Latest Update on "Shadow Brokers" Tools Release and Trend Micro Protection

Updated: 23 May 2017
Product/Version: Vulnerability Protection All.All
Platform:
    • Windows 2003 Server R2
    • Windows 2008 Enterprise 64-bit
    • Windows 2008 Server R2
    • Windows 2008 Server R2 Enterprise
    • Windows 2012 Server Essential R2
    • Windows 2012 Standard R2
    • Windows 7 32-Bit
    • Windows 7 64-Bit
    • Windows 8 32-Bit
    • Windows 8 64-Bit
    • Windows 8.1 32-Bit
    • Windows 8.1 64-Bit
    • Windows Vista 32-bit
    • Windows Vista 64-bit
    • Windows XP Professional
    • Windows XP Professional 64-bit
    • Windows XP SP2 32-bit
    • Windows XP SP3 32-bit
Summary
Updated: May 23 @ 8:30PM GMT

Trend Micro is aware of and has been closely monitoring the latest reports and information surrounding the large cache of tools released by a group known as "Shadow Brokers" that are said to exploit flaws in several versions of Microsoft products and platforms.   
Details

Technical Information

Microsoft has released a technical blog outlining the known information around the exploits that were made publicly available by Shadow Brokers:

https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/

According to the article, most of the exploits that were made publicly available have already been patched in Microsoft's currently supported platforms for customers that have applied the most recent security patches. 

In addition, Microsoft reports that their security team has not been able to successfully reproduce the three (3) remaining exploits on their currently supported platforms - specifically called out as Windows 7 and above, as well as Exchange 2010 and above.

Please note that in light of the recent WannaCry (WCRY) ransomware attack, Microsoft has released limited MS17-010 patches for some older operating systems (e.g. XP) that have already officially reached End-of-support (EOS) status. Please visit this page for more information on obtaining the necessary patches.

Trend Micro has also released a blog with more background information: Shadow Brokers Leaks Hacking Tools: What it Means for Enterprises.

Trend Micro Products and Protection

Since these are specific exploits to Microsoft products and platforms, customers are always strongly advised to have current and officially supported versions of Microsoft products and platforms deployed with the latest security patches installed. 

However, we recognize that many enterprise and business customers have legacy platforms still in production for various reasons.  Fortunately, Trend Micro already has some solutions available that provide some level of protection.

The table below lists available solutions for the following products:

  • Trend Micro Deep Security and Trend Micro Vulnerability Protection (formerly the IDF plug-in for OfficeScan) customers with the latest rules have an updated layer of protection. 
  • Trend Micro TippingPoint customers with the following filters have updated protection.
| Exploit | MS Bulletin | TippingPoint Filter(s) | Deep Security & Vulnerability Protection IPS Rule(s) |
|---|---|---|---|
| "EternalBlue" | MS17-010 | 27433, 27711, 27928 | 1008225 - Windows SMB RCE Vulnerability (CVE-2017-0145); 1008306 - Windows SMB RCE Vulnerability (MS17-010); 1008327 - Identified Server Suspicious SMB Session; 1008328 - Identified Client Suspicious SMB Session |
| "EmeraldThread" | MS10-061 | 10458, 27939 | 1004401 - Print Spooler Service Impersonation Vulnerability |
| "EternalChampion" | MS17-010 | 27433, 27711, 27929 | 1008224 - Windows SMB RCE Vulnerabilities (CVE-2017-0144 & CVE-2017-0146); 1008227 - Windows SMB RCE Vulnerability (CVE-2017-0147) |
| "ErraticGopher" | Prior to Vista | 27932 | 1008305 - Windows SMBv1 RCE Vulnerability |
| "EskimoRoll" | MS14-068 | 27940 | 1006397 - Windows Kerberos Checksum Vulnerability |
| "EternalRomance" | MS17-010 | | 1008227 - Windows SMB RCE Vulnerability (CVE-2017-0147); 1008306 - Windows SMB RCE Vulnerability (MS17-010) |
| "EducatedScholar" | MS09-050 | 8465 | 1003671 - SMBv2 Infinite Loop Vulnerability; 1003712 - Windows Vista SMB 2.0 Negotiate Protocol Request RCE |
| "EternalSynergy" | MS17-010 | 27937 | 1008227 - Windows SMB RCE Vulnerability (CVE-2017-0147) |
| "EclipsedWing" | MS08-067 | 6515 | 1003292 - Block Conficker.B++ Worm Incoming Named Pipe Connection; 1003293 - Block Conficker.B++ Worm Outgoing Named Pipe Connection; 1003080 - Server Service Vulnerability (srvsvc); 1002975 - Server Service Vulnerability (wkssvc) |
| "EnglishmanDentist"* | | Under Investigation | Under Investigation |
| Emphasismine-3.4.0.exe | | | 1008307 - Windows RDP RCE Vulnerability |
| Esteemaudit-2.1.0.exe | | 27933 | 1008307 - Windows RDP RCE Vulnerability |
| Ewokfrenzy | | 4033 | 1000977 - IBM Lotus Domino IMAP Server CRAM-MD5 Authentication Buffer Overflow |
| Explodingcan-2.0.2.exe | | 27643 | 1008266 - IIS WebDAV ScStoragePathFromUrl Buffer Overflow Vulnerability |
| ECWI.exe | | | 1003080 - Server Service Vulnerability (srvsvc) |
| ELV.EXE | MS06-040 | 9317 | 1000735 - Windows Server Service RCE |
| EarlyShovel | | 27938 | 100368 - Sendmail SMTP Header and Command Buffer Overflow |
| EbbisLand | | 621, 622, 3512, 3791 | 1008314 - Oracle Solaris RCE Vulnerability (CVE-2017-3623) |
| EchoWrecker | | 1676 | 1004160 - Samba Multiple DOS Vulnerability |
| EVFR | | 1612 | 1008312 - IIS WebDAV RCE Vulnerability |
| DoublePulsar (Payload) | | 27935 | 1008327 - Identified Server Suspicious SMB Session; 1008328 - Identified Client Suspicious SMB Session |

