What was the Wannacry attack???
Wannacry attack was the misuse of a vulnerability in the SMB protocol of Microsoft windows operating system that allowed hackers to install a back door and then run arbitrary exploit code.
Wannacry was a combination of 2 exploits, double pulsar and eternal blue.
Double pulsar was responsible for creating the backdoor that allowed the installation of eternal blue.
Eternal blue was responsible for encrypting the files on your system and running a code asking for ransom.
What is an SMB protocol?
Let’s say you a working in Mumbai. You create a file and want others sitting in other locations like Lisbon, London, Manilla to access the file and update it or download it. You will save the file in a shared drive allocated for this purpose.
The shared drive is actually a partition in the file server.
when other computer want to access the file, they will to use a communication mechanism where those computers ask for the access to the file and the server acts like the gatekeeper and provides access. The communication protocol used for this purpose is the SMB protocol.
The other computers are the SMB clients and the file servers is running the SMB server.
SMB protocol is one of the most common protocols of windows. Samba was developed for the unix operating system and now a file stored on the Unix server can be accessed by a windows operating system.
SMB protocol is also used for Inter process communications (IPC) i.e talking to other computers over a network. It is an application layer protocol and uses port 445.
Double Pulsar ?? Sounds like a galaxy…
To run any exploit on a system, you need a backdoor like any thief would need a backdoor to enter a house. Double pulsar does this i.e, creating a backdoor.
Double pulsar is an exploit code/ malware payload that is built mostly using some low level programming language like versions of C for instance
and injected into the victim’s computer when the victim uses some resource on the internet like downloading an infected file, clicking on an obvious link in an email or even simply accessing an infected website.
The hacker loads the double pulsar code to a file, gets the victim to download the file somehow (The victim uses the SMB protocol to download the file)
or in other terms access the file over a shared network (see the connection!!) and the double pulsar payload runs on the victim’s system, gets access to
the shell environment and opens a backdoor for other exploits to run.You will know if you dig deeper than getting access to the shell means everything.
You could do anything from then on and that’s why most of the exploit codes concentrate on getting the shell access.
Now comes the Eternal Blue exploit…
Now that a backdoor is opened, all the attacker has to do is to send a specially crafted packet to the victim’s system and as the SMB protocol which runs on default on the windows systems does not understand this packet’s malicious nature due to the vulnerability present in the protocol, it accepts the packet.
This specially crafted packet has a payload which will start running shell codes and encrypt the files on your computer without you knowing it and then present the screen for ransom.
Where do these worms come from???
All this needs extreme amount of expertise. These exploits are called Zero-day exploits meaning the vulnerabilities are unknown to the manufacturer which is Microsoft here. NSA (National security agency) developed the exploit after discovering the vulnerability. But they did not release the knowledge to the outside world (This tells me that they are twisted themselves).
Anyways, a very famous dark group of hackers called the ‘The shadow brokers’ got into their database somehow and leaked out the exploit. Shadow brokers then sell such exploits to the highest bidders. They never leak out their customers. Currently, all fingers point to North Korea as the clients.
The customers, whoever they were, started attacking networks.