Update June 28, 2017:
As many readers have heard, in recent days hundreds of thousands of computer systems and millions of users have been affected by a ransomware attack known as “WannaCrypt” or “WannaCry.” Exploiting a flaw in the Microsoft Windows operating system, the malware locked users out of their system and demanded a Bitcoin payment to regain access. While the worst of the storm seems to have past, clearing up the debris in its wake – such as the possible return of the malware in a modified form – could affect users and lock them out of their systems and data. It is critical that users and organizations identify and patch machines running vulnerable versions of Microsoft Windows. This post will provide guidance on how to use Snow’s software to identify vulnerable systems.
The cyber attack involving the Wannacry ransomware worm, which broke out on May 12, exploited a weakness in the Windows platform – a vulnerability that Microsoft published patches for earlier in March 2017[i]. Once a computer is infected, the worm exploits an old communication protocol, SMBv1, to spread itself to other machines connected to the same network.
Even organizations with established security update procedures in place are at risk, as machines not connected to the corporate network for some time may not be patched. The patch is called MS17-010, which Microsoft has delivered for all supported platforms including Vista, as well as a free-of-charge patch for the legacy platform XP (which some organizations are still using and paying for support).
Once the worm gets into a machine, it encrypts its contents, effectively rendering the computer useless. As a piece of ransomware, the Wannacry worm offers a decryption possibility in exchange for payment in bitcoins. There is no guarantee that an infected computer will be restored following payment, and neither will payment protect from future threats posed by the criminals behind this cyber attack.
The effect of the worm has been disastrous. Enterprises will pay the price in loss of data, downtime, and stolen IPR, hospitals have been forced to turn patients away, trains were delayed and many organizations’ communication systems were affected.
While the spread of the worm has been stopped, it may still reside on computers in your network, potentially exposing you to risk. Many organizations have removed the threat from their environments, but to help our customers gain insight into the reach of Microsoft patches and the status of the SMBv1 protocol, Snow has developed a specialized script.
Snow’s specialized script identifies the reach of the Microsoft patch and the status of the SMB protocol in your enterprise. The solution is available on-demand to our customers using Snow Inventory, Software Recognition Service and Snow License Manager. As our products communicate with all inventoried machines over the internet, our solution overcomes the issue of detecting the status of remote machines.
Snow’s specialized inventory script detects:
- What machines on your network have been patched
- What machines have disabled the SMBv1 communication protocol
- If a computer has been inventoried by the specialized script or not.
The solution is an encrypted PowerShell script, which should be deployed in the same way as other Snow scripts. The script is encrypted, due to the elevated access level of the Snow inventory agent, thus protecting the script (and your environment) from manipulation at runtime. When the inventory agent runs on a computer, it will detect the encrypted script, and carries out the following:
1.Matches the patches installed on the machine against the list provided by Microsoft – each versions of Windows requires a separate patch, so several patches maybe found on a machine
2.Determines if the SMBv1 protocol is disabled.
A true on either of these tests will create a software entry in the inventory data for that machine. Software Recognition Service interprets this information as an application, which can be viewed in the applications list in Snow License Manager.
The specialized script scan-ms17-010.snowps1 is available on-demand for Snow customers using Snow License Manager, Inventory, and Software Recognition Service by logging a request via the Snow Support page or by emailing email@example.com. Local support telephone numbers are also available on Snow’s Support page.
For Inventory 5 customers, deploy the script to the machines in your environment by creating a new update package in Inventory Console/ SnowMACC, with the specialized script (shown in Figure 1).
Figure 1: Create update package
For Inventory 3 customers, Snow support can provide you with this script Snow Support page.
Once the script has been deployed perform an inventory scan on your estate.
If the script has been executed on a machine, the following information will be added to the inventory scan:
<CustomRegKey Data="1.0" Name="Version" ModifiedTime="yyyy-mm-dd hh:mm_ss" RegKey="HKEY_LOCAL_MACHINE\SOFTWARE\Snow Software\DetectMS17010" Type="1"/>
If any of the relevant patches are found, the following information will be added to the inventory scan:
<Software InstallDate="yyyy-mm-dd hh:mm_ss " Manufacturer="Microsoft" Name="MS17-010 Patch Installed" PathName="(n/a)" Version="KB4012212" IsLocal="0" IsShortcut="0" IsSnow="0" UninstallString="" IsMSI="0" FileSize="0" FileDateTime=" yyyy-mm-dd hh:mm_ss" FullVersion="KB4012212" LanguageName="(n/a)"/>
If the SMB protocol is disabled, the following information will be added to the inventory scan:
<Software InstallDate="yyyy-mm-dd hh:mm_ss " Manufacturer="Microsoft" Name="MS17-010 SMBv1 Disabled" PathName="(n/a)" Version="0" IsLocal="0" IsShortcut="0" IsSnow="0" UninstallString="" IsMSI="0" FileSize="0" FileDateTime=" yyyy-mm-dd hh:mm_ss" FullVersion="0" LanguageName="(n/a)"/>
By creating an application in the software recognition library matching the above software entries, Snow License Manager can display the application on detail pages as well as through the standard application reports, highlighting computers that have the patch installed, or where the SMB protocol disabled.
In Snow Inventory, you can create a view listing the devices with the MS17-010 application (shown in Figure 2), by selecting the columns: Device\Computer name, Software\Software name, Software\Software version, and Operating system\Name, and by searching for “MS17-010” in a software filter to identify which computers have been patched.
Figure 2: List of devices with software rows for MS17-010
For more help
All Snow customers affected by this attack and any others interested in how Snow helps customers maintain and optimize their IT estate are encourage to reach out to us for additional information.
Important note - whilst this article recommends a fix for the current strain of the Wannacry ransomware, it is no guarantee of protection from future malware.
Cyber criminals infiltrate a network using multiple attack vectors. For this reason, Snow Software recommends the use of a fully-fledged security solution to complement the OS patching best practice described above.