What to expect from your Anti-Virus in times of WannaCry, EternalBlue and others (to come)?

Because we are an IT security company, we wanted to estimate the impact of EternalBlue on one of our Windows machines from which we had removed the Microsoft patch. We need to know the impact and the defense mechanisms in place when a Windows machine is not patched. So we launched the exploit and, to our big surprise, we got full remote access even with our anti-virus up to date. This was so alarming that we decided to research the root cause and installed several other anti-virus products to run the exploit against those as well.

Conclusions of our security research:
The EternalBlue exploit is not to be underestimated, because no user interaction is needed to compromise a system. Many malicious hackers will use this exploit to attack systems because it is so easy and so successful.
When new malware spreads silently by simply exploiting machines and then waits for further instructions, there will be far more infections than we have seen in the last week. A new variant is already in the wild, UIWIX, which waits 24 hours before starting its malicious activity.

Traditional anti-virus does not detect exploits or in memory malware

It is almost impossible to protect against new malware that uses the EternalBlue exploit to propagate, except by using next-generation endpoint protection with memory scanning capabilities and exploit detection. Traditional anti-virus without premium features, or left in its default configuration, will not block the EternalBlue exploit.

So not only was the exploit neither detected nor blocked; the Meterpreter hacking tool that runs in memory was also neither detected nor blocked by traditional anti-virus. Although for the specialists among us this may make sense (an exploit is not a virus), we are convinced that the general user population is NOT aware of this and assumes it is properly protected. We advise not to assume, and to always do the test or consult a specialist.

Patch operating systems and software as soon as possible

An exploit only works when the software vulnerability is not patched. The window of vulnerability between a 0-day exploit appearing and a patch being available and installed is always several days or weeks. In that window, malware that uses the exploit to infect machines will always be effective, unless your endpoint protection is able to detect exploits by default.

Patch, patch, patch

It is necessary and essential for home users and companies to patch their Windows systems with frequent updates, but even that will not be enough. Next-generation threat protection solutions are needed to detect and act on such exploitation attempts in order to be fully safe. However, we must remember that no computer system is impenetrable, so we must think ahead to stay safe.
The WannaCry malware was blocked by most anti-malware solutions with the latest virus definitions, but not by all of them. That means it is not only necessary to patch our computer systems but also to evaluate the anti-virus products we use to protect ourselves against attacks.
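The "do the test" advice above starts with knowing whether a machine is exposed at all. The following PowerShell check is an added example written for this article, not the author's own tooling: it reports whether the MS17-010 fix (the Microsoft bulletin that closes the SMBv1 flaw EternalBlue relies on) is present and whether the SMBv1 server is still enabled, and optionally disables SMBv1 as a mitigation. The KB numbers in `$Ms17010Kbs` are the ones commonly listed for that bulletin but are an assumption here: confirm the right KB for your exact Windows build against the bulletin before relying on the result. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the original post): audit a Windows host for the
# MS17-010 patch and the SMBv1 server state, which EternalBlue depends on.
# $Ms17010Kbs is an ASSUMED list; verify it against the MS17-010 bulletin
# for your specific OS build before trusting a "patched" verdict.
param(
    [switch]$DisableSmb1,
    [string[]]$Ms17010Kbs = @(
        'KB4012212','KB4012215',   # Windows 7 / Server 2008 R2 (security-only / rollup)
        'KB4012213','KB4012216',   # Windows 8.1 / Server 2012 R2
        'KB4012214','KB4012217',   # Server 2012
        'KB4012598',               # older platforms (XP / 2003 / Vista / 2008 / 8)
        'KB4013429'                # Windows 10 1607 cumulative update
    )
)

function Test-Ms17010Patch {
    param([string[]]$KbList)
    # Get-HotFix lists installed updates; any hit from the list counts as patched.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $hits = $installed | Where-Object { $KbList -contains $_ }
    [pscustomobject]@{
        Patched     = [bool]$hits
        MatchingKbs = @($hits)
    }
}

function Get-Smb1State {
    # Newer builds expose the setting via the SMB cmdlets; older ones (Windows 7)
    # only via the LanmanServer registry value (absent or 1 = enabled, 0 = disabled).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $value) -or ($value -ne 0)
}

function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
        Write-Warning 'SMB1 registry value set; a reboot is required for it to take effect.'
    }
}

$patch = Test-Ms17010Patch -KbList $Ms17010Kbs
$smb1  = Get-Smb1State

Write-Host ("MS17-010 patch present : {0} {1}" -f $patch.Patched, ($patch.MatchingKbs -join ','))
Write-Host ("SMBv1 server enabled   : {0}" -f $smb1)

if (-not $patch.Patched -and $smb1) {
    Write-Warning 'Host is unpatched AND still serving SMBv1: exposed to EternalBlue-style exploitation.'
}
if ($DisableSmb1 -and $smb1) {
    Disable-Smb1Server
    Write-Host 'SMBv1 server disabled.'
}
```

A `Patched = False` result with SMBv1 enabled is the condition the post describes for its test machine; a false "unpatched" verdict is also possible on a build whose KB is not in the list, which is why the list must be checked against the bulletin rather than taken from this example. Disabling SMBv1 removes the attack surface even where the patch status is uncertain, but verify first that no legacy device on the network still depends on it.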

Be vigilant about new exploit techniques and 0-days leaked by Shadow Brokers.

We are entering an era in which criminals can get their hands on sophisticated attack tools developed by heavily funded intelligence agencies. We rely on US companies to provide patches for operating systems that are very easily attacked with stolen attack tools, and we have no idea what these criminals have stolen. The Shadow Brokers talk about new 0-day exploits for every operating system out there.

Download the whitepaper here.
