WannaCry - If a Windows host is unpatched and accesses other Windows hosts which are patched what are the risks?

Hi All,

Here is a quick overview of scenarios which need to be addressed in relation to WannaCry malware - if someone has knowledge of how the malware spreads, could they please help address the concerns I have.

Scenario 1: One Windows host unpatched and infected with WannaCry connects (via authentication) to a Windows server which is patched - can the infection propagate and result in encrypted files on the Windows server?

Scenario 2: One Windows host unpatched and infected with WannaCry connects (via authentication) to SAN storage to access files. Can the infection attack the files on the SAN and encrypt them?

Scenario 3: On a public Wi-Fi network where BYOD Windows laptops share internet access, such as in a public library or university campus - if there is one device infected with WannaCry, can the infection propagate to other Windows devices if they are unpatched? I will make the assumption the infected host does not have authenticated access to the other Windows hosts.

If anyone can provide some insight it would be greatly appreciated.

Thanks,

JK

8 Replies
Reliable Contributor Hayton
Message 2 of 9

I'm consulting with the other moderators about who is the best person to answer this.

You don't want guesswork; you need something authoritative, so we'll try to find someone, maybe from McAfee Labs, who can give you that answer.

Reliable Contributor catdaddy
Message 3 of 9

I have contacted the Incident Response Manager from McAfee Labs on your behalf. Hopefully David will add to the discussion in short order. It is late here in the U.S. and most likely will be tomorrow before we hear from him.

Cliff
McAfee Volunteer
Reliable Contributor catdaddy
Message 4 of 9

Discussion successfully moved from Malware Discussion to Home User Assistance

Cliff
McAfee Volunteer
Reliable Contributor catdaddy
Message 5 of 9

I have created a Request to the Labs. The Ticket number is as follows Ticket #: AM000962 - Customer needs assistance

Cliff
McAfee Volunteer
McAfee Employee dmeier
Message 6 of 9

For 1 and 2: Yes, if the server shares any folder and those are mounted as local drives on the infected machine. WannaCry will infect files on any locally mounted disk, including network shares. It will also copy itself to these folders, so if someone on another machine with access to these shares clicks on them by mistake, they might get infected too.

3: Yes, they can get infected, as WannaCry will attempt to exploit machines on the local network, so anyone connected to the same Wi-Fi hotspot (hence connected to the same network) could get exploited and infected.

Hope that helps,

- David

Reliable Contributor catdaddy
Message 7 of 9

Thank you David

Cliff
McAfee Volunteer
Reliable Contributor catdaddy
Message 8 of 9

You may find this correspondence I just received most informative also:

Hi Cliff,

The answer to all 3 scenarios is Yes. The malware will attempt to spread to remote unpatched machines via the MS17-010 SMB vulnerability. It will encrypt data files on network shares and removable drives in addition to the local disk of the infected machine, and will also attempt to propagate to machines locally.

We have a Threat Advisory available that describes the behavior of the malware, including the following propagation information: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27077/en_US...

The malware spreads by exploiting shares and uses the EternalBlue (MS17-010 Echo Response - SMB vulnerability) vulnerability. The authors have utilized publicly available exploit code and embedded it as a part of their dropper. The malware, on execution, connects to the IPC$ tree and attempts a transaction on FID 0, triggers the vulnerability, and then exploits it. During replication, we observed that it generates a random set of IP addresses for the purposes of propagation. These IPs are not restricted to internal IPs.

We found that the main dropper malware generates random IP addresses, not limited to the local network. This fact means the malware can spread not only to other machines in the same network, but also across the Internet if they allow NetBIOS packets from outside networks.

The sub dropper infects files with specific extensions on the local machine, any removable drive connected to it, and any network share mounted locally. It then attempts to find machines on the local network via NetBIOS broadcast messages and Master Browser queries. Once a machine is found, the malware connects to the IPC$ default share and attempts to log in. If it is successful, it tries to list all available shares and will attempt to infect them. It does so by copying itself to the remote share first, then encrypting all files with specific extensions it can find there.

Regards,

Nick

Cliff
McAfee Volunteer
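
A defender-side illustration of the propagation behaviour described in the correspondence above, added here and not part of the original thread or of any McAfee tooling: it reads flow records and flags a host that reaches many distinct peers over SMB in a short window, splitting them into internal and external addresses. The record format, threshold, window, internal ranges and sample flows are constructed assumptions; TCP 445 is the standard SMB port.

```python
import ipaddress
from collections import defaultdict

SMB_PORT = 445        # SMB over TCP
THRESHOLD = 5         # assumed: distinct SMB peers in one window before alerting
WINDOW = 60           # assumed window length in seconds
# Assumed internal address space (RFC 1918); adjust to the site's own ranges.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows, one per line: epoch_seconds src dst dst_port
SAMPLE_FLOWS = """\
1200 10.0.0.23 10.0.0.5 445
1201 10.0.0.40 10.0.0.5 445
1203 10.0.0.23 10.0.0.6 445
1207 10.0.0.23 198.51.100.14 445
1211 10.0.0.23 10.0.0.7 445
1215 10.0.0.23 203.0.113.77 445
1222 10.0.0.23 192.0.2.200 445
1230 10.0.0.40 10.0.0.5 445
1240 10.0.0.40 198.51.100.14 443
garbled line from collector
"""

def parse_flows(text):
    """Yield (ts, src, dst, port), skipping lines that do not parse."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield (int(parts[0]), ipaddress.ip_address(parts[1]),
                   ipaddress.ip_address(parts[2]), int(parts[3]))
        except ValueError:
            continue

def smb_fanout(text, window=WINDOW, threshold=THRESHOLD):
    """Map each source that reached >= threshold distinct SMB peers in one
    window to the internal/external split of its busiest window."""
    buckets = defaultdict(set)            # (src, window index) -> SMB peers
    for ts, src, dst, port in parse_flows(text):
        if port == SMB_PORT:
            buckets[(src, ts // window)].add(dst)
    alerts = {}
    for (src, _), peers in buckets.items():
        if len(peers) < threshold:
            continue
        internal = sum(any(p in net for net in INTERNAL) for p in peers)
        best = alerts.get(str(src))
        if best is None or len(peers) > best["internal"] + best["external"]:
            alerts[str(src)] = {"internal": internal, "external": len(peers) - internal}
    return alerts
```

A workstation that only talks to its file server stays below the threshold, while outbound SMB to external addresses is worth alerting on at the perimeter regardless of count. Fixed windows can split a burst that straddles a boundary, so a production rule would use a sliding window.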
Reliable Contributor catdaddy
Message 9 of 9

Do you feel that your concerns have been addressed?

Cliff
McAfee Volunteer