 * Microsoft has stated that these vulnerabilities cannot be reproduced on currently supported platforms, so the status of a Microsoft patch for older operating systems is uncertain at this time.


The next table addresses the following product:

  • Trend Micro Deep Discovery Inspector customers with the latest rules have protection against specific exploits listed below. 
| Exploit | Deep Discovery Inspector Rule |
|---|---|
| Eclipsedwing-1.5.2.exe | DDI Rule ID 0: OPS_MS08-067_Server_Service_Path_Canonicalization_Exploit |
| Educatedscholar-1.0.0.exe | DDI Rule ID 0: MS09-050_SMB2_DENIAL_OF_SERVICE and OCS_CVE-2009 |
| Explodingcan-2.0.2.exe | DDI Rule ID 2357: CVE-2017-7269 - WebDAV Buffer Overflow - HTTP (Request) |
| Eskimoroll-1.1.1.exe | DDI Rule ID 1791: Possible MS14-068_KERBEROS Checksum Vulnerability |
| Emphasismine-3.4.0.exe | DDI Rule ID 2378: EXAMINE Buffer Overflow - IMAP4 (Response) |
| Ewokfrenzy-2.0.0.exe | DDI Rule ID 2379: CRAM-MD5 Authentication Buffer Overflow - IMAP4 (Response) |
| Esteemaudit-2.1.0.exe | DDI Rule ID 2377: RDP RCE Vulnerability |
| Emeraldthread-3.0.0.exe | DDI Rule ID 0: MS10-061 - Print Spooler Service Impersonation Exploit |
| Eternalromance-1.3.0.exe | DDI Rule ID 2380: CVE-2017-0147 - Information Disclosure Exploit - SMB (Request) |
| Eternalromance-1.4.0.exe | DDI Rule ID 2382: CVE-2017-0145 - RCE - SMB (Request) |
| Eternalsynergy-1.0.1.exe | DDI Rule ID 2380: CVE-2017-0147 - Information Disclosure Exploit - SMB (Request) |
| Eternalchampion-2.0.0.exe | DDI Rule ID 2380: CVE-2017-0147 - Information Disclosure Exploit - SMB (Request) |
| Eternalblue-2.2.0.exe | DDI Rule ID 2383: CVE-2017-0144 - RCE - SMB (Request) |
| Erraticgopher-1.0.1.exe | DDI Rule ID 2384: Possible EQUATED - RCE - SMB (Request) |
| Easybee-1.0.1.exe | DDI Rule ID 2389: EASYBEE - Email Server Exploit - HTTP (Request) |


Please note that Trend Micro is still investigating the recently released information for other exploits and will provide updates if/as necessary.

Trend Micro always highly recommends that vendor critical patches are applied as soon as possible upon release. Customers and partners who may need some additional information or have questions are encouraged to contact their authorized Trend Micro technical support representative for further assistance.

Category: Update
Solution Id: 1117192