Vaccinating All Your Network Machines Against NotPetya

As we and everyone else predicted, a variant of the WannaCry/WannaCrypt has been released into the wild: NotPetya (early virus scans marked it as last year’s Petya, but it’s not).


We’ve been keeping a close eye on this throughout the day, and have come up with a package that could possibly prevent NotPetya infection. No, this isn’t a guarantee, and while it’s been confirmed by reliable sources (Amit Serper, Hacker Fantastic, Reddit’s /r/netsec), that doesn’t really mean it’s a sure thing, magic bullet, safe unicorn.

From what we’ve been able to gather from the sources above, the NotPetya ransomware looks for a file called perfc in the C:\Windows directory using a wildcard, perfc.* when installing itself. Note: you can create a perfc.dll, perfc.dat, and perfc.bin, etc. if you want to be super thorough, but no evidence suggests this provides any added benefit.

Warning:
We have not tested this proposed immunization or tested the veracity of any of the statements or claims made by any of the agents above or any other source. Use this at your own risk, as the instructions here are provided as-is.

Important:

  1. Even with machines that are fully patched, one compromised machine can infect all machines. NotPetya can spread via WMI and PsExec (which it installs) rather than through SMBv1. Speaking of…
  2. It’s also important to note that EternalBlue (WannaCrypt) is only one attack vector closed by MS17-010. NotPetya uses several attack vectors (WMI, PsExec), most of which have no patch at the time of this blog. Again, one infected machine can infect all your perfectly patched machines.
  3. One other important note, mostly theory/rumor at this point: when NotPetya runs PsExec it does so using the -c switch to install/run in ADMIN$, since that share almost always exists on remote systems.

Now, to potentially immunize your systems against NotPetya, here’s a handy package you can make using PDQ Deploy.

NotPetya Mitigation Package

  1. Open PDQ Deploy, select New Package and name the package something meaningful.
  2. Create a New Step > Command.
  3. In the Command step, add the following to the Command field*:
    copy /B NUL C:\windows\perfc & attrib +R c:\windows\perfc
    copy /B NUL C:\windows\perfc.dll & attrib +R c:\windows\perfc.dll
    copy /B NUL C:\windows\perfc.dat & attrib +R c:\windows\perfc.dat
  4. You should end up with a Command step that looks like this:
  5. Save the package and test.
  6. Deploy the package to all machines that could potentially be infected.

*There has been some speculation that perfc needs an extension and must be set to read-only. Neither of these seems to be required, but since it doesn’t hurt, why not?
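As an added example (not from the original post or from PDQ), here is a PowerShell equivalent of the command step above that creates the same three zero-byte perfc files, sets them read-only, and then verifies the result by inspecting the files rather than trusting the copy's exit code. It assumes it runs on the target machine under an elevated account, which is what writing to C:\Windows requires.

```powershell
# Added example: idempotent vaccine step matching the post's command step.
$names = @('perfc', 'perfc.dll', 'perfc.dat')   # same three names as the command step
$dir   = $env:SystemRoot                         # normally C:\Windows

# Writing to C:\Windows needs an elevated token; "Access is denied" from the copy
# usually means the step ran under a non-admin account.
$isAdmin = ([Security.Principal.WindowsPrincipal] `
    [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { Write-Warning "Not running elevated; file creation in $dir will likely fail." }

$results = foreach ($n in $names) {
    $path = Join-Path $dir $n
    try {
        if (-not (Test-Path -LiteralPath $path)) {
            # Equivalent of: copy /B NUL C:\Windows\perfc   (creates a zero-byte file)
            New-Item -ItemType File -Path $path -ErrorAction Stop | Out-Null
        }
        # Equivalent of: attrib +R   (read-only, per the post's footnote)
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true -ErrorAction Stop
    } catch {
        Write-Warning "$path : $($_.Exception.Message)"
    }
    # Verify by looking at the file itself, not at the command's exit code
    $f = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path     = $path
        Exists   = [bool]$f
        ReadOnly = if ($f) { $f.IsReadOnly } else { $false }
        Bytes    = if ($f) { $f.Length } else { $null }
    }
}
$results | Format-Table -AutoSize

# Exit non-zero so a deployment step is reported as failed when any file is missing
if ($results.Exists -contains $false) { exit 1 }
```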

And that’s it.

Watch this video to see the process in action

7 responses

  • I’ve also read that the file should be read only. I’ve added a step to the PDQ Deploy package to run the command “attrib +R c:\windows\perfc” to set the file as being read only.

  • I get the following output log from the deployment:

    C:\Windows\AdminArsenal\PDQDeployRunner\service-1\exec>copy /B NUL C:\windows\perfc & attrib +R c:\windows\perfc
    Access is denied.
    0 file(s) copied.

    C:\Windows\AdminArsenal\PDQDeployRunner\service-1\exec>copy /B NUL C:\windows\perfc.dll & attrib +R c:\windows\perfc.dll
    Access is denied.
    0 file(s) copied.

    C:\Windows\AdminArsenal\PDQDeployRunner\service-1\exec>copy /B NUL C:\windows\perfc.dat & attrib +R c:\windows\perfc.dat
    Access is denied.
    0 file(s) copied.

    However, the files are present on the client machines. I guess it’s a false positive?!

    • If those files are present despite the error, they copied regardless of the error (magic). It might be the Console User credentials don’t have the required permissions, but the Background Service credentials do have the required permissions. It’s hard to diagnose without knowing more about the setup of PDQ Deploy. If it continues with other packages or you notice some inconsistencies, definitely create a support ticket so we can get some additional information.

  • I’m trying to create a dynamic collection in PDQ Inventory to find computers that do not have the perfc file, but somehow it fails. Could you help create this collection?

    • There are two steps to this, Adam.

      First, you will need to set up a scan profile to scan for the perfc file on your target machines (Preferences > Scan Profiles). Create a Files scanner and use the following in the “Include pattern(s)”: C:\Windows\perfc*.

      Next, scan all the targets from which you want the perfc information. You should see the list of perfc files in the Computer Windows > Files.

      Finally, create your collection(s):

      This will show machines that have the perfc files:
      All
      File | Name | Matches Pattern | perfc*

      To show machines that do not have the perfc files:
      Not All
      File | Name | Matches Pattern | perfc*
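As an added example (not part of the reply above or of PDQ Inventory), the following PowerShell audit produces the same two groups as the collections described: computers that have a C:\Windows\perfc* file and computers that do not. It assumes the C$ admin share on each target is reachable with the current credentials; the computer names are constructed placeholders.

```powershell
# Added example: audit which machines have the perfc vaccine files over the admin share.
$computers = @('WS-001', 'WS-002', 'SRV-FILE01')   # constructed placeholder names

$report = foreach ($c in $computers) {
    $share = "\\$c\C`$\Windows"
    if (-not (Test-Path -LiteralPath $share)) {
        # Report unreachable hosts separately so they are not mistaken for "vaccinated"
        [pscustomobject]@{ Computer = $c; Status = 'Unreachable'; Files = $null }
        continue
    }
    # Same pattern as the collection filter: perfc* (covers perfc, perfc.dll, perfc.dat)
    $files = Get-ChildItem -LiteralPath $share -Filter 'perfc*' -File -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer = $c
        Status   = if ($files) { 'Present' } else { 'Missing' }
        Files    = ($files | ForEach-Object { "$($_.Name) (ReadOnly=$($_.IsReadOnly))" }) -join ', '
    }
}

# "All / Matches Pattern perfc*"     -> Present
# "Not All / Matches Pattern perfc*" -> Missing (candidates for the mitigation package)
$report | Sort-Object Status | Format-Table -AutoSize
$report | Where-Object Status -eq 'Missing' | Select-Object -ExpandProperty Computer |
    Set-Content -Path (Join-Path $env:TEMP 'perfc-missing.txt')
```

The text file written at the end can be fed back into PDQ Deploy as the target list for the mitigation package.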
