Windows 10 Not Immune to WannaCry
Ashley Allen / 8 years ago
When the WannaCry ransomware hit last month, researchers claimed it could only infect systems running Windows 7 or earlier. Within days, it had infected Windows 8 and 8.1 machines, though Windows 10 remained unaffected. Security researcher, therefore, thought Microsoft’s latest operating system was immune to the malware. This assumption, as it turns out, was false.
WannaCry on Windows 10
WannaCry used the EternalBlue NSA exploit, leaked by the Shadow Brokers in April, to infect Windows machines. Researchers from RiskSense, have now ported EternalBlue to infect Windows 10 systems. The team stripped the DoublePulsar backdoor exploit from the malware and replaced it with a new custom insertion mechanism. The new iteration was then able to use the NSA exploit on Windows 10. However, only pre-Anniversary Update versions were found vulnerable. Later updates proved immune. Both Windows 10 Redstone 1 (April 2016) and Windows 10 Redstone 2 (Creators Update, April 2017) blocked Data Execution Prevention bypass attempts used by EternalBlue.
Sean Dillon and Dylan Davis, researchers from RiskSense, report [PDF]:
“The RiskSense Cyber Security Research team slowly dissected the original exploit, discovering parts of the data that were deemed unnecessary for exploitation. By removing superfluous fragments in network packets, our research makes it possible to detect all potential future variants of the exploit before a stripped-down version is used in the wild. We also substantiated the premise that the original exploit’s DOUBLEPULSAR payload is a red herring for defenders to focus on, as stealthier payload mechanism can be crafted.”
The research is a warning to Cybersecurity companies: forget about DoublePulsar. The payload method is no longer for EternalBlue’s proliferation.
Do Windows 10 Users Need to Worry?
Yes and no. Dillon and Davis’ work does demonstrate that Windows 10 is not safe from WannaCry-style attacks. However, their research ethically conducted. God bless the White Hats. A malevolent coder, though, could potentially create their own version. In which case, make sure to update Windows 10. If you’re concerned, be sure to install all updates listed in Microsoft’s MS17-010 security bulletin. Better safe than sorry.
Between the recently released EternalRocks and the promise of more NSA hacking tools this month, prepare for more developments soon. Microsoft will have its work cut out. Pray that it does and that we don’t.