EternalGlue - Rewriting NotPetya for corporate use

Presented at 44CON 2019, Sept. 13, 2019, 3 p.m. (59 minutes).

NCC Group had a large corporate client that was interested in how their production network would be impacted if they had been hit by the NotPetya worm. Cedric and Aaron ended up reverse engineering NotPetya and building a custom version with all the ransomware/destructive capabilities pulled out, and plugged it inside new logic to limit how it spreads. This allowed client-defined parameters to dictate where it could propagate and also allowed infections to transmit telemetry information back to a central server to allow visibility into how and where it spread. After providing the client with the tool they went through a three-phase approach of ensuring that the simulated worm actually behaved as expected, with the final phase being them running it within their corporate production environment. This allowed them to observe how the real threat would’ve spread, highlighted some important mitigations already in place, as well as highlighting areas of their network they didn’t anticipate to be affected, etc. Cedric and Aaron will discuss the work involved in reverse engineering NotPetya, the logic introduced to ensure safe and controlled propagation, some of the technical hurdles encountered, basic AV bypassing required, the lab environment used for testing, etc. James will discuss his experience from the client’s perspective and what was involved in convincing such a large organization to get on board with running such a tool in a production environment. This opens up a new phase of development and tooling opportunity for the defense industry. It allows us to much more closely mimic realworld scenarios in a controlled fashion and allows different and arguably more realistic visibility into the effects of such realworld attacks, versus more traditional consulting approaches.

Presenters:

  • Aaron Adams - NCC Group
    Aaron works in NCC Group’s Exploit Development Group. He has been doing reverse engineering / exploit development / code review for 15+ years. For some reason he is particularly fond of heaps.
  • Cedric Halbronn - NCC Group
    Cedric (@saidelike) has joined NCC Group in 2015 and has been doing reverse engineering / exploit development for 10+ years. His current interests are memory corruption bugs in the Windows kernel, HP iLO, mobile devices, embedded devices, etc.
  • James Fisher
    James for the last 6 years has been responsible for defending a large global network against technically minded adversaries; prior to this he spent 11 years as a senior penetration tester, 6 of which as a CHECK team leader.

Links:

Similar Presentations: