How to detect the presence of Wannacry Ransomware and SMBv1 servers on your network.

Thanks for the post. Should Network Traffic Analyzer be able to show SMB1 traffic?

This makes another good case for network monitoring, file monitoring, etc.

NetFlow and NBAR2 can detect SMB on port 445, but they cannot differentiate between SMBv1, v2, or v3. Safe to say that by the time you can run a report in NTA to look for the traffic, it would be too late anyway

Also, check out this article written by a malware analyst who managed to stop the spread of Wannacry: https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

Thanks for the response. Yes, had read that article and he bought the domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com which has now turned into a sinkhole. Problem is that WannaCry2 is just around the corner and those behind it will make it more robust so it does not go down if one domain is taken out.

From what I understand SMBv1 can only be identified by looking at packet payloads. We have included detection capabilities in our LANGuardian product to report on any servers communicating using SMBv1. Doing further research at the moment to extend this to report on systems that can potentially communicate using this legacy protocol.

Tenable make a product called Passive Vulnerability Scanner (PVS).  Think of it a Snort style sniffer that specifically looks for protocol versioning.  Such as SNMPv2 traffic where only SNMPv3 exists.  PVS could look for SMBv1 and alert.

It's best to disable smbv1 in group policy:

https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-win…

Agreed--disable SMB1 everywhere.

These should NOT have to be said:

• Keep your systems patched
• Keep your systems up-to-date with anti-virus / anti-malware solutions
• Back up your files to off-line / off-site storage solutions
• Retire obsolete operating systems like XP
• Do all these things in a timely fashion

It doesn't save money to avoid moving to newer operating systems when Microsoft (or others) declares your existing systems obsolete and/or unsupported.  It puts your system at risk of easy compromise and loss.

You can also passively identify XP clients by analyzing network traffic. This can be useful for tracking down systems with embedded operating systems. I often see things like hospital equipment running really old operating systems. I cover this off in the video below

Did you see the British Nuclear Missile Submarines run on Windows XP? bit worrying... some in the military say its the Windows XP / Nuclear Submarine edition, so its security hardened, but i'm not so sure about that at all.

The subject of this thread sounds good . . .

But isn't it too late if Wannacry is present?  I'd expect you'd know WannaCry was in your network by seeing this: