Euro Security Watch with Mathew J. Schwartz

Anti-Malware , Ransomware , Technology

Uiwix Ransomware Follows WannaCry's SMB-Targeting Lead Good News: Uiwix - Like Monero-Mining Adylkuzz Malware - Poses Little Threat
Uiwix Ransomware Follows WannaCry's SMB-Targeting Lead
Uiwix's ransom note. (Source: Trend Micro)

Life after WannaCry: Already, other cybercrime gangs appear to be jumping on the Windows server message block targeting bandwagon, including the operators behind Uiwix ransomware.

See Also: Defend Against Spear Phishing: Encouraging Developments Gaining Momentum

Thankfully, however, unlike the SMB-targeting WannaCry ransomware worm that took the world by storm beginning May 12, Uiwix poses very little threat, security researchers report.

"Uiwix is executed in memory after exploiting EternalBlue." 

While some early reports suggested that Uiwix was also spreading as a worm to automatically infect endpoints, those reports have now been dismissed by British security researcher Kevin Beaumont, who recently found a sample in the wild via a honeypot.

Instead, whoever is behind Uiwix appears to be manually scanning for systems that have the SMB flaw, then targeting them in an attempt to exploit the flaw and install the ransomware. According to a Shodan search, there are nearly 400,00 such systems - if not more - accessible via the internet.

Nasty SMB Flaw

Shodan scan of open SMB ports on Windows machines, as seen on May 18.

Brief recap: A patch for the SMB flaw was released in March by Microsoft via its MS17-010 security updates of its supported systems, as well as May 12 for Windows XP, 2003 and 8.

A related attack tool built by the Equation Group - likely the National Security Agency - designed to exploit the SMB flaw was released April 14 by the Shadow Brokers, and called EternalBlue. The WannaCry outbreak targeted EternalBlue, as well as an Equation Group backdoor called DoublePulsar that was then installed on some infected endpoints, to spread (see Teardown: WannaCry Ransomware).

Since the attack tools were dumped, the number of endpoints infected with just the DoublePulsar backdoor software - not just by the Equation Group, but also enterprising attackers - apparently has reached more than 400,000.

Uiwix Goes Fileless

Unlike WannaCry, Uiwix appears to be fileless malware, security firm Trend Micro says in a blog post. "Uiwix is executed in memory after exploiting EternalBlue," it says. "Fileless infections don't entail writing actual files/components to the computer's disks, which greatly reduces its footprint and in turn makes detection trickier."

The ransomware is also designed to operate more cautiously than WannaCry. "Uiwix is also stealthier, opting to terminate itself if it detects the presence of a virtual machine (VM) or sandbox," Trend Micro says. "Based on UIWIX's code strings, it appears to have routines capable of gathering the infected system's browser login, File Transfer Protocol (FTP), email, and messenger credentials."

Teardown: WannaCry versus Uiwix

Source: Trend Micro

Target: EternalBlue

WannaCry and Uiwix aren't the only pieces of malicious code that have been found in the wild targeting the MS17-10 - EternalBlue - vulnerability.

Security researchers report that cryptocurrency-mining malware called Adylkuzz also began exploiting the SMB flaw, apparently in late April - before WannaCry - to mine for virtual currency called monero. And there are signs that North Korea may be tied to both the WannaCry and Adylkuzz campaigns, although that has not been proven (see Is WannaCry the First Nation-State Ransomware?).

As with Uiwix, however, this Adylkuzz campaign - designed to install a cryptocurrency miner called cpuminer - poses little risk, security firm Symantec says in a blog post.

"Due to the effectiveness of [intrusion prevention systems] in proactively blocking infections, Symantec is observing low infections of Adylkuzz," the security firm reports.

Out of more than 44 million attempts to exploit the MS17-10 flaw against systems running Symantec software, fewer than 200 endpoints have been infected by Adylkuzz, the company says.

Lock It Down

The takeaway: Don't obsess over ransomware gangs attempting to jump on the WannaCry bandwagon. Instead, "focus on patching," Beaumont says via Twitter.

That's also the top recommendation from the U.S. Computer Emergency Response Team, part of the Department of Homeland Security, which has issued guidance for blocking WannaCry, or any other malicious code that targets the SMB flaw.

Check every Windows system in the enterprise to ensure that it isn't using SMBv1, which is enabled by default, even in Windows 10 and Windows Server 2016.

While the EternalBlue exploit - which dates from 2013 - didn't exploit the latest Windows operating systems, a security researcher has now ported EternalBlue so it will work on any 64-bit Windows 8 and Windows Server 2012 systems that have SMB enabled and not blocked by a firewall.

Of course, it's likely that whoever built EternalBlue - believed to the NSA - and anyone else who may have independently discovered the flaw and also been using it had already updated their attack tools to do the same.

So if you haven't started already, get patching.



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network