Followed by Wanna Cry in the network burst Blue Doom

Followed by Wanna Cry in the network burst Blue Doom

The charitable marathon of ShadowBrokers sinks continues to bear fruit. Following WannaCry, another worm broke into the network, pummeled with exploits. One sample wandered to the Croats from the local CERT and got the name EternalRocks, the second one was caught by Heimdal Security and was named no less pathetic – BlueDoom. On the target machine, they came in exactly the same way as WannaCry, via port 445.

  • The new worm is interested in a large number of exploits integrated into it: it uses EternalBlue, EternalChampion, EternalRomance, EternalSynergy, ArchiTouch, SMBTouch, and DoublePulsar – all thanks to the kindness of ShadowBrokers.

Having infected the machine, EternalRocks does nothing for 24 hours (apparently, in the case of a launch in the sandbox – the authors believe that the researchers will not wait so long for the caught individual to jerk), and then knocks on the management server via the Tor network. But nothing particularly harmful, in addition to the exploit pack for further distribution, the server to him so never sent, then pretty puzzled researchers.

The author himself revealed the secret by posting a message on the command server that there is nothing to be afraid of, his worm is not a ransomware, but a very useful self-propelled “firewall” that closes port 445 for its victims. At the same time, the author stopped the campaign by disabling the exploit pack on the server. It seems that he did not like the researchers’ close attention. And what was he waiting for? People do not really like it when they try to make them happy by force.

By the way, in the week there were also full of hope messages that QuarksLab learned to calculate the encryption key from the simple number used to generate it. In practice, the sense of this discovery is not very much. Yes, the key recovery utility sometimes works, but only because the CryptReleaseContext on Windows XP incorrectly cleans the memory. On more modern OSes this function flows as it should, and Windows XP still crashes our hero.

Siemens and Bayer prepare antiWannaCry patches for medical equipment

News. It would seem, what’s the sensation here – patches are always good. However, it turned out to be interesting: it turns out that a lot of medical equipment works Windows, it is connected to the Internet and looks to the Internet on SMB. It is convenient, apparently, for maintenance. Whether it is a little, to throw new firmware, logs to look or still that. And until this time, this approach seemed safe to vendors. The MRI device will not open suspicious attachments in the letter, and it will not get to the left sites.

  • But WannaCry refers to a half-forgotten breed of malware – it’s an online worm that uses a network exploit to spread, and it’s easy enough to listen to 445 to get infected. However, no one seems to have reported that the fashionable Trojan somewhere has the disabled medical equipment, but, given the technology of its spread, it is simply inevitable. Especially since we know how reluctantly and slowly IoT vendors release patches. So, if they moved – there was a reason and a serious reason.

Meanwhile, data leakage from medical institutions has become a trend of the last year, and this is a rather painful topic. But these were just leaks. Now, imagine, what can turn into a sudden failure of the whole complex of medical equipment in the hospital? Now, in a decent modern medical institution without a special apparatus, even tablets will not be given out. In general, the threat to human life is evident.

The vector of attack through subtitles is developed

News. Study. Let’s take a break from WannaCry and see what else is happening in the world. Check Point Software revealed a new original vector of attack on users. It would seem, what can be a dangerous file with subtitles for the movie? It’s the same text! But no, almost all popular video players and media centers have vulnerabilities that allow you to run arbitrary code on the system, slipping properly designed subtitles.

The vector of attacks

This is another confirmation of the thesis that there are no vulnerabilities where they are not sought. It was worth searching – and in one VLC only four found them. Experts rolled out a small list of leaky applications suitable for this type of attack. Among them: VLC, Kodi, Stremio and Popcorn Time, are mentioned and Smart TV. In all cases, the attacker gains full control over the victim system.

The most offensive is that even those who never watch films with subtitles take risks. Many video players automatically search for and load subtitles to the movie being played, it is also not difficult to attach a malicious file to the distribution on the torrent. The company does not provide technical details due to the scale of the problem – too much vulnerable software, too many users are at risk (VLC alone has more than 170 million downloads). However, all the players mentioned in the news have already received patches, so update.


Virus-“satellite”: when you start an.EXE file, it creates a “satellite” file that has the name of the executable file and a.COM extension (for example, XCOPY.EXE – XCOPY.COM), and writes its copy to it. When you run any file from the command line, you first look for.COM files, and only then -.EXE. As a result, the.COM file containing the virus will be launched first. The virus, in turn, installs its TSR copy and runs the the.EXE file.

Implements a rather original stealth mechanism: it sets the hidden attribute on the satellite file, hooks int 21h and processes the FindNext function so that files with the hidden attribute are not output to the screen. As a result, COM files containing the body of the virus are not visible when using the DIR command, nor when working in Norton Commander.

1 thought on “Followed by Wanna Cry in the network burst Blue Doom

  1. From everything I’ve read, the spread of WannaCry has been via SMB so when you’re talking about machines behind firewalls being impacted, it implies ports 139 and 445 being open and at-risk hosts listening to inbound connections.
    And I think the Blue Doom or whatever they call it totally different type of malware.

Comments are closed.