While WannaCry could infect machines running Windows XP, it was unlikely to spread from these machines as the OS was more than likely to crash before further damage was done.
According to a blog post by Kryptos Logic researchers, tests carried out on machines running Windows XP found those vulnerable to MS17-010 – the SMB vulnerability – including Windows XP with Service Pack 2, Windows XP with Service Pack 3, Windows 7 64 bit with Service Pack 1, and Windows Server 2008 with Service Pack 1.
The team initially used as its primary infection vector a Windows 2008 Server with Service Pack 1, where the WannaCry binary was manually executed on the host.
“Upon execution, the ransomware would execute its usual methods for infection and begin encrypting the files on the local filesystem. While encrypting files it will also begin targeting vulnerable hosts on the network for MS17-010 and for hosts with DoublePulsar installed,” said the researchers.
They first set up a test to examine propagation via the EternalBlue exploit.
“The primary infection found the hosts and attempted to exploit it via SMB, this surprisingly turned out to be unsuccessful on Windows XP, and the infected host then attempted to send its payload via DoublePulsar which failed as the targets clean installs,” said the researchers.
Windows XP with Service Pack 2 didn't get infected while Windows XP with Service Pack 3 suffered from random blue-screen of death (BSOD) but no infection.
Researchers concluded that Windows XP is not safe from infection when the WannaCry binary is executed locally on the host.
“The ransomware will install successfully and encrypt the host's files. That being said, since the main infection vector here was the SMB exploit, it seems like XP did not contributed much to the total infection counts,” said researchers.
Researchers said it was clear that Windows XP systems are vulnerable to EternalBlue, but the exploit as implemented in WannaCry does not seem to reliably deploy DoublePulsar and achieve proper RCE, “instead simply hard crashing our test machines”.
“The worst case scenario, and likely scenario, is that WannaCry caused many unexplained blue-screen-of-death crashes,” added the researchers.
Simon Edwards, European cyber security architect at Trend Micro, told SC Media UK that while it is certainly true that Windows XP systems had a tendency to ‘blue screen' more than their later counterparts, he has not seen or heard any evidence of this happening in the work his firm carried out with the NHS at the time of the attack.
“But we certainly saw it affect many systems and spread very quickly. But the important message, certainly where the NHS is concerned is ‘why' these systems were still on these older OSs,” he said.
“This is because many of these systems couldn't be patched or upgraded, as they are part of a much more complex system like a MRI scanner, or blood analysis system. The hospitals have no control over these systems, and their vendors (who have the control) are reticent to fix the problem.
Kyle Lady, senior R&D engineer at Duo Security told SC that XP machines still can get infected and spread via EternalBlue, had the author correctly written the attack code.
“Additionally, if an attacker were to get a user to run the WannaCry ransomware via another means, such as phishing or drive-by downloading, their XP system would still fall prey to the ransomware component,” he said.
Lady added that faster application of patches is one of the harder problems in modern software engineering.
“The issue lies primarily with the amount of user interaction that is often required to update the operating system combined with concerns about updates breaking existing software functionality and/or user experience, which has happened in the past. Organisations often hold back Windows updates for IT teams to test them first, which is responsible from the perspective of ‘let's not break our users' workflows', but it delays the patch timeline until IT approves it,” he said.
The researchers also released an estimate of the true magnitude of the WannaCry attack. They analysed sinkhole data and found that far from the widely reported figure of 200,000 affected systems, the true figure was probably in the range of 2-3 million – and it could have been much worse.“Our estimate is a few hundred thousand systems were disrupted by the ransomware payload until the kill switch was activated followed by a conservative 2 to 3 million affected systems which were not disrupted by the payload. Without the mitigating effect of the kill-switch, this number could have plausibly infected vulnerable systems well into the tens of millions or higher,” the Kryptos team wrote.