WannaCry red screens
WannaCry red screens

While Windows 10 avoided infection by WannaCry last month, security researchers at RiskSense have shown how the malware could be ported to the OS and infect it.

WannaCry uses EternalBlue, an exploit from the NSA stolen last summer and published this year. The researchers said that EternalBlue was "one of the most complex exploits ever written."

They added that this exploit is “highly dangerous in that it can provide instant, remote, and unauthenticated access to almost any unpatched Microsoft Windows system, which is one of the most widely used operating systems in existence for both the home and business world.”

Researchers at RiskSense created a Metasploit module that could evade security features and mitigations deployed by Microsoft in its latest operating system, including Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). 

Other changes were also made. Researchers removed the DoublePulsar backdoor, which according to researcher were not necessary for the exploit to work. As this was deleted, the port was developed to install an Asynchronous Procedure Call (APC) payload, which allowed execution without a backdoor. 

“By removing superfluous fragments in network packets, our research makes it possible to detect all potential future variants of the exploit before a stripped-down version is used in the wild. We also substantiated the premise that the original exploit's DOUBLEPULSAR payload is a red herring for defenders to focus on, as stealthier payload mechanism can be crafted,” said the researchers in a paper.

The researchers said that the idea behind this was to help in prevent future attacks, rather than give hackers information on how to compromise Windows 10.

“We've omitted certain details of the exploit chain that would only be useful to attackers and not so much for building defences. The research is for the white-hat information security industry in order to increase the understanding and awareness of these exploits so that new techniques can be developed that prevent this and future attacks. This helps defenders better understand the exploit chain so that they can build defences for the exploit rather than the payload," the researchers added.

The ported exploit was created to work on Windows 10 x64 version 1511 (November Update). This version is still supported by Microsoft.

 Kyle Lady, senior R & D engineer at Duo Security, told SC Media UK that exploits have a life expectancy directly tied to how easy it is to move from a simple proof-of-concept to a fully weaponised exploit with a sophisticated payload.

“A vulnerability can be partially mitigated if conditions hinder weaponisation without a substantial effort. For example, Windows 10 has more advanced built-in defences, so there are more roadblocks than Windows 7. In this case, extra details surrounding the MS17-010 vulnerability will help an exploit coder shorten that timeframe to weaponise for Windows 10,” he said.

Michal Salat, director of Threat Intelligence at Avast, told SC Media UK, that by ensuring they have the latest digital security installed, maintaining their devices by keeping all apps and programs up to date, and being vigilant about not opening suspicious emails and attachments, users can prevent most malware based attacks. “Additionally, business Windows users can limit the number of services/ports open to the internet and block ports on the perimeter firewall, making SMB unreachable from the internet could also help,” he said.

Andy Struys, KACE team leader, EMEA, Quest, told SC Media UK that as evidenced by the events of past weeks, hackers are getting more sophisticated and finding new ways around the organisational defensive measures in place.

“The best mitigation against falling foul of this type of attack is a robust procedure for patching Windows 10, quickly identifying and applying critical updates across your entire network to ensure that no machines are left vulnerable to the exploit.”