What if the good hackers (white hats) or security companies started to create viruses for good? Viruses that fixed your computer before it could get hacked. Would you mind if a virus broke into your computer and fixed it before the bad guy broke in?
In May 2017, a virus called WannaCry did massive damage all over the world. It spread very rapidly by exploiting the SMBv1 protocol on Microsoft Windows operating systems with an exploit named EternalBlue. Microsoft quickly came out with a patch for Windows XP and newer operating systems. 4 months later (September 2017), there are still thousands if not millions of computers that have not been patched and are vulnerable to this virus.
Recently I did a presentation using Metasploit to break into my own vulnerable computer using the EternalBlue exploit module. I first showed an exploit attempt against an unpatched Windows XP computer, which blue screened (see figure 1 below), then I showed the exploit on an unpatched Windows 7 computer. I was able to show some of the cool things I could do after breaking into the computer, such as viewing the webcam, obtaining passwords, taking desktop screenshots, maintaining persistence, starting a keylogger, etc. These are all cool and easy post-exploit tools, but they aren’t very useful unless you are on a Red Team, a professional penetration tester, or just a bad guy.
This kind of gave me the idea of creating a program that would break into computers and then patch the computer, preventing anybody else from accessing it. I named it the “WannaThankYou Virus”. The virus was quickly written and was strictly coded for a specific OS and patch level. It does not have any error checking, patch level checking, etc.; it was just for testing purposes. I tested the “WannaThankYou virus” against one of my own computers in a controlled environment. It took approximately 15 minutes to upload the relevant Microsoft Windows patch, install the patch and then restart the computer. Next, I verified success by trying to break in again, and I was no longer able to do so.
I didn’t fully script it out for all OS versions and patch levels, but it’s something security experts might consider in the future. If there were a Metasploit module, payload option, or post-exploit module to fix/patch the computer, then it might be another use case for businesses to purchase Metasploit licenses. Just an idea.
A few concerns:
- Ethical reasons – We are talking about breaking into a computer which you do not have permission to access. You might have good intent, but it is still breaking in without permission.
- Restart or unexpected impact – The Microsoft Windows patch for the WannaCry-related vulnerability requires the computer to be restarted. Should you force a restart or let the user do this? Some computers aren’t restarted for months, depending on their use or purpose. What if you force a restart of an MRI system or medical equipment attached to a human being? I would probably lean towards a popup message stating that the computer will be restarted in X hours.
- Network bandwidth use – The virus would use network bandwidth that you are likely not paying for, so again you are using resources without permission.
- Computer resources – Computers have limited resources, and they are usually more limited the older they are. What if the user is writing a very important document, and then the virus breaks in, installs patches and the computer runs out of disk space? That user might lose everything he/she has been working on for hours. Memory, CPU and disk space are some key resources to keep in mind. Thin clients are a good example.
- Trust – How do you know the “good” virus didn’t also take some sensitive information from your computer? Can you really trust the author?
- Not applicable to all viruses – Not all viruses can be transformed into a good virus. This primarily refers to viruses that take advantage of an exploit AND obtain enough permissions to patch the computer. If the exploit only gives you normal user access, then you would have to consider privilege escalation, which is another bag of issues.
These are only a few to list. I would be very interested to hear your thoughts, feedback, opinions or concerns. Would you be happy or upset if you found out your computer had been broken into and patched by this virus? It might have saved you from being broken into by the bad virus.
Cyber security is a big issue. I think there are issues with actually launching a “good” virus or the “WannaThankYou virus”, so I am not pursuing that or going to release any of my code, but I am curious if anybody thinks this could be something we see in the future.
Here are some ways to protect against this threat:
- Apply Windows patches (Windows XP and newer)
  - Windows security updates are now rolled up monthly, and most personal computers are already configured for automatic updates. If you are regularly receiving Windows Updates, then you don’t have to worry about this specific threat.
  - I understand there are instances where you are not able to patch, such as an unsupported operating system, a vendor-managed device for which the vendor hasn’t approved these specific patches, thin clients without room for any more patches, etc. In those cases, you might need to rely on other prevention steps or spend the money to upgrade or change vendors.
- Block SMB ports
  - Most operating systems have a local firewall (Windows Firewall), or your antivirus program has a firewall. If you don’t share files or access file shares, then you can likely block the SMB ports without causing any issues.
  - Windows 2000 and older do not have Windows Firewall. You can whitelist ports via the network TCP/IP configuration or rely on a 3rd-party local firewall.
- Maintain up-to-date antivirus
  - This will likely not prevent blue screens on Windows XP, but it will help prevent malware being dropped on the computer.
- Disable SMBv1
  - Recommended on any systems that don’t require legacy file transfer support.
- Network IPS
  - For business cases, a network IPS should prevent exploits and spread attempts. You might want to review related SMB/WannaCry events and ensure they are set to block. There have been some cases of low-severity SMB-related signatures identifying WannaCry infections but not being set to block because of their severity level.
  - Network isolation will prevent exploit attempts.
- Disconnect from the internet
  - The most secure method!
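As an added example (not the author's code and not part of the original post), the following PowerShell script covers the "Block SMB ports" and "Disable SMBv1" steps above: it first audits the host and only changes anything when run with `-Apply`. It assumes a Windows 8.1 or Windows 10 client with the built-in SmbShare, DISM and NetSecurity cmdlets and an elevated prompt; Windows 7 and XP do not have these cmdlets.

```powershell
# Added example (not from the original post): audit and harden SMBv1 exposure.
# Assumes Windows 8.1/10 client SKUs (Get-SmbServerConfiguration, the SMB1Protocol
# optional feature and the NetSecurity cmdlets are not available on Windows 7/XP).
# Run from an elevated PowerShell prompt. Without -Apply the script only reports.
param(
    [switch]$Apply
)

# 1. Report the server-side SMBv1 state (the side EternalBlue-style traffic reaches).
$smbServer = Get-SmbServerConfiguration
Write-Host ("SMBv1 server protocol enabled: {0}" -f $smbServer.EnableSMB1Protocol)

# 2. Report whether the SMB1 optional feature (client and server) is still installed.
$smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Write-Host ("SMB1Protocol feature state: {0}" -f $smb1Feature.State)

# 3. Report whether an enabled inbound block rule already covers the SMB ports.
#    SMB uses TCP 445 (direct hosting) and TCP 139 (NetBIOS session service).
#    Note: this simple check matches exact ports, not port ranges such as 135-139.
$smbPorts = @('139', '445')
$blocking = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True |
    Where-Object {
        $ports = ($_ | Get-NetFirewallPortFilter).LocalPort
        ($ports | Where-Object { $smbPorts -contains $_ }).Count -gt 0
    }
Write-Host ("Enabled inbound block rules covering SMB ports: {0}" -f @($blocking).Count)

if (-not $Apply) {
    Write-Host "Audit only. Re-run with -Apply to disable SMBv1 and block inbound SMB."
    return
}

# 4. Turn off SMBv1 on the server side right away; this step needs no restart.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 5. Remove the SMB1 optional feature entirely. This does require a restart, which
#    is deliberately left to the operator (see the restart discussion above).
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

# 6. Block inbound SMB on every profile. Skip this step on hosts that serve file shares.
New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 139/445)' `
    -Direction Inbound -Protocol TCP -LocalPort $smbPorts -Action Block `
    -Profile Any -Enabled True | Out-Null

Write-Host "SMBv1 disabled and inbound SMB blocked. Restart to finish removing SMB1Protocol."
```

Run it once without `-Apply` to see the current state, and again with `-Apply` after confirming the host does not need to serve SMB shares.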
Metasploit is one of the easiest methods to launch exploits. You should never use this for malicious purposes, and you should never use it against computers you don’t have written and documented permission to exploit.
I used the Metasploit module named “MS17_010_eternalblue” to launch the exploit. I tested it on Windows XP and Windows 7 operating systems. To launch the Metasploit module against Windows XP, you must set “VerifyArch” and “VerifyTarget” to “False”.
Windows XP example below:
Windows 7 example below with a Meterpreter session. GETUID shows I have SYSTEM access to the computer after launching the exploit.
All exploit testing was against my own personal computers in a controlled environment for educational purposes. The WannaThankYou virus was created for testing purposes only, for a specific operating system version and patch level. I will not be releasing any code.
By Zachary Havins