Working mechanism of Eternalblue and its application in ransomworm
This provides incremental insights for cybersecurity researchers and practitioners by enabling better detection of ransomworms using Eternalblue.
The paper analyzes the Eternalblue exploit and its use in ransomworms like Wannacry, finding that the code remains largely unchanged when transplanted, which aids in detection through signatures.
After the leaking of exploit Eternalblue, some ransomworms utilizing this exploit have been developed to sweep over the world in recent years. Ransomworm is a global growing threat as it blocks users' access to their files unless a ransom is paid by victims. Wannacry and Notpetya are two of those ransomworms which are responsible for the loss of millions of dollar, from crippling U.K. national systems to shutting down a Honda Motor Company in Japan. Many dynamic analytic papers on Wannacry were published, however, static analytic papers about Wannacry were limited. Our aim is to present readers an systematic knowledge about exploit Eternalblue, from a high\textendash leveled semantic view to the code details. Specifically, the working mechanism of Eternalblue, the reverse engineering analysis of Eternalblue in Wannacry, and the comparison with the Metasploit's Eternalblue exploit are presented. The key finding of our analysis is that the code remains almost the same when Eternalblue is transplanted into Wannacry, which indicates its potential for signatures and thus detection.