The Server Message Block protocol, commonly referred to as SMB, is a file-sharing protocol found primarily on Windows systems. Unix-based implementations exist (Samba being the best known), although they are encountered less often. Beyond file sharing, SMB also carries printer sharing and named-pipe inter-process communication, which is why so much Windows management traffic rides on it. Microsoft describes SMB as operating at the Application or Presentation layer of the OSI model. (Microsoft, 2018) SMB runs on TCP port 445 (direct-hosted SMB) and, in its older NetBIOS-over-TCP form, on port 139. While it has many legitimate uses, SMB is also a favourite target for attackers. According to the CVE database at cve.mitre.org, at the time of writing there were 435 CVE entries related to the SMB protocol. Because SMB is reachable on nearly every Windows host, and because SMBv1 in particular has a long history of remotely exploitable flaws, it is heavily used by malware to propagate across a network. Pieter Arntz of Malwarebytes Labs states, “Some of the most devastating ransomware and Trojan malware variants depend on vulnerabilities in the Windows Server Message Block (SMB) to propagate through an organization’s network.” (Arntz, 2018)
TrickBot is a polymorphic banking trojan that evades antivirus solutions while propagating across a network. Researchers at the MS-ISAC report that TrickBot has been observed propagating via EternalRomance (CVE-2017-0145), one of the SMBv1 vulnerabilities fixed by Microsoft's MS17-010 update in March 2017. Additionally, TrickBot carries other worming modules that abuse the SMB and LDAP protocols to spread the infection. (MS-ISAC, 2019) Researchers at Trend Micro report observing TrickBot moving laterally by exploiting EternalBlue (CVE-2017-0144), another SMBv1 vulnerability from the same MS17-010 set. (Tancio, Maglaque, Enalbes, & Yaneza, 2019) TrickBot is not the only malware variant that abuses SMB. The notorious WannaCry ransomware spread with EternalBlue, and EternalRomance and other SMB vulnerabilities have been used by NotPetya, BadRabbit, and many other malware strains. (Arntz, 2018)
So one of the most prolific banking trojans of recent years, along with the ransomware families named above, consistently chose SMB as its propagation channel. If your hosts accept inbound SMB connections from their peers, they are exposed to exactly this class of malware. Blocking host-to-host (workstation-to-workstation) SMB is therefore a valuable additional control, in conjunction with applying MS17-010 and disabling SMBv1, for containing the spread of malware. It can be done by preventing inbound connections to the SMB ports (TCP 139 and 445) on hosts that do not need to serve files, while still allowing the few file servers and management hosts that legitimately need access.
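Here is what that control looks like on a single Windows host, as an added example (not code from the original post or from any of the cited sources). It is PowerShell for Windows 10 / Server 2016 or later, run as an administrator, and uses the built-in NetSecurity and SmbShare modules. The subnet and host addresses are hypothetical placeholders; substitute your own workstation VLANs and the management or deployment servers that genuinely need to reach workstations over SMB.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): harden a Windows 10 / Server 2016+ host so that
# peer workstations cannot reach it over SMB, while a small set of management hosts still can.
# Assumes the built-in NetSecurity and SmbShare modules. All addresses below are placeholders.

$SmbPorts    = @('139', '445')                        # NetBIOS session service and direct-hosted SMB
$PeerSubnets = @('10.10.0.0/16', '10.11.0.0/16')      # hypothetical workstation VLANs (peers that should never talk SMB to each other)
$MgmtHosts   = @('10.0.0.10', '10.0.0.11')            # hypothetical admin/deployment servers that need inbound SMB

# 0. Snapshot who is currently connected over SMB, so the rules below do not break a real dependency.
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, NumOpens

# 1. Disable SMBv1. EternalBlue and EternalRomance are SMBv1 bugs; SMBv2/3 clients are unaffected.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null

# 2. Disable the built-in allow rules that open 139/445 to everyone ("File and Printer Sharing").
#    With these off, the firewall's default inbound deny already closes the ports.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 3. Allow inbound SMB only from the management hosts, and only on the domain profile.
New-NetFirewallRule -DisplayName 'SMB-In: management hosts only' -Direction Inbound `
    -Protocol TCP -LocalPort $SmbPorts -RemoteAddress $MgmtHosts -Action Allow -Profile Domain | Out-Null

# 4. Explicitly block inbound SMB from the workstation subnets (defence in depth against a
#    later GPO or installer re-enabling the allow rules). Block rules take precedence over
#    allow rules, so the block is scoped with -RemoteAddress; a block from 'Any' would also
#    cut off the management hosts allowed in step 3.
New-NetFirewallRule -DisplayName 'SMB-In: block peer workstations' -Direction Inbound `
    -Protocol TCP -LocalPort $SmbPorts -RemoteAddress $PeerSubnets -Action Block -Profile Any | Out-Null

# 5. Verify the result on this host.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Get-NetFirewallRule -DisplayName 'SMB-In:*' | Select-Object DisplayName, Enabled, Action, Profile
```

To confirm the block from the network side, run `Test-NetConnection -ComputerName <host> -Port 445` from another workstation in one of the peer subnets; `TcpTestSucceeded` should come back `False`, while the same test from a management host should succeed. On Windows Server 2012 R2 the SMBv1 removal is `Remove-WindowsFeature FS-SMB1` instead of the optional-feature cmdlet. None of this replaces applying MS17-010: the firewall rules limit how far an exploit can travel, the patch removes the exploit. For a fleet, push the same rules through Group Policy rather than running the script host by host.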
References
Arntz, P. (2018, December 14). How threat actors are using SMB vulnerabilities. Retrieved from malwarebytes.com: https://blog.malwarebytes.com/101/2018/12/how-threat-actors-are-using-smb-vulnerabilities/
Microsoft. (2018, May 30). Microsoft SMB Protocol and CIFS Protocol Overview. Retrieved from microsoft.com: https://docs.microsoft.com/en-us/windows/win32/fileio/microsoft-smb-protocol-and-cifs-protocol-overview
MS-ISAC. (2019). Security Primer – TrickBot. Retrieved from cisecurity.org: https://www.cisecurity.org/white-papers/security-primer-trickbot/
Tancio, B., Maglaque, R., Enalbes, C., & Yaneza, J. (2019, March 14). Examining Ryuk Ransomware Through the Lens of Managed Detection and Response. Retrieved from trendmicro.com: https://www.trendmicro.com/vinfo/tw/security/news/cybercrime-and-digital-threats/examining-ryuk-ransomware-through-the-lens-of-managed-detection-and-response
-Brian