While Windows 10 avoided infection by WannaCry last month, security researchers at RiskSense have shown how the malware could be ported to the OS and infect it.
WannaCry uses EternalBlue, an exploit from the NSA stolen last summer and published this year. The researchers said that EternalBlue was “one of the most complex exploits ever written.”
They added that this exploit is “highly dangerous in that it can provide instant, remote, and unauthenticated access to almost any unpatched Microsoft Windows system, which is one of the most widely used operating systems in existence for both the home and business world.”
Researchers at RiskSense created a Metasploit module that could evade security features and mitigations deployed by Microsoft in its latest operating system, including Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).
Other changes were also made. The researchers removed the DoublePulsar backdoor, which, according to them, was not necessary for the exploit to work. In its place, the port was developed to deliver an Asynchronous Procedure Call (APC) payload, which allowed code execution without installing a backdoor.
“By removing superfluous fragments in network packets, our research makes it possible to detect all potential future variants of the exploit before a stripped-down version is used in the wild. We also substantiated the premise that the original exploit’s DOUBLEPULSAR payload is a red herring for defenders to focus on, as a stealthier payload mechanism can be crafted,” said the researchers in a paper.
The researchers said that the idea behind this work was to help prevent future attacks, rather than to give hackers information on how to compromise Windows 10.
“We’ve omitted certain details of the exploit chain that would only be useful to attackers and not so much for building defences. The research is for the white-hat information security industry in order to increase the understanding and awareness of these exploits so that new techniques can be developed that prevent this and future attacks. This helps defenders better understand the exploit chain so that they can build defences for the exploit rather than the payload,” the researchers added.
The ported exploit was created to work on Windows 10 x64 version 1511 (November Update). This version is still supported by Microsoft.
This article originally appeared at scmagazineuk.com