Deakin University

File(s) under permanent embargo

Working Mechanism of Eternalblue and Its Application in Ransomworm

conference contribution
posted on 2023-02-07, 01:48 authored by Z Liu, C Chen, LY Zhang, Shang Gao
After the leaking of the exploit Eternalblue, some ransomworms utilizing this exploit have been developed to sweep over the world in recent years. Ransomworm is a growing global threat, as it blocks users’ access to their files unless a ransom is paid by victims. Wannacry and Notpetya are two of those ransomworms, which are responsible for the loss of millions of dollars, from crippling U.K. national systems to shutting down a Honda Motor Company in Japan. Many dynamic analytic papers on Wannacry were published; however, static analytic papers about Wannacry were limited. Our aim is to present readers a systematic knowledge about the exploit Eternalblue, from a high-level semantic view to the code details. Specifically, the working mechanism of Eternalblue, the reverse engineering analysis of Eternalblue in Wannacry, and the comparison with Metasploit’s Eternalblue exploit are presented. The key finding of our analysis is that the code remains almost the same when Eternalblue is transplanted into Wannacry, which indicates its potential for signatures and thus detection.

History

Volume

13547 LNCS

Pagination

178-191

Location

Xian, PEOPLES R CHINA

Start date

2022-10-16

End date

2022-10-18

ISSN

0302-9743

eISSN

1611-3349

ISBN-13

9783031180668

Language

English

Editor/Contributor(s)

Susilo W

Title of proceedings

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Event

14th International Symposium on Cyberspace Safety and Security (CSS)

Publisher

SPRINGER INTERNATIONAL PUBLISHING AG

Series

Lecture Notes in Computer Science