'Eternal Blue' Microsoft Patch Download
Avira recognized a significant number of infections related to the exploit MS17-010 (Eternal Blue). The vulnerability is resolved by installing the latest Microsoft security patches; we generally advise keeping security patches up to date.
This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server. To learn more about the vulnerability, see Microsoft Security Bulletin MS17-010.
For almost the past month, key computer systems serving the government of Baltimore, Md. have been held hostage by a ransomware strain known as “Robbinhood.” Media publications have cited sources saying the Robbinhood version that hit Baltimore city computers was powered by “Eternal Blue,” a hacking tool developed by the U.S. National Security Agency (NSA) and leaked online in 2017. But new analysis suggests that while Eternal Blue could have been used to spread the infection, the Robbinhood malware itself contains no traces of it.
On May 25, The New York Times cited unnamed security experts briefed on the attack who blamed the ransomware’s spread on the Eternal Blue exploit, which was linked to the global WannaCry ransomware outbreak in May 2017.
That story prompted a denial from the NSA that Eternal Blue was somehow used in the Baltimore attack. It also moved Baltimore City Council President Brandon Scott to write the Maryland governor asking for federal disaster assistance and reimbursement as a result.
But according to Joe Stewart, a seasoned malware analyst now consulting with security firm Armor, the malicious software used in the Baltimore attack does not contain any Eternal Blue exploit code. Stewart said he obtained a sample of the malware that he was able to confirm was connected to the Baltimore incident.
“We took a look at it and found a pretty vanilla ransomware binary,” Stewart said. “It doesn’t even have any means of spreading across networks on its own.”
Stewart said while it’s still possible that the Eternal Blue exploit was somehow used to propagate the Robbinhood ransomware, it’s not terribly likely. Stewart said in a typical breach that leads to a ransomware outbreak, the intruders will attempt to leverage a single infection and use it as a jumping-off point to compromise critical systems on the breached network that would allow the malware to be installed on a large number of systems simultaneously.
“It certainly wouldn’t be the go-to exploit if your objective was to identify critical systems and then only when you’re ready launch the attack so you can do it all at once,” Stewart said. “At this point, Eternal Blue is probably going to be detected by internal [security] systems, or the target might already be patched for it.”
It is not known who is behind the Baltimore ransomware attack, but Armor said it was confident that the bad actor(s) in this case were the same individual(s) using the now-suspended Twitter account @Robihkjn (Robbinhood). Until it was suspended at around 3:00 p.m. ET today (June 3), the @Robihkjn account had been taunting the mayor of Baltimore and city council members, who have refused to pay the ransom demand of 13 bitcoin — approximately $100,000.
In several of those tweets, the Twitter account could be seen posting links to documents allegedly stolen from Baltimore city government systems, ostensibly to both prove that those behind the Twitter account were responsible for the attack, and possibly to suggest what may happen to more of those documents if the city refuses to pay up by the payment deadline set by the extortionists — currently June 7, 2019 (the attackers postponed that deadline once already).
Some of @robihkjn’s tweets taunting Baltimore city leaders over non-payment of the $100,000 ransomware demand. The tweets included links to images of documents allegedly stolen by the intruders.
Over the past few days, however, the tweets from @Robihkjn have grown more frequent and profanity-laced, directed at Baltimore’s leaders. The account also began tagging dozens of reporters and news organizations on Twitter.
Stewart said the @Robihkjn Twitter account may be part of an ongoing campaign by the attackers to promote their own Robbinhood ransomware-as-a-service offering. According to Armor’s analysis, Robbinhood comes with multiple HTML templates that can be used to substitute different variables of the ransom demand, such as the ransom amount and the .onion address that victims can use to negotiate with the extortionists or pay a ransom demand.
Based on the ransomware news of late, I am motivated to (1) check if SMB is running on my laptop and (2) confirm that I have the right patch. Full disclosure: I only started googling SMB today, motivated by the ransomware problem.
For item (1), my laptop is the only computer on my WiFi LAN, and I don't recall explicitly enabling SMB, but that doesn't mean it's not running. My smartphone connects to a Microsoft Exchange Server emulator (Akrutosync) over my WiFi, but I don't know if the protocol has anything to do with SMB (probably not?). How can I check whether SMB is enabled?
For item (2) (which is what caused me to google SMB), I found https://technet.microsoft.com/en-us/library/security/ms17-010.aspx. I then searched for how to check which updates I have. I'm up-to-date, but still wanted to check for the presence of the specific patch from the past. However, none of the patches listed show up using codes that resemble the 'MS17-010' format in the above link. They are all listed by KB code, not the 4013389 in the above link. How do I go about checking for the patch?
Finally, even though this is not one of the two questions that I list above, is there a known vector by which the compromise can propagate to a machine even if I have the patch? Would the answer be the same using my home WiFi vs. a public WiFi network, e.g., at a cafe, airport, hotel, or even a private WiFi network at a friend's or relative's home? Note that I designate all WiFi networks as 'Public', including the one at home.
Thanks.
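The two checks the question asks for, as an added example that is not part of the original post: whether the SMBv1 server is enabled and listening on this machine, and whether an MS17-010 package is installed. It assumes an elevated PowerShell session on Windows 8/8.1/10 or Server 2012 and later (where the Smb* and Get-NetTCPConnection cmdlets exist); KB4013389 is the bulletin-level article number from the question, and the per-OS package IDs are a placeholder to be filled in from the MS17-010 bulletin table.

```powershell
# Added example, not from the original post. Run as Administrator.
# Assumes Windows 8 / Server 2012 or later (Get-SmbServerConfiguration,
# Get-WindowsOptionalFeature and Get-NetTCPConnection are not on Windows 7).

# (1) Is SMBv1 enabled, and is anything listening on the SMB port?
$smbCfg      = Get-SmbServerConfiguration
$smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
                   -ErrorAction SilentlyContinue
$listening   = Get-NetTCPConnection -LocalPort 445 -State Listen `
                   -ErrorAction SilentlyContinue

[pscustomobject]@{
    'SMB1 server enabled'   = $smbCfg.EnableSMB1Protocol
    'SMB1 feature state'    = if ($smb1Feature) { $smb1Feature.State } else { 'n/a' }
    'SMB2/3 server enabled' = $smbCfg.EnableSMB2Protocol
    'Listening on TCP 445'  = [bool]$listening
} | Format-List

# Current SMB sessions into this machine (empty output = nobody connected).
# Dialect below 2.0 means the peer negotiated SMBv1.
Get-SmbSession -ErrorAction SilentlyContinue |
    Select-Object ClientComputerName, ClientUserName, Dialect

# (2) Is the MS17-010 package installed? Windows Update lists packages by
# KB number, never by the 'MS17-010' bulletin ID, so match on the KB IDs.
# KB4013389 is the bulletin article from the question; replace the
# placeholder with the KB number(s) for your OS from the bulletin table.
$kbIds = @('KB4013389', 'KB<os-specific-id-from-bulletin>')

$installed = Get-HotFix | Where-Object { $kbIds -contains $_.HotFixID }
if ($installed) {
    $installed | Select-Object HotFixID, Description, InstalledOn
} else {
    Write-Warning "None of: $($kbIds -join ', ') reported by Get-HotFix."
    # On Windows 10 the March 2017 fix is folded into every later cumulative
    # update, so an up-to-date build is patched even though the old KB is
    # absent; compare this build against the bulletin's affected versions.
    Write-Warning ("OS build: " + [System.Environment]::OSVersion.Version)
}

# Hardening step if SMBv1 turns out to be enabled and nothing needs it:
#   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

Get-SmbSession and Get-HotFix need an elevated prompt; a non-elevated session returns nothing for the former, which would look like "no sessions".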