Eternal Blues – Worldwide Statistics

Finally, 2 weeks post launch, some worldwide statistics.

August 7, 2017 update: stats explained

But before you start, here are some useful tips:

  • Read FAQ below
  • Hover over data points to see extra detailed tooltips
  • Click data for dynamic filtering
  • CTRL+click for multi-select
  • Hit the full screen button below and enjoy ;)

Words out. Visualizations in.

Please share your feedback – your results, how it helped you – on Twitter or just as comments below. If you have more ideas for cool visualizations, just let me know. Need to ask something privately? You can email me or make contact through LinkedIn.

Some surprising facts (July 12, 2017)

  • More than 8 million IPs were scanned, with France taking the lead at 1.5 million
  • The top 3 vulnerable countries (out of ~130) had more than 30,000 vulnerable hosts altogether
  • The majority (53.82%) of hosts nowadays still have SMBv1 enabled
  • 1 out of 9 hosts in a network is vulnerable to EternalBlue
  • One network, with almost 10,000 hosts (not IPs), had 2 vulnerable hosts. How could anyone find that without Eternal Blues?

Conclusions

Unfortunately, exploitation of EternalBlue is still a very good method of invoking remote code execution. It is present on more than 50,000 hosts scanned by Eternal Blues (as of July 12, 2017). Yes, even after all the latest attacks by WannaCry and NotPetya. I’m here to remind you: sometimes it takes just 1 vulnerable machine to take you down.

Although numbers are quite high (remember, these are IPs scanned with my tool only), I feel like awareness did increase somewhat. Running Eternal Blues is, by definition, being aware of the problem. So good for you for taking responsibility and checking your network status. Now it’s patching time!

Recommendations

Please, don’t be mistaken – recent ransomware attacks are the ones that made all the buzz, since they actually tell you when they hit you. I believe there are many more EternalBlue-based attacks which remain off the radar and are still unknown to us (examples: data exfiltration, or even just using your computers to join a botnet). So not seeing something like this (below) does not mean you weren’t hit…

FAQ

  • Is ‘IP’ == ‘Host’?
  • No. An IP is an IP address; it may or may not be in use
  • Can someone hack your data and see my personal data?
  • First, everything is hackable. Second, there is no personal data to hack. In fact, I’ve just made it available online with the Power BI dashboard above, so, no need to hack, it’s all here! :D
    As for what’s being collected and why there is no privacy issue, read Privacy & Reporting
  • Are there any duplicates?
  • Yes. Since I don’t track users/hosts, I cannot know if a user scanned the same network twice
  • So, total results should be lower than mentioned?
  • Actually quite the opposite. There are several reasons that make me believe the total results number is actually higher:
    • Versions 0.0.0.1-0.0.0.4 included a detection issue (as mentioned here). So in order not to have even the slightest mistake in the statistics, I decided to exclude all collected results from these versions (meaning, scans of 1 million IPs were completely dismissed)
    • Some scans were run in more secure environments with no internet access, meaning no statistics reached me
    • Some users probably disabled access to my website in order not to send statistics
  • Can I use these visualizations in my website / presentations?
  • Sure. Letting me know how/where it helped you would be great
  • Are visualizations, or the data they’re based on, going to be updated?
  • Yes. At least twice a week

Eternal Blues – Versions & Reporting

Versions

  • 0.0.0.9 (latest) – July 25, 2017 – 886 KB
    Notes: Increased timeout (for slow networks); removed “Are you sure” button before exit
    SHA-256: 7f5f447fe870449a8245e7abc19b9f4071095e02813d5f42c622add56da15b8b
  • 0.0.0.8 – July 10, 2017 – 1.43 MB
    Notes: Added host name column for better analysis
    SHA-256: 21cc36e60e661613f0c05e73b9496bf2d456931686b0693112842d91d7e64e78
  • 0.0.0.7 – July 6, 2017 – 1.43 MB
    Notes: Some GUI fixes
    SHA-256: 7a08f7010402e2813830c77be1e992f6193f5c1ea97b76fbe706c2090ba66cb3
  • 0.0.0.6 – July 3, 2017 – 1.42 MB
    Notes: Some GUI fixes
    SHA-256: 1e6fc5078edd00a8ecedcbd2e2054a769610bfacce81b22f1285a7e14dbeacb0
  • 0.0.0.5 – July 2, 2017 – 1.42 MB
    Notes: Vulnerability detection fix
    SHA-256: 952feb69a311e0a7602b65b0e981364bc2f0d79bb7af79ea342234c28b6df099
  • 0.0.0.1-0.0.0.4 – June 29, 2017 – 1.42 MB
    Notes: First versions
    SHA-256: N/A

Privacy & Reporting

Anonymous statistics are being sent to omerez.com every time Eternal Blues starts a scan or when it is finished. Your privacy is a top concern of mine.

The information being collected is described below (each new version also collects everything the previous versions did):

  • 0.0.0.1-0.0.0.4
    • Eternal Blues version
    • Random ID
      • Generated with each new launch of the application. It is used for my own debugging – to see if a scan started but did not end (or ended with a different number of hosts). Launching twice on the same user/host will result in a different random number
    • # of scanned IPs
    • # of vulnerable IPs
  • 0.0.0.5
    • # of responsive IPs
  • 0.0.0.6 and later
    • # of IPs with SMBv1 enabled

Some other metadata is being appended by default with Google Analytics, like time of scan & country.

I don’t know about your IP, don’t care about it and frankly, quite glad not to know anything about it in order to completely eliminate any unnecessary privacy/legal issues.

What’s not being collected?

User names, host names, IP addresses, domain name. None of it is of any interest to me.
Two scans taken by the same user & computer cannot be correlated (the only common data is the fact that they share the same country)

Why collecting data at all?

Understanding what the world’s EternalBlue vulnerability (and SMBv1) posture really looks like is of great interest to me, and actually to many more in the cyber security ecosystem. I doubt anyone has good visibility into that. I’m not sure even Microsoft really knows what the average ratio of hosts with SMBv1 enabled in a standard network is.

Stats are coming soon.
July 10 teaser: More than 7 million IPs were scanned so far. PowerBI is coming…

Here they are ;)

Eternal Blues – Day 4 (important update)

It’s been quite a day. More than 2,000 scans in the past 24 hours and over 6,000 in total.

IMPORTANT UPDATE

My first priority for today was fixing the reported issues (I actually took a day off work). There were some scenarios of wrong detection – it mainly happened with Windows 2003, but it is likely to reproduce with other versions as well (the issue was reading 2 overridden bytes). I can’t know the exact likelihood of reproduction, but I roughly estimate it at a probability of 1%-3% – which means approximately 2-8 hosts out of the default 256-host scan. If only half of these IPs are in use, that’s 1-4 hosts with a chance of a result mismatch.

Therefore, for people who scanned with version 0.0.0.4 or earlier:
I encourage you to take another scan with the latest version. Thankfully, a few people made contact and reported these mismatches on day 2. They verified version 0.0.0.5 today and it reported 100% correct results.

How does this tool work?

I get a lot of questions on what’s the logic behind getting a “YES” (vulnerable) result for a host. People were wondering whether the check was just “pinging the host”, or “checking SMBv1 status”, or “finding shares”. The answer to all three is “no”.

Eternal Blues checks for the existence of the EternalBlue vulnerability by sending 4 crafted SMB messages. There are many references online for the technical stuff. I think the best executive summary I read was Rapid7’s:

“…it connects to the IPC$ tree and attempts a transaction on FID 0. If the status returned is “STATUS_INSUFF_SERVER_RESOURCES”, the machine does not have the MS17-010 patch.”

It also seems that a patched host (with MS17-010) will return STATUS_INVALID_HANDLE or STATUS_ACCESS_DENIED.

The 4 crafted SMB messages are:

  • SMB Negotiate Protocol
  • SMB Session Setup AndX Request
  • SMB Tree Connect (to IPC$)
  • SMB Peek Named Pipe

Getting STATUS_INSUFF_SERVER_RESOURCES as the SMB status of the response to the 4th message means the host is vulnerable.
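The decision rule above, as an added example that is not part of the original post and not the Eternal Blues tool’s own code: a parser for the SMB1 header of the reply to the 4th message (Peek Named Pipe, carried as an SMB Transaction), followed by the verdict logic the post describes. The header layout is taken from MS-CIFS and the NT status values from MS-ERREF; the sample replies are constructed inline for the demonstration, and the function names are assumptions of this example. Replies that do not match a known status are reported as inconclusive rather than guessed, which is the behaviour you want in a scanner whose results feed statistics.

```python
import struct

# NT status values (MS-ERREF) that the post's decision rule relies on.
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205
STATUS_INVALID_HANDLE = 0xC0000008
STATUS_ACCESS_DENIED = 0xC0000022

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_TRANSACTION = 0x25  # Peek Named Pipe is an SMB_COM_TRANSACTION subcommand


def parse_smb1_header(frame: bytes) -> dict:
    """Parse a NetBIOS-framed SMB1 message and return its header fields.

    Layout (MS-CIFS 2.2.3.1): a 4-byte NetBIOS session header (message type
    0x00 plus a 3-byte big-endian length), then the 32-byte SMB header:
    magic, command, NT status (LE32), flags, flags2, PIDHigh, 8-byte
    signature, 2 reserved bytes, TID, PID, UID, MID (all little-endian).
    """
    if len(frame) < 4:
        raise ValueError("truncated NetBIOS session header")
    if frame[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    nb_len = int.from_bytes(frame[1:4], "big")
    body = frame[4:4 + nb_len]
    if len(body) < 32:
        raise ValueError("truncated SMB header")
    if body[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 header")
    command, status, flags, flags2, pid_high = struct.unpack("<BIBHH", body[4:14])
    tid, pid, uid, mid = struct.unpack("<HHHH", body[24:32])
    return {"command": command, "status": status, "flags": flags,
            "flags2": flags2, "pid_high": pid_high,
            "tid": tid, "pid": pid, "uid": uid, "mid": mid}


def ms17_010_verdict(frame: bytes) -> str:
    """Apply the post's rule to the reply to the 4th message.

    STATUS_INSUFF_SERVER_RESOURCES -> unpatched (vulnerable);
    STATUS_INVALID_HANDLE / STATUS_ACCESS_DENIED -> patched;
    anything else (SMB2 reply, malformed frame, other status) -> inconclusive.
    """
    if len(frame) >= 8 and frame[4:8] == SMB2_MAGIC:
        return "inconclusive (host answered with SMB2, SMBv1 not negotiated)"
    try:
        hdr = parse_smb1_header(frame)
    except ValueError as exc:
        return f"inconclusive ({exc})"
    if hdr["command"] != SMB_COM_TRANSACTION:
        return "inconclusive (not a Transaction response)"
    if hdr["status"] == STATUS_INSUFF_SERVER_RESOURCES:
        return "vulnerable"
    if hdr["status"] in (STATUS_INVALID_HANDLE, STATUS_ACCESS_DENIED):
        return "patched"
    return f"inconclusive (status 0x{hdr['status']:08X})"


def build_smb1_response(command: int, status: int, tid: int = 0x0800,
                        uid: int = 0x0800, mid: int = 0x0040) -> bytes:
    """Construct a minimal SMB1 response frame (test data, not captured traffic)."""
    header = SMB1_MAGIC + struct.pack("<BIBHH", command, status, 0x98, 0xC807, 0)
    header += b"\x00" * 8 + b"\x00\x00"           # signature, reserved
    header += struct.pack("<HHHH", tid, 0xFEFF, uid, mid)
    body = header + b"\x00" + b"\x00\x00"         # WordCount=0, ByteCount=0
    return b"\x00" + len(body).to_bytes(3, "big") + body


# Constructed sample replies: one per outcome the post describes, plus edge cases.
SAMPLE_REPLIES = {
    "unpatched_host": build_smb1_response(SMB_COM_TRANSACTION, STATUS_INSUFF_SERVER_RESOURCES),
    "patched_host": build_smb1_response(SMB_COM_TRANSACTION, STATUS_INVALID_HANDLE),
    "patched_host_denied": build_smb1_response(SMB_COM_TRANSACTION, STATUS_ACCESS_DENIED),
    "smb2_only_host": b"\x00\x00\x00\x40" + SMB2_MAGIC + b"\x00" * 60,
    "truncated_reply": b"\x00\x00\x00\x05HELLO",
}


def classify_samples() -> dict:
    """Run the verdict over every constructed sample."""
    return {name: ms17_010_verdict(frame) for name, frame in SAMPLE_REPLIES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:22s} {verdict}")
```

The verdict function only ever returns "vulnerable" on an exact status match in a Transaction response, so a host that answers with SMB2, a truncated frame, or an unexpected status lands in the inconclusive bucket instead of inflating either count.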

What’s next?

  • Releases visibility (communicating new content for each version)
  • Some bug fixes (mainly UI, hopefully no more mismatches)
  • Taking some feature requests
  • Statistics. Prepare for some (super) Power BI

Eternal Blues – 72 hours update

It’s been three days since launch. The exposure “Eternal Blues” got is mind blowing – the first day was very quiet, but then I had over 5,000 visits in 2 days (way more than I imagined). Actually, this traffic peak is all thanks to Tal Be’ery, Mirko Zorz (Help Net Security, Twitter) and Bleeping Computer (Twitter) – without your help, I bet I would have had only 100 visitors this weekend. So one big THANK YOU to the three of you!

I got a few appreciation emails – people actually found vulnerable computers, which is fantastic. I also got a few people wondering about some false positives (work in progress – fixed!), asking for feature requests and suggesting improvements. This is all truly amazing, and also a lot to process in such a short time. All, please be patient, I’ll do my best answering you all and fixing wherever needed. Stay tuned.
I got a few appreciation emails – people actually found vulnerable computers, which is fantastic. I also got a few people wondering about some false positives (work in progress fixed!), asking for feature requests and suggesting improvements. This is all truly amazing. and also a lot to process in such a short time. All, please be patient, I’ll do my best answering you all and fixing wherever needed. Stay tuned.