Introducing the WannaCry application

May 2017 by Marc Jacob

After our blog post on Sunday regarding the WannaCry malware breakout, LogPoint announced our turn-key application to detect and respond to WannaCry.

The application works on LogPoint and LogPoint Free, works for all types of devices (firewalls, content security appliances, file shares, etc.) and provides a simple, effective tool to monitor and contain any further spread of the malware.

In addition, as research moves forward with different samples of WannaCry, we can provide easy and fast updates to the application. For more information about the application and the way forward, have a look at our WannaCry/Ransomware page.

The technical details of the application are covered below:
o Monitoring the network for unusual connections to the SMB services between workstations. As the worm propagates by infecting and spreading, we will see unusual access patterns; clients should only connect to servers – in this case, we will see clients connecting to other clients.
o The malware has a very easy-to-spot pattern: encrypting files. Detecting when this happens is carried out through the use of the LogPoint agent. By monitoring for WCRY extensions we can easily detect if an infection takes place.
o The malware exploits the vulnerability identified in MS17-010. This vulnerability is detected through Qualys; by importing all Qualys scans into LogPoint, alerts will fire immediately as vulnerable hosts are discovered by Qualys.
o Certain variations of the worm will attempt to connect to a domain, which is now sinkholed. This connection is easy to detect and our analytics application will alert the second this takes place.
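
The first two checks in the list above can be sketched as follows. This is an added example, not LogPoint's application or query language; the event field names, the workstation subnet, the fan-out threshold and the sample events are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: workstation subnets are known in advance; this range is constructed.
WORKSTATION_NETS = [ipaddress.ip_network("10.10.0.0/16")]
SMB_PORT = 445
FANOUT_THRESHOLD = 3  # assumed: distinct workstation peers before alerting

# Constructed sample events (not real logs): connection and file-create records.
SAMPLE_EVENTS = [
    {"type": "conn", "src": "10.10.1.5", "dst": "10.20.0.10", "dport": 445},  # client -> server
    {"type": "conn", "src": "10.10.1.7", "dst": "10.10.1.8", "dport": 445},
    {"type": "conn", "src": "10.10.1.7", "dst": "10.10.1.9", "dport": 445},
    {"type": "conn", "src": "10.10.1.7", "dst": "10.10.2.4", "dport": 445},
    {"type": "conn", "src": "10.10.1.7", "dst": "10.10.2.4", "dport": 443},
    {"type": "file", "host": "10.10.2.4", "path": r"C:\Users\a\report.docx.WCRY"},
    {"type": "file", "host": "10.10.1.5", "path": r"C:\Users\b\notes.txt"},
]

def is_workstation(ip):
    """True if the address falls inside one of the workstation subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WORKSTATION_NETS)

def detect(events, threshold=FANOUT_THRESHOLD):
    """Return alerts for workstation-to-workstation SMB fan-out and WCRY files."""
    peers = defaultdict(set)  # source workstation -> distinct workstation SMB peers
    alerts = []
    for ev in events:
        if ev["type"] == "conn" and ev["dport"] == SMB_PORT:
            src, dst = ev["src"], ev["dst"]
            # Clients should only talk SMB to servers; client-to-client is unusual.
            if src != dst and is_workstation(src) and is_workstation(dst):
                peers[src].add(dst)
                if len(peers[src]) == threshold:  # alert once per source
                    alerts.append(("smb_fanout", src))
        elif ev["type"] == "file" and ev["path"].lower().endswith(".wcry"):
            # File created or renamed with the WCRY extension named in the article.
            alerts.append(("wcry_file", ev["host"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```
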

