EternalBlue; Malware infection; NotPetya; Propagation characteristics; WannaCry; Digital infrastructures; Eternalblue; Malware attacks; Malwares; Notpetya; Propagation behavior; Propagation mechanism; Wannacry; Computer Networks and Communications; Software; Safety, Risk, Reliability and Quality
Abstract :
Malware attacks pose a critical threat to digital infrastructures, particularly given their potential for widespread and fast propagation. Mitigating them involves limiting their expansion, which requires a thorough understanding of their propagation mechanisms. However, few studies have been conducted on their propagation behaviors in large-scale networks. In this paper, we present the results of an empirical study focusing on the propagation strategy of WannaCry and NotPetya, two malware instances leveraging EternalBlue, an exploit developed by the NSA and stolen by The Shadow Brokers hacker group, which has been used to implement rapid spreading in some malware instances. Our experiments qualify the speed of infection, epidemic behavior, and spreading strategies in a local network of 50 VMs. In particular, we measured for WannaCry that (1) nearly 20% of infections are processed in less than 50 seconds, and (2) up to 16 hosts are infected in a 100-second period. Our results provide meaningful insights into malware propagation to support the design of effective countermeasures.
Disciplines :
Computer science
Author, co-author :
Nguyen, Do Duc Anh; IMT Atlantique, SOTERN - IRISA (UMR CNRS 6074), France
Alain, Pierre; Université de Rennes, SOTERN - IRISA (UMR CNRS 6074), France
François, Jérôme; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SnT) > SEDAN; Inria Nancy Grand Est, France
How Fast Does Malware Leveraging EternalBlue Propagate? The case of WannaCry and NotPetya
Publication date :
2024
Event name :
2024 IEEE 10th International Conference on Network Softwarization (NetSoft) - SecSoft 2024 - 6th International Workshop on Cyber-Security in Software-defined and Virtualized Infrastructures
Event place :
Saint Louis, USA
Event date :
24-06-2024 => 28-06-2024
Audience :
International
Main work title :
2024 IEEE 10th International Conference on Network Softwarization, NetSoft 2024
Publisher :
Institute of Electrical and Electronics Engineers Inc.
This work has been partially supported by the French National Research Agency under the France 2030 label (Superviz ANR-22-PECY-0008). The views reflected herein do not necessarily reflect the opinion of the French government.