NSA EternalBlue exploits live on with an endless infection loop

Unpatched computers are enabling NSA’s EternalBlue exploit to live on, with affected devices getting stuck in an endless infection cycle with new infections occurring at the kernel level as the previous ones are removed.

The vulnerable computers are typically running a cracked variant of a Windows operating system along with the older SMB1 protocol targeted by the EternalBlue exploit.

EternalBlue infections live on

“There are still significant numbers of repeatedly infected machines more than a year after the big WannaCry and Petya attacks,” said Mikel Echevarria-Lizarraga, senior virus analyst in the Avira Protection Lab. “Our research has linked this to Windows machines that haven’t been updated against the NSA Eternal Blue exploit and are an open target for malware.”

EternalBlue is an exploit first stockpiled by the American NSA and subsequently leaked by Shadow Brokers. It taps a vulnerability in Microsoft’s Server Message Block (SMB) protocol. Armed with this capability, it’s possible to arbitrarily run code on the targeted computer. Hackers seized this opportunity, weaponizing EternalBlue for the WannaCry and Petya ransomware attacks of 2017.

Users of cracked Windows installations are at risk

“We were researching the reasons behind a number of machines having repeated infections,” explained Mikel. “We’ve found that many of these serially infected machines were running activation cracks which means that they cannot or do not want to update Windows and install updates. It also means that they did not receive the March 2018 emergency patch from Microsoft for this vulnerability.” The Avira solution – and a solution independently suggested by Microsoft – is to turn off the SMB1 protocol entirely. “We decided to deactivate it on the machines that have the endless infection loop and where the related windows patches had not been installed,” he added.

Since the activation of this solution, Avira has uncovered around 300,000 computers with this problem, and the Avira Protection whatever is deactivating the vulnerable protocol on around 14,000 computers daily. “The strategy is working, points out Mikel: “Once the SMB1 protocol is deactivated, we don’t see the same machines affected again and again with this problem.”

Top infected countries mostly outside of North America and Europe

The Avira list of the top ten countries for serially infected machines is as follows:

  • Indonesia
  • Taiwan
  • Vietnam
  • Thailand
  • Egypt
  • Russia
  • China
  • Philippines
  • India
  • Turkey

The predominance of infected machines outside of North America and Europe roughly parallels studies from Statista on the use of unlicensed software. This study found unlicensed software rates averaging around 52 – 60% outside the United States and the European Union and fell to 16% and 28% respectively in these areas. Unlicensed software is usually unable to get the latest patches against vulnerabilities such as EternalBlue.

This post is also available in: GermanFrenchItalian

As a PR Consultant and journalist, Frink has covered IT security issues for a number of security software firms, as well as provided reviews and insight on the beer and automotive industries (but usually not at the same time). Otherwise, he’s known for making a great bowl of popcorn and extraordinary messes in a kitchen.