65

I understand that WannaCry spreads itself by exploiting the SMBv1 vulnerability, which is fixed by patch MS17-010.

Does this mean that even with the patch installed, WannaCry can still infect the computer--if the user downloads and executes it--but not propagate itself through the computer's network?

Does Windows Defender/any current security software block the execution of WannaCry if, say, a user executes it?

Lh Lee
  • 647
  • 1
  • 5
  • 5

3 Answers

94

If you download and execute WannaCry, it will still lock your files and attempt to infect other unpatched computers in the network.

WannaCry only needs the SMB exploit to get into a system, not to get out. Once it has control of your system, it does not need the exploit to execute arbitrary code, including the worm. The MS17-010 patch protects your computer from being infected through this exploit, but it does not prevent your computer from infecting other machines on the same network if those other machines are not patched.

To protect other computers on the network, you need to block all outgoing traffic to port 445. I've not (yet) seen WannaCry try and circumvent a blocked outgoing port.

There are several variants of WannaCry out there. These all seem to be detected by major antivirus software, including Windows Defender. You can see a full list of antivirus software that detects a particular version on Virus Total, e.g. for this sample. comae.io seems to have a decent compilation of variants found in the wild which you can search for on Virus Total.

knbk
  • 751
  • 4
  • 6
  • 1
    Will this security software stop the execution of WannaCry consistently--or early enough to prevent files from being encrypted? – Lh Lee May 23 '17 at 02:49
  • 1
    @LhLee Security software certainly _can_ block execution of WannaCry, so I'd expect any tool that detects it to block it from encrypting any files. However, I don't have a definitive answer for any particular antivirus. – knbk May 23 '17 at 07:45
  • actually, the patch does protect other machines in the network. If those machines have volumes shared with the first infected computer, then as you said, WannaCry can infect them as well. However, if there are no shared volumes, exploiting MS17-010, WannaCry can move horizontally throughout the network, and therefore, reaching more computers. – The Illusive Man May 23 '17 at 08:50
  • 1
    @LhLee For the ones that are already identified and part of your virus database, sure (this depends on your anti-virus, of course). But there may be variants that can slip through - that depends on how good and aggressive your AV's heuristics are. And needless to say, the only thing that makes WannaCry interesting is the SMB vulnerability - another virus that does the exact same disk encryption is entirely unaffected. The patch basically means that WannaCry is no more dangerous to you than the *other* similar viruses. – Luaan May 23 '17 at 13:45
  • 1
    @yzT Say Alice and Bob are on the same network. Alice has installed the MS17-010 patch, but Bob hasn't. Now Alice manually downloads and runs the WannaCry executable. Even though Alice's system is patched, it will still infect Bob's system. The patch on Alice's system does not protect Bob's system in any way. That's easy to test using two VM's on an internal network and a sample that includes the worm (such as [this one](https://virustotal.com/en/file/24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c/analysis/)), and I've run that exact test to verify the behaviour. – knbk May 23 '17 at 15:19
  • @knbk ofc it will infect Bob's computer, because Bob hasn't patched... I'm not sure what you wanted to prove with that example. – The Illusive Man May 23 '17 at 16:50
  • @yzT Then I fail to see the point you are trying to make in your first comment. The main point in my answer is that the patch, when installed on your own system, does _not_ protect other machines in the network. Only installing the patch on those other systems, or blocking outgoing traffic to port 445, can do that. – knbk May 23 '17 at 17:05
  • @knbk you're right, I had misunderstood the OP's question. – The Illusive Man May 23 '17 at 20:23
17

There are two actors in defending against WannaCry.

On the one hand, there is Microsoft, responsible for fixing the worm-like spreadability mode, leveraging, as you said, the MS17-010 vulnerability and using the exploits EternalBlue and DoublePulsar released by the Shadow Brokers.

On the other hand, there are the antivirus vendors, that need to update their signatures to actually protect the system.

So, if you install the patches (guess you are referring to Microsoft's patches), you're protecting your network from the point of view that you are not allowing the malware to spread through the MS17-010. However, you still need an updated antivirus to protect the files in your system.

UPDATE

For completeness' sake, as knbk pointed out in his answer, WannaCry may infect other machines in the network without exploiting MS17-010. That would be possible if those machines have shared volumes with the infected host, but if that's not the case, WannaCry uses the exploit to move horizontally throughout the network, therefore reaching more computers. Precisely, this worm-like behavior is what made it stand above the rest of the ransomware out there, because usually ransomware relies on tricking the user to get infected.

The Illusive Man
  • 10,487
  • 16
  • 56
  • 88
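The point both knbk's answer and The Illusive Man's update make (MS17-010 keeps the exploit out of your own host, while only patching the neighbours or blocking outbound TCP 445 keeps an infected host from reaching them) as an added PowerShell checklist. This is example code, not from either answer or from Microsoft; it assumes an elevated prompt on Windows 8.1 / Server 2012 R2 or later with the NetSecurity and SmbShare modules available, the rule name is a label chosen here, and the KB list is an illustrative subset taken from the MS17-010 bulletin that you should verify against the bulletin for your own build.

```powershell
<#
Added example (not part of the original answers): report whether this host has
a known MS17-010 KB, whether the SMB1 server protocol is still on, and whether
outbound TCP 445 is blocked; optionally create that block rule. Run elevated.
#>
[CmdletBinding()]
param(
    # Report only; never create the firewall rule.
    [switch]$ReportOnly,
    # Display name for the outbound block rule (arbitrary label chosen here).
    [string]$RuleName = 'Block outbound SMB (TCP 445) - WannaCry containment'
)

# Illustrative subset of MS17-010 KB numbers (assumption: verify against the
# bulletin for your build; later cumulative updates supersede these and will
# NOT appear in Get-HotFix under these IDs).
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',              # Windows 7 SP1 / Server 2008 R2
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012598',                           # XP / Vista / Server 2003 / 2008
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Installed {
    # True only if one of the listed KBs is present; $false means "not proven".
    $installed = Get-HotFix | Where-Object { $_.HotFixID -in $Ms17010Kbs }
    return [bool]$installed
}

function Get-Smb1State {
    # Server-side SMB1 switch: this is the listener the exploit targets.
    try {
        return (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol
    } catch {
        return $null   # cmdlet unavailable on this OS
    }
}

function Test-OutboundSmbBlocked {
    param([string]$Name)
    $rule = Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue
    return ($null -ne $rule -and "$($rule.Enabled)" -eq 'True' -and "$($rule.Action)" -eq 'Block')
}

function Add-OutboundSmbBlock {
    # The containment knbk describes: stop this host talking SMB to anyone.
    param([string]$Name)
    New-NetFirewallRule -DisplayName $Name -Direction Outbound -Protocol TCP `
        -RemotePort 445 -Action Block -Profile Any | Out-Null
}

$patched = Test-Ms17010Installed
$smb1    = Get-Smb1State
$blocked = Test-OutboundSmbBlocked -Name $RuleName

"MS17-010 KB from the illustrative list present : $patched"
"SMB1 server protocol enabled                    : $smb1"
"Outbound TCP 445 block rule present and enabled : $blocked"

if (-not $patched) {
    Write-Warning 'No listed MS17-010 KB found. A later cumulative update may supersede it; check the bulletin before treating this host as unpatched.'
}
if ($smb1 -eq $true) {
    Write-Warning 'SMB1 is still enabled on this host; the patch closes the bug but the legacy protocol remains exposed.'
}
if (-not $blocked -and -not $ReportOnly) {
    Add-OutboundSmbBlock -Name $RuleName
    "Created outbound block rule '$RuleName'."
}
```

Run with `-ReportOnly` first. Note that an outbound block on 445 also cuts this host off from legitimate file shares, printers and domain SYSVOL, so it is the emergency containment step the answer describes, to be lifted once the neighbours are patched, not a permanent setting. The KB check is a lower bound only: a host that received a later monthly rollup is patched but will show `$false` here.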
4

Earlier versions of WannaCry didn't spread via SMB, so yes - it's absolutely possible to still get your PC infected with WannaCry.

Read more here: https://www.symantec.com/connect/blogs/what-you-need-know-about-wannacry-ransomware

Bitdefender, Symantec, Norton and probably all major antivirus software should be able to detect and block WannaCry in their most up-to-date versions.

It was suggested that it first spread via email, but from what I know that is still unconfirmed.

Also be aware that there are multiple versions of WannaCry, and not all of them spread in the same ways.

Martin Fürholz
  • 795
  • 9
  • 21
  • 2
    I was reading an article last night that suggested the opposite - that the initial infections were not from emails "According to ... Malwarebytes ... the malware's operators searched the public internet for systems running vulnerable SMB services, and infected them..." https://www.theregister.co.uk/2017/05/20/wannacry_windows_xp/ – Baldrickk May 22 '17 at 10:19
  • 1
    Quote from the article I linked above: "Symantec identified the presence of tools exclusively used by Lazarus on machines also infected with earlier versions of WannaCry. These earlier variants of WannaCry **did not have the ability to spread via SMB**" – Martin Fürholz May 22 '17 at 12:19