New SMB Worm Uses Seven NSA Hacking Tools. WannaCry Used Just Two

itman · May 22, 2017

Cutting_Edgetech said: ↑

Eset uses it's own packet filter driver, independent of Windows Firewall to monitor inbound, and outbound traffic unless this just recently changed.
Click to expand...

In ver. 10, Eset dropped the use of its network adapter mini-port filter and is now using the Windows Filtering Platform; something I am not currently 100% onboard with. Appears it was to take advantage of the new Win 10 security features such as AMSI that monitors script execution.

itman · May 22, 2017

A few more details on EternalRocks:

“First stage malware UpdateInstaller.exe (got through remote exploitation with second stage malware) downloads necessary .NET components (for later stages) TaskScheduler and SharpZLib from Internet, while dropping svchost.exe and taskhost.exe. Component svchost.exe is used for downloading, unpacking and running Tor from archive.torproject.org along with C&C (command and control) communication requesting further instructions,” Stampar notes.

The second-stage payload is downloaded only after a 24-hour period has passed, and is hidden as the taskhost.exe process. The payload drops the exploit pack shadowbrokers.zip, unpacks contained directories payloads/, configs/ and bins/, and then starts a random scan of opened 445 (SMB) ports on the Internet.

EternalRocks also runs contained exploits (inside directory bins/) and pushes the first stage malware through payloads (inside directory payloads/). Moreover, the running Tor process continues to wait for further instructions from the C&C.
Click to expand...

http://www.securityweek.com/eternalrocks-network-worm-leverages-7-nsa-hacking-tools

Also, this puppy exploits SMBv1 but also legitimately uses SMBv2 in the attack:

The vulnerability exploited by EternalBlue is in SMBv1, but the exploit uses SMBv2 for the shellcode, one of the researchers behind the port, who goes by the online handle of zerosum0x0, explains. The penetration tester also notes that the code is still a little rough, but that more work will be done to it.
Click to expand...

http://www.securityweek.com/nsas-eternalblue-exploit-fully-ported-metasploit

Cutting_Edgetech · May 22, 2017

itman said: ↑

In ver. 10, Eset dropped the use of its network adapter mini-port filter and is now using the Windows Filtering Platform; something I am not currently 100% onboard with. Appears it was to take advantage of the new Win 10 security features such as AMSI that monitors script execution.
Click to expand...

Thank you for letting me know! Now I know why I did not see the mini-port filter listed on my network adapter the last time I looked.

I may have to compare some other firewalls like Windows Firewall Controller, etc.. because the developer dedicates a lot of time to the firewall. It seems most developers are switching to Windows Filtering Platform so I think I should use which ever product is taking advantage of all the options Windows Filtering Platform has to offer. I'm not really sure how much time Eset puts into their firewall.

itman · May 23, 2017

Cutting_Edgetech said: ↑

I'm not really sure how much time Eset puts into their firewall.
Click to expand...

Security wise it is tops in protection especially with the IDS and botnet components.

Main criticism of the firewall is it is fairly low level as far as user features go. For example if outbound monitoring is enabled, you're going to get an alert on every connection attempt. This contrasts with for example, Symantec Norton's firewall that will auto create outbound rules for system and known safe processes.

Log in or Sign up

New SMB Worm Uses Seven NSA Hacking Tools. WannaCry Used Just Two

itman Registered Member

itman Registered Member

Cutting_Edgetech Registered Member

itman Registered Member

Log in or Sign up

New SMB Worm Uses Seven NSA Hacking Tools. WannaCry Used Just Two

itman Registered Member

itman Registered Member

Cutting_Edgetech Registered Member

itman Registered Member

Useful Searches