WannaCry: the rush to blame XP masked bigger problems

As the world reeled from WannaCry earlier this month, many fingers were pointed at organizations still using Windows XP. As we now know, the contagion actually infected Windows 7 systems the most.

It’s still a bad idea to use XP. It’s no longer supported, has a long history of being exploited, and the latest versions of Windows are far more secure. But making XP the scapegoat distracted security pros from other aspects of the attack that needed to be understood.

SophosLabs continues to investigate why WannaCry couldn’t remotely infect XP nearly as effectively as Windows 7  – if it could at all – and whether the mechanics of the outbreak were the deliberate actions of an attacker or merely a case of buggy code run amok. What they know so far is described below.

Regardless of why Windows 7 was the easier conduit, this much is certain:

  • Windows 7 computers were infected because they hadn’t been patched against the Windows SMB vulnerability that WannaCry exploited.
  • Like countless attacks before it, WannaCry had no trouble spreading because so many unpatched systems had their port 445 open to the outside.

Failure to patch – again

WannaCry spread because of a vulnerability in Windows Server Message Block (SMB) service, which Windows computers use to share files and printers across local networks. It’s the same type of old-school vulnerability that allowed worms like Slammer and Conficker to spread around the globe more than a decade ago.

Microsoft had addressed the issue in its MS17-010 bulletin in March, but companies using older, no-longer-supported versions of the operating system wouldn’t have seen it unless they were signed up for custom support, ie Microsoft’s special extended – and paid-for – support.

Microsoft has begun phasing out Windows 7, though it continues to offer limited extended support options for business customers. Windows 7 Service Pack 1 will expire in two and a half years’ time, on January 14 2020. Despite that, Windows 7 remains in heavy use and, as the WannaCry outbreak demonstrated, many of those systems are not getting patched in a timely manner.

Unpatched Windows 7 + port 445 = trouble

During its investigation, SophosLabs has confirmed that systems most at risk in the attack had been running unpatched versions of SMB on Windows 7.

Take all those unpatched computers and leave them with port 445 open on a public or even private network and you’re asking for trouble. In that scenario, once a single device is compromised, the attack can spread like wildfire across your internal network.

That’s why the usual advice is to not have open 445 ports looking to the outside.

XP was a poor conduit

Though the lack of patching and exposure of port 445 were easily identified problems, the reasons why Windows 7 was an easier target than XP remain somewhat clouded.

During testing, SophosLabs found that XP wasn’t the effective conduit for infection via the EternalBlue SMB exploit that many thought it was, while Windows 7 was easily infected. The research showed that WannaCry ransomware can affect XP computers – but not via the SMB worm mechanism, which was the major propagation vector for WannaCry.

The screenshot below shows the attack (at the network level, in Wireshark) going against an XP target. You can see that very early on, the servers respond with an error and it fails to proceed any further:

Here is the same attack on Windows 7. Note that the same error does not appear in this case:

The Windows 7 infection then continues to an actual payload state:

Various security companies arrived at a similar conclusion, putting the infection rate among Windows 7 computers at between 65% and 95%. SophosLabs puts that number even higher: our analysis of endpoint data for the three days that followed the outbreak shows that Windows 7 accounted for nearly 98% of infected computers.

That percentage came as a surprise to some, since XP was almost universally cited as the exploited operating system. Microsoft even took the highly unusual step of making a security update for platforms in custom support (such as Windows XP) available to everyone.

The tiny amount of XP computers reporting WannaCry detections were likely test machines or PCs infected through a different vector.

A difference of SMB drivers?

Early in the outbreak, researchers determined that both SMBv1 and SMBv2 packets were used in the attack. Since both versions of SMB were in play, it could be theorized that Windows XP proved hard to infect because it does not include SMBv2, which was introduced in Windows Vista.

But so far, it’s hard to reach that conclusion with 100% confidence.

Lessons learned

For organizations still running Windows 7 and other versions of the OS, recent events highlight an important lesson that continues to go unheard:  that organizations must keep a close watch for patch updates and deploy the fixes immediately.

Some will criticize organizations that are slow to patch or use the latest Windows versions. It can be especially easy to blame the victim. But slow patching or the use of outdated versions of Windows isn’t always the result of laziness or apathy.

It’s long been the case that IT shops hold back some patches because they need to tweak their systems for compatibility. Otherwise, they risk deploying a patch that breaks other programs. Meanwhile, some organizations have continued to use old versions of Windows because:

  • They lack the financial and human resources to upgrade.
  • Their legacy systems simply aren’t yet equipped to work with the likes of, say, Windows 10.

There are other reasons, but those are two big challenges.

But as Sophos CTO Joe Levy noted shortly after the outbreak, there are cases when a patch shouldn’t be viewed as optional, no matter what the company’s patching policy – like when the vulnerabilities fall into the category of common-mode failure.

Patch often and block port 445

The bottom line: if you use older versions of Windows, you’re at greater risk for attacks like these.

The best advice is still for organizations to keep their patching up to date and use current versions of Windows. Or, if you must continue using older versions for compatibility reasons, sign up for Microsoft custom support so you continue to receive security updates.

Just as importantly, for the reasons stated above, organizations need to set their firewalls to block access to port 445.