The Windows firewall is the overlooked defense against WannaCry and Adylkuzz

windows.firewall.3x2
Credit: Michael Horowitz

Despite all the attention currently focused on Windows computers being infected with WannaCry ransomware, a defensive strategy has been overlooked. This being a Defensive Computing blog, I feel the need to point it out.

The story being told everywhere else is simplistic and incomplete. Basically, the story is that Windows computers without the appropriate bug fix are getting infected over the network by WannaCry ransomware and the Adylkuzz cryptocurrency miner. 

We are accustomed to this story. Bugs in software need patches. WannaCry exploits a bug in Windows, so we need to install the patch. For a couple days, I too, ascribed to this knee-jerk theme. But there is a gap in this simplistic take on the issue. Let me explain. 

The bug has to do with input data being processed incorrectly. 

Specifically, if a Windows computer, that supports version 1 of the Server Message Block (SMB) file sharing protocol, is listening on the network, bad guys can send it specially crafted malicious data packets that an un-patched copy of Windows does not handle correctly. This mistake allows bad guys to run a program of their choosing on the computer. 

As security flaws go, this is as bad as it gets. If one computer in an organization gets infected, the malware can propagate itself to vulnerable computers on the same network.

There are three versions of the SMB file sharing protocol, numbered 1, 2 and 3. The bug only comes into play with version 1. Version 2 was introduced with Vista, Windows XP only supports version 1. Judging by assorted articles from Microsoft urging customers to disable version 1 of SMB, it is probably enabled by default on current versions of Windows.

Overlooked is that every Windows computer that uses version 1 of the SMB protocol does not have to accept unsolicited incoming packets of data. 

And those that don't, are safe from network based infection. Not only are they protected from WannaCry and Adylkuzz, but also from any other malicious software looking to exploit the same flaw.

If unsolicited incoming SMB v1 data packets are not processed, the Windows computer is safe from network based attack - patch or no patch. The patch is a good thing, but it's not the only defense.

To make an analogy, consider a castle. The bug is that the wooden front door of the castle is weak and easily broken down with a battering ram. The patch hardens the front door. But, this ignores the moat outside the castle walls. If the moat is drained, the weak front door is indeed a big problem. But, if the moat is filled with water and alligators, then the enemy can't get to the front door in the first place.

The Windows firewall is the moat. All we need to do is block TCP port 445.  Like Rodney Dangerfield, the Windows firewall gets no respect.

GOING AGAINST THE GRAIN

It is quite disappointing that no one else has suggested the Windows firewall as a defensive tactic.

That the mainstream media gets things wrong when it comes to computers is old news. I blogged about this back in March (Computers in the news -- how much can we trust what we read?).

When much of the advice offered by the New York Times, in How to Protect Yourself From Ransomware Attacks, comes from a marketing person for a VPN company it fits a pattern. Many computer articles in the Times are written by someone without a technical background. The advice in that article could have been written in the 1990s: update software, install an antivirus program, be wary of suspicious emails and pop-ups, yada yada yada. 

But even technical sources covering WannaCry, said nothing about the Windows firewall. 

For example, the National Cyber Security Centre in England offered standard boiler plate advice: install the patch, run antivirus software and make file backups.

Ars Technica focused on the patch, the whole patch and nothing but the patch. 

A ZDNet article devoted solely to defense said to install the patch, update Windows Defender and turn off SMB version 1.

Steve Gibson devoted the May 16th episode of his Security Now podcast to WannaCry and never mentioned a firewall. 

Kaspersky suggested using their antivirus software (of course), installing the patch and making file backups. 

Even Microsoft neglected their own firewall.

Phillip Misner's Customer Guidance for WannaCrypt attacks says nothing about a firewall. A few day later, Anshuman Mansingh's Security Guidance – WannaCrypt Ransomware (and Adylkuzz) suggested installing the patch, running Windows Defender and blocking SMB version 1. 

TESTING WINDOWS XP

Since I seem to be the only person to suggest a firewall defense, it occurred to me that perhaps blocking the SMB file sharing ports interferes with sharing files. So, I ran a test.

The most vulnerable computers run Windows XP. Version 1 of the SMB protocol is all XP knows. Vista and later versions of Windows can do file sharing with version 2 and/or version 3 of the protocol.

By all accounts, WannaCry spreads using TCP port 445.

A port is somewhat analogous to an apartment in an apartment building. The address of the building corresponds an IP address. Communication on the Internet between computers may appear to be between IP addresses/buildings, but it is actually between apartments/ports. 

Some specific apartments/ports are used for dedicated purposes. This website, because it's not secure, lives at apartment/port 80. Secure websites live at apartment/port 443. 

Some articles also mentioned that ports 137 and 139 play a part in Windows file and printer sharing. Rather than pick and chose ports, I tested under the harshest conditions: all ports were blocked.

To be clear, firewalls can block data traveling in either direction. As a rule, the firewall on a computer, and in a router, only blocks unsolicited incoming data. To anyone interested in Defensive Computing, blocking unsolicited incoming packets is standard operating procedure. 

The default configuration, which can be modified of course, is to allow everything outbound. My test XP machine was doing just that. The firewall was blocking all unsolicited incoming data packets (in XP lingo, it was not allowing any exceptions) and allowing anything that wanted to leave the machine to do so.

The XP machine shared a network with a Network Attached Storage (NAS) device that was doing its normal job, sharing files and folders on the LAN.

I verified that cranking up the firewall to its most defensive setting did not hinder file sharing. The XP machine was able to read and write files on the NAS drive.  

The patch from Microsoft lets Windows safely expose port 445 to unsolicited input. But, for many, if not most Windows machines, there is no need to expose port 445 at all.

I am no expert on Windows file sharing, but it is likely that the only Windows machines that need the WannaCry/WannaCrypt patch are those functioning as file servers. 

Windows XP machines that don't do file sharing, can further be protected by disabling that feature in the operating system. Specifically, disable four services: Computer Browser, TCP/IP NetBIOS Helper, Server and Workstation. To do so, go to the Control Panel, then Administrative Tools, then Services while logged on as an Administrator.

And, if that's still not enough protection, get the properties of the network connection and turn off the check-boxes for "File and Printer Sharing for Microsoft Networks" and "Client for Microsoft Networks."

CONFIRMATION

A pessimist might argue that without access to the malware itself, I can't be 100% sure that blocking port 445 is a sufficient defense. But, while writing this article, there was third party confirmation. Security company Proofpoint, discovered other malware, Adylkuzz, with an interesting side effect.

we discovered another very large-scale attack using both EternalBlue and DoublePulsar to install the cryptocurrency miner Adylkuzz. Initial statistics suggest that this attack may be larger in scale than WannaCry: because this attack shuts down SMB networking to prevent further infections with other malware (including the WannaCry worm) via that same vulnerability, it may have in fact limited the spread of last week’s WannaCry infection.

In other words, Adylkuzz closed TCP port 445 after it infected a Windows computer, and this blocked the computer from being infected by WannaCry.

Mashable covered this, writing "Since Adylkuzz only attacks older, unpatched versions of Windows, all you need to do is install the latest security updates." The familiar theme, yet again. 

Finally, to put this in perspective, LAN based infection may have been the most common way machines were infected by WannaCry and Adylkuzz, but it is not the only way. Defending the network with a firewall, does nothing against other types of attacks, such as malicious email messages.

FEEDBACK
Get in touch with me privately by email at my full name at Gmail or publicly on twitter at @defensivecomput.

Computerworld's IT Salary Survey 2017 results
Shop Tech Products at Amazon