Abstract: Malware attacks pose a critical threat to digital infrastructures, particularly given their potential for widespread and fast propagation. Mitigating them involves limiting their expansion, which requires a thorough understanding of their propagation mechanisms. However, few studies have been conducted on their propagation behaviors in large-scale networks. In this paper, we present the results of an empirical study focusing on the propagation strategy of WannaCry and NotPetya, two malware instances leveraging EternalBlue, an exploit developed by the NSA and stolen by The Shadow Brokers hacker group, which has been used to implement rapid spreading in some malware instances. Our experiments qualify the speed of infection, epidemic behavior, and spreading strategies in a local network of 50 VMs. We have especially measured for WannaCry that (1) nearly 20% of infections are processed in less than 50 seconds, and (2) up to 16 hosts are infected in a 100-second period. Our results provide meaningful insights on malware propagation to support the design of effective countermeasures.