1

WannaCrypt uses an SMB vulnerability to spread. Can we not use this vulnerability to create a similar worm, but one which patches for WannaCrypt instead of affecting it?

  1. Our worm infects a computer on the network using the same vulnerability.
  2. And then spreads itself to other computers on the network.
  3. Then patches the infected computer.

Ignoring potential legal issues, is this advised?

To make sure our worm doesn't go out of control, we can rate limit it or ask it to stop by validating a domain (similar to WannaCry).

The aim is not to reverse the damage done, but to protect unpatched PCs from being infected by WannaCry.

Is this method even advisable? Not just against WannaCrypt but against any other similar worms.

  • Exactly what you describe happened after the MS Blaster outbreak in 2003, an event that was quite similar to the current outbreak (minus the ransom). [Source.](http://www.itworld.com/article/2804460/security/new-variant-of-blaster-worm--fixes--infected-systems.amp.html) – Anders May 20 '17 at 19:25

2 Answers

4

That would definitely be possible. In fact, a couple of days ago it was discovered that, even before the WannaCrypt outbreak, another piece of malware was infecting computers using the ETERNALBLUE exploit and secured the systems against ETERNALBLUE afterwards. (Said malware didn't install the patch, however; instead, it blocked the port used by SMB.)

But, it wouldn't make much sense for a vigilante to create an anti-WannaCrypt worm at the moment; at this point, WannaCrypt has already spread so widely that pretty much all targeted systems that are connected to the internet have either been patched or got infected.

(Although, because WannaCrypt crashed when infecting XP computers, those could still have escaped infection without being patched; there will probably still be some unpatched XP computers out there that could be targeted by an improved version of WannaCry or similar malware.)

user2428118
  • The question is really if this would be possible after the fact, right now for example. Sure you can create a worm, but it wouldn't fix the damage already done. There is a trick for XP to retrieve prime number from memory, but that would be way too late now – Yorick de Wid May 20 '17 at 19:15
  • Thanks for the answer. It's probably too late to patch for WannaCrypt, but how far is this advisable? – Aravind Voggu May 20 '17 at 19:42
-1

No, the problem is not to get things patched. The problem is reversing the encryption process, which is close to impossible if you do not possess the private key.

Besides, the patching process you are talking about is called Windows Update, which could have prevented vulnerable systems from getting infected. The case for Windows XP is slightly different of course, but then again, it's end of life.

Yorick de Wid
  • 1
    Hi! The aim is not to decrypt already infected computers, but to protect others from being infected. I added that as an edit. Thanks – Aravind Voggu May 20 '17 at 19:09