44CON 2019 has ended
Friday, September 13 • 15:00 - 15:59
Aaron Adams, Cedric Halbronn & James Fisher - EternalGlue - Rewriting NotPetya for corporate use


NCC Group had a large corporate client that was interested in how their production network would have been impacted had they been hit by the NotPetya worm. Cedric and Aaron ended up reverse engineering NotPetya and building a custom version with all of the ransomware/destructive capabilities pulled out, wrapped in new logic to limit how it spreads. Client-defined parameters dictated where it could propagate, and each infection transmitted telemetry back to a central server to give visibility into how and where it spread.
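The abstract describes two safety additions: client-defined parameters that gate where the simulated worm may propagate, and telemetry sent back to a central collector. The block below is an added illustration of what such a scope gate and telemetry record can look like; it is not NCC Group's EternalGlue code, and the parameter names (allowed networks, host denylist, kill-date, generation limit) and the JSON field names are assumptions made here. It implements no spreading mechanism at all: it only decides whether a candidate target is inside the agreed scope and records why.

```python
"""Scope-gating and telemetry helpers in the spirit of the controlled-propagation
logic the talk describes. Added example, not the talk's code; every parameter
and field name is an assumption. No propagation mechanism is implemented."""
import ipaddress
import json
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class PropagationPolicy:
    allowed_networks: tuple   # CIDR strings the simulated worm may ever touch
    denied_hosts: frozenset   # hostnames never to be touched, even inside scope
    kill_after: datetime      # hard stop: nothing propagates once this instant passes
    max_generation: int       # hop limit counted from the initial seed host

    def check(self, target_ip, hostname, generation, now):
        """Return (allowed, reason). Every denial carries an explicit reason so
        the telemetry explains *why* a host was skipped, not just that it was."""
        if now >= self.kill_after:
            return False, "kill-date reached"
        if generation > self.max_generation:
            return False, "max generation exceeded"
        if hostname.lower() in self.denied_hosts:
            return False, "host on denylist"
        try:
            ip = ipaddress.ip_address(target_ip)
        except ValueError:
            return False, "unparseable address"
        if not any(ip in ipaddress.ip_network(n) for n in self.allowed_networks):
            return False, "outside allowed networks"
        return True, "in scope"


def telemetry_record(source_host, target_ip, hostname, generation, allowed, reason, now):
    """Build one JSON line an infected host would send to the central collector.
    Field names are assumptions for this example."""
    return json.dumps({
        "ts": now.isoformat(),
        "source": source_host,
        "target_ip": target_ip,
        "target_host": hostname,
        "generation": generation,
        "allowed": allowed,
        "reason": reason,
    }, sort_keys=True)


def evaluate_targets(policy, source_host, candidates, generation, now):
    """Apply the policy to (ip, hostname) candidates discovered by one host at the
    given generation. Returns (in_scope_ips, telemetry_lines); hosts that fail the
    gate are logged but never returned as targets."""
    in_scope, lines = [], []
    for ip, host in candidates:
        allowed, reason = policy.check(ip, host, generation, now)
        lines.append(telemetry_record(source_host, ip, host, generation, allowed, reason, now))
        if allowed:
            in_scope.append(ip)
    return in_scope, lines


# Constructed sample policy and candidates (not taken from the talk).
SAMPLE_POLICY = PropagationPolicy(
    allowed_networks=("10.20.0.0/16", "10.21.5.0/24"),
    denied_hosts=frozenset({"dc01.corp.example", "backup01.corp.example"}),
    kill_after=datetime(2019, 9, 14, 0, 0, tzinfo=timezone.utc),
    max_generation=3,
)
SAMPLE_CANDIDATES = [
    ("10.20.3.7", "ws-0417.corp.example"),
    ("10.20.1.2", "DC01.corp.example"),     # in scope by address, but denylisted
    ("10.21.5.9", "ws-0902.corp.example"),
    ("10.22.0.4", "ws-1100.corp.example"),  # outside every allowed network
    ("not-an-ip", "weird"),                 # malformed discovery result
]
SAMPLE_NOW = datetime(2019, 9, 13, 15, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    ok, log = evaluate_targets(SAMPLE_POLICY, "seed01.corp.example",
                               SAMPLE_CANDIDATES, 1, SAMPLE_NOW)
    print("in scope:", ok)
    for line in log:
        print(line)
```

The ordering of the checks is deliberate: the kill-date and generation limit are evaluated before anything target-specific, so a misconfigured allowlist cannot keep the tool alive past the agreed window, and the denylist is consulted before the network check so a named critical host stays off-limits even when its address falls inside an allowed range.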

After the tool was delivered, the client went through a three-phase approach to make sure the simulated worm actually behaved as expected, with the final phase being a run inside their corporate production environment. This allowed them to observe how the real threat would have spread, confirmed some important mitigations already in place, and highlighted areas of their network they had not anticipated being affected.

Cedric and Aaron will discuss the work involved in reverse engineering NotPetya, the logic introduced to ensure safe and controlled propagation, some of the technical hurdles encountered, the basic AV bypassing required, and the lab environment used for testing. James will discuss his experience from the client's perspective and what was involved in convincing such a large organisation to get on board with running such a tool in a production environment.

This opens up a new phase of development and tooling opportunities for the defensive side of the industry. It allows real-world scenarios to be mimicked much more closely in a controlled fashion, and gives a different and arguably more realistic view of the effects of such real-world attacks than more traditional consulting approaches.


Aaron Adams

NCC Group
Aaron works in NCC Group’s Exploit Development Group. He has been doing reverse engineering / exploit development / code review for 15+ years. For some reason he is particularly fond of heaps.

Cedric Halbronn

NCC Group
Cedric (@saidelike) joined NCC Group in 2015 and has been doing reverse engineering / exploit development for 10+ years. His current interests are memory corruption bugs in the Windows kernel, HP iLO, mobile devices, embedded devices, etc.

James Fisher

For the last 6 years James has been responsible for defending a large global network against technically minded adversaries; prior to this he spent 11 years as a senior penetration tester, 6 of them as a CHECK team leader.

Friday September 13, 2019 15:00 - 15:59 BST
* Track 1 *