SMB

There are 2,306,820 devices connected to the Internet at the moment that feature open ports for SMB services, the same protocol that was used to infect hundreds of thousands of computers with the WannaCry ransomworm a month ago.

Of these, 42%, or nearly 970,000, provide "guest" access, meaning anyone can access data shared via the SMB file-sharing protocol without needing to provide authentication.

The exploits used by WannaCry didn't necessarily need guest access, but only that the system be connected to the Internet. Providing guest access opens the machine to less complex exploits.

According to Shodan founder John Matherly, who compiled these numbers over the past few days, of these nearly one million SMB devices with guest access, 90% are running Samba, the open-source SMB file-sharing implementation for Linux that interoperates with Windows SMB services.

While ETERNALBLUE, an alleged NSA exploit that leaked online, can't target Linux, this doesn't mean these systems are safe. Samba itself is plagued by a vulnerability called SambaCry that affects all Samba installations released in the past seven years. This flaw has already been used to take over Linux servers with open SMB ports and install cryptocurrency miners.

Both Windows and Samba come with SMB guest access disabled by default, which means that device administrators are intentionally enabling this feature. Matherly points out that almost half of the devices that have Samba SMB guest access enabled are located on the network of Etisalat, a large ISP in the UAE.

Over 2.2 million devices running outdated SMBv1

Going back to the big picture, of the 2,306,820 devices running open SMB ports, 96% — or over 2.2 million devices — support SMBv1.

This first version of the SMB file-sharing protocol is over three decades old and known to be affected by many security bugs.

ETERNALBLUE, the exploit used by the WannaCry ransomworm to spread to new PCs, uses SMBv1.

Microsoft told Bleeping Computer two days ago it plans to disable SMBv1 for all new Windows clean installs, starting this fall.

The good news is that of these 2.3 million devices, only 91,081 have not applied the MS17-010 Microsoft security update, meaning they are still vulnerable to exploitation via ETERNALBLUE.
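The two exposures the scan counts, guest access and SMBv1 support, are both plain configuration choices on the Samba side. The following is an added example, not taken from the article or from Shodan: a weak Samba smb.conf beside a hardened one. The parameter names are real Samba options; the share path and the group name are placeholders.

```ini
# --- weak smb.conf (assumed shape of a host the scan would count) ---
[global]
   workgroup = WORKGROUP
   # NT1 is SMBv1, the dialect ETERNALBLUE targets
   server min protocol = NT1
   # unknown usernames are silently mapped to the guest account
   map to guest = Bad User
   # anonymous connections to IPC$ allowed
   restrict anonymous = 0

[public]
   # placeholder path
   path = /srv/share
   # anyone can read the share without authenticating
   guest ok = yes
   writable = yes

# --- hardened smb.conf ---
[global]
   workgroup = WORKGROUP
   # refuse to negotiate SMBv1 at all
   server min protocol = SMB2_02
   # failed logins are rejected instead of becoming guest sessions
   map to guest = Never
   # no anonymous IPC$ connections
   restrict anonymous = 2

[public]
   path = /srv/share
   guest ok = no
   # placeholder group; only its members may connect
   valid users = @smbusers
   writable = yes
```

Running `testparm -s` prints the effective values after defaults are applied, so a `map to guest` or `server min protocol` setting that weakens the defaults is visible before the host is exposed.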

During the WannaCry outbreak, the ransomware used ETERNALBLUE to get a foothold on machines running outdated SMB services and then installed the DOUBLEPULSAR backdoor, which was used to deliver the actual WannaCry crypto-ransomware.

Matherly says his scan detected only 16,206 DOUBLEPULSAR installations, down from the more than 100,000 seen on April 20, soon after The Shadow Brokers dumped the ETERNALBLUE and DOUBLEPULSAR tools online.

Overall, Matherly notes that people have installed MS17-010 after the WannaCry outbreak, but things could be better. An interactive Shodan report is available here.

[Figure: DoublePulsar timeline. DoublePulsar infections across time. Source: Shodan]