This post discusses some points related to detecting the WannaCry malware that has been causing problems over the last few days. There are lots of good resources about this that are being updated frequently, but I may update this post with more details as new variants emerge.
For an earlier discussion of novel ransomware detection, see my post from last summer. (Note that my prediction that 2016 was “Peak Ransomware” did not seem to be correct!)
The big reason WannaCry spread so quickly is that it uses a vulnerability in SMBv1, a ubiquitous protocol in Windows networks (Microsoft patched the flaw in MS17-010 in March 2017, but many machines had not applied the update). Infected machines scan for other hosts listening on TCP port 445, and some variants of the malware scan random addresses on the Internet for vulnerable endpoints, not just the local network.
The Observable service alerts automatically on many inbound scans, but you can also query for them directly. From the Observable web portal you can check for these scans with a query on inbound SMB (TCP 445) connections:
The filter will look like this:
The results are shown after the query executes, and the table can be exported to CSV. (The screenshot below is just an example set of results; the IP addresses shown are not associated with the malware.)
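The same check can be run over exported flow records outside the portal. The following is an added example, not code from the original post or from Observable: it flags any source that attempted TCP/445 to at least a threshold number of distinct destinations, and labels the hit as an inbound scan or lateral spreading depending on whether the source is internal. The flow tuples and the internal address ranges are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real traffic), one tuple per TCP
# connection attempt: (timestamp, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    # external host sweeping the /24 on 445: an inbound SMB scan
    *[("2017-05-12T10:00:0%d" % i, "203.0.113.5", "10.0.0.%d" % i, 445)
      for i in range(1, 10)],
    # internal host sweeping its neighbours on 445: lateral spreading
    *[("2017-05-12T10:01:0%d" % i, "10.0.0.7", "10.0.0.%d" % (20 + i), 445)
      for i in range(1, 7)],
    # two workstations talking to one file server: normal SMB use
    ("2017-05-12T10:02:01", "10.0.0.4", "10.0.0.10", 445),
    ("2017-05-12T10:02:02", "10.0.0.5", "10.0.0.10", 445),
    # unrelated inbound web traffic
    ("2017-05-12T10:02:03", "198.51.100.9", "10.0.0.1", 80),
]

# Address ranges treated as "internal"; assumed for this example. Python's
# ip_address(...).is_private also counts documentation ranges such as
# 203.0.113.0/24 as private, so an explicit list is used instead.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_smb_scanners(flows, min_targets=5):
    """Return {src_ip: {"direction": ..., "targets": [...]}} for every source
    that attempted TCP/445 to at least min_targets distinct destinations."""
    targets = defaultdict(set)
    for _ts, src, dst, dport in flows:
        if dport == 445:
            targets[src].add(dst)
    result = {}
    for src, dsts in targets.items():
        if len(dsts) < min_targets:
            continue
        result[src] = {
            "direction": "lateral" if is_internal(src) else "inbound",
            "targets": sorted(dsts, key=ipaddress.ip_address),
        }
    return result


if __name__ == "__main__":
    for src, info in find_smb_scanners(SAMPLE_FLOWS).items():
        print("%s %s scan: %d targets" % (src, info["direction"],
                                          len(info["targets"])))
```

The threshold is the tuning knob: set it per time window in real data, and expect authorized vulnerability scanners and backup or inventory systems to show up alongside the malware, so review hits before acting on them. The "lateral" case matters as much as the inbound one, since a single infected laptop spreads to everything reachable on 445.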
The commonly analyzed variants of the malware communicate with their command-and-control servers over Tor (as hidden services). To do this, the malware must first download a Tor client, and that download is visible on the network.
For sites that have an Observable sensor on-prem (and with DNS visibility), you can get alerts for that initial Tor download, since the DNS lookup for the Tor distribution site is visible to the sensor:
You can also add a watchlist for connections to known Tor relays. Note that a client reaching a hidden service builds its circuits through guard (entry) relays and a rendezvous point and never leaves the Tor network, so a watchlist of exit relays alone is the wrong list for this traffic; use the full relay list (or at least the guards).
When there are hits against the watchlist they will show as an alert. Some sample Observations are below.
This will, of course, also alert on non-malicious Tor traffic, so use it with care and review the hits rather than acting on them automatically.
The malware attempts to determine whether it is being examined in a sandbox by connecting to a hard-coded, random-looking domain name: if the connection succeeds, it assumes it is in an analysis environment and exits without spreading. The registration of that domain (turning it into a sinkhole) is what let one researcher halt the spread of the original variant; later variants have appeared with different domains.
For sites that have an Observable sensor on-prem (and with DNS visibility), you'll automatically get alerts for spikes in connection attempts to these domains. Because every infected host performs the lookup before it does anything else, the lookup itself identifies infected machines, whether or not the domain now resolves. You can also look at potential detections under Observations > Types > Domain Generation Algorithm Observation:
We wrote about this capability a while back.
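To show what a "random-looking domain" check looks like when run over DNS logs, here is an added example that is not code from the original post or from Observable's product. It scores the registered label of each queried name with three heuristics (length, Shannon entropy, longest run of consonants) and reports generated-looking domains together with the internal hosts that queried them; a single such domain looked up by many hosts is the worm pattern described above. The log lines and the domain names in them are constructed for the example and are not the real kill-switch domain.

```python
import math
from collections import defaultdict

# Constructed DNS query log (not real data): timestamp, client, qname, rcode.
# The rcode is deliberately ignored below: once the kill-switch domain was
# registered, lookups began returning NOERROR, and the host is infected either way.
SAMPLE_DNS_LOG = """\
2017-05-12T10:00:01 10.0.0.7 xsdfgjkqwrtbnmplzcvhyu.com NXDOMAIN
2017-05-12T10:00:02 10.0.0.7 windowsupdate.com NOERROR
2017-05-12T10:00:04 10.0.0.8 xsdfgjkqwrtbnmplzcvhyu.com NXDOMAIN
2017-05-12T10:00:05 10.0.0.9 www.microsoftupdate.com NOERROR
2017-05-12T10:00:06 10.0.0.9 xsdfgjkqwrtbnmplzcvhyu.com NOERROR
2017-05-12T10:00:07 10.0.0.4 observable.net NOERROR
""".splitlines()

VOWELS = set("aeiou")


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_consonant_run(label):
    """Length of the longest run of consonant letters ('y' counts as one)."""
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_generated(label, min_len=12, min_entropy=3.0, min_run=4):
    """Heuristic: long, high-entropy labels with unpronounceable consonant runs.
    Thresholds are assumptions for the example; tune them on your own traffic."""
    label = label.lower()
    return (len(label) >= min_len
            and shannon_entropy(label) >= min_entropy
            and longest_consonant_run(label) >= min_run)


def registered_label(qname):
    """Naive: the second label from the right. Fine for .com/.net; a public
    suffix list is needed to handle names such as example.co.uk correctly."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def find_generated_domains(dns_log_lines, min_hosts=1):
    """Return {domain: sorted client IPs} for generated-looking domains
    queried by at least min_hosts distinct clients."""
    hosts = defaultdict(set)
    for line in dns_log_lines:
        _ts, client, qname, _rcode = line.split()
        if looks_generated(registered_label(qname)):
            hosts[qname.rstrip(".").lower()].add(client)
    return {d: sorted(h) for d, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for domain, clients in find_generated_domains(SAMPLE_DNS_LOG).items():
        print("%s queried by %d hosts: %s" % (domain, len(clients), ", ".join(clients)))
```

Entropy alone is a weak signal (many legitimate labels such as "microsoftupdate" score above 3 bits), which is why the consonant-run test is added; CDN and tracking hostnames will still produce false positives, so the host count and the spike over time are what make a hit worth paging on.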
Windows XP and Windows 2003 were vulnerable to the SMB infection (until the out-of-band patch Microsoft released for them during the outbreak), and they can be spotted on the network by their ephemeral port selection: by default they use only ports 1024-5000 as TCP source ports, whereas Windows Vista and later use 49152-65535. A host whose outbound connections never use a source port above 5000 is therefore a likely XP or 2003 machine (or a host with a customized MaxUserPort setting, or some other older system, so treat it as a lead rather than proof).
The procedure is a little less straightforward than finding the external SMB traffic above, but you can use the Observable Session Traffic query page to look for such machines:
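The same fingerprint can be computed from exported session records. This is an added example, not code from the original post or from Observable: it collects the source ports each host used when initiating TCP connections and classifies the host once enough distinct ports have been seen. The flow records, hosts and the minimum sample size are constructed or assumed for the example.

```python
from collections import defaultdict

LEGACY_MAX_PORT = 5000      # XP/2003 default: 1024-5000 (MaxUserPort)
MODERN_MIN_PORT = 49152     # Vista and later: 49152-65535 (IANA dynamic range)


def sample_flows():
    """Constructed flow records (not real traffic). Each tuple is one TCP
    connection initiated by src_ip: (src_ip, src_port, dst_ip, dst_port).
    Only the initiating side is listed, because server-side ports are not
    ephemeral and would skew the fingerprint."""
    flows = []
    # 10.0.0.21: every source port in 1025-1060 -> XP/2003-style allocator
    flows += [("10.0.0.21", p, "10.0.0.10", 445) for p in range(1025, 1061)]
    # 10.0.0.22: source ports from 49152 upward -> Vista-or-later allocator
    flows += [("10.0.0.22", p, "10.0.0.10", 445) for p in range(49200, 49236)]
    # 10.0.0.23: source ports around 32768 -> typical older Linux range
    flows += [("10.0.0.23", p, "10.0.0.10", 22) for p in range(32800, 32836)]
    # 10.0.0.24: only three connections, too few to judge
    flows += [("10.0.0.24", p, "10.0.0.10", 80) for p in (1030, 1031, 1032)]
    return flows


def classify_ephemeral_ports(flows, min_ports=20):
    """Return {src_ip: verdict} based on the range of ephemeral source ports
    the host used. min_ports distinct ports are required before judging,
    so that a host seen only a few times is not misclassified."""
    ports = defaultdict(set)
    for src, sport, _dst, _dport in flows:
        if sport >= 1024:               # ignore well-known ports entirely
            ports[src].add(sport)
    verdicts = {}
    for src, ps in ports.items():
        if len(ps) < min_ports:
            verdicts[src] = "insufficient-data"
        elif max(ps) <= LEGACY_MAX_PORT:
            verdicts[src] = "likely-xp-or-2003"
        elif min(ps) >= MODERN_MIN_PORT:
            verdicts[src] = "likely-vista-or-later"
        else:
            verdicts[src] = "other"
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(classify_ephemeral_ports(sample_flows()).items()):
        print(host, verdict)
```

The "other" bucket catches Linux, BSD, embedded devices and anything with a non-default port range; a machine classified as legacy Windows still needs to be confirmed by other means (an SMB or NetBIOS banner, an inventory record) before it is pulled off the network or patched.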
Getting better visibility into your network and improving your security couldn’t be easier. Sign up for a free, no-risk trial of Observable’s Endpoint Modeling solution, and change the way you see security.