SMB, or Server Message Block, is a widely used network protocol. Barry Feigenbaum designed it at IBM in the 1980s. Its main purpose is to provide shared access to files, printers and serial ports between nodes on a network; it can also carry transaction protocols for inter-process communication.
SMB is used mainly on Windows computers. The Windows services that implement the server and client components are LAN Manager Server and LAN Manager Workstation respectively.
Let’s look at SMB version 1 in more detail.
History Of SMB1
Server Message Block (SMB) was originally designed by IBM and was adopted by Microsoft in its LAN Manager product in the mid-1990s. The aim of SMB was to turn DOS INT 21h local file access into a networked file system. SMB 1.0 was later renamed the Common Internet File System (CIFS). In plain terms, this was the beginning of networked file sharing, where the local file system was first made available over a network.
Early implementations of SMB 1.0 had many issues, which limited SMB to handling small files for end users. The protocol was also chatty, so performance over distance was poor. Microsoft revised the protocol and merged it into the LAN Manager product, which it had started developing for OS/2 with 3Com around 1990, and then kept adding features in Windows for Workgroups and later versions of Windows. In 1996 Microsoft developed the CIFS dialect of SMB, which shipped with Windows 95 and added support for larger file sizes, transport directly over TCP/IP, and symbolic and hard links.
How Does It Work?
The SMB protocol lets an application access files on a remote server, along with other resources such as printers and mailslots. A client application can therefore open, read, create, move and modify a file on a remote server, and can connect to any server program that is set up to receive SMB client requests.
SMB is a request-response protocol: client and server exchange multiple messages to establish a connection. It operates at Layer 7, the application layer, and runs directly over TCP/IP on port 445. Early versions of SMB instead ran over the NetBIOS API on top of TCP/IP.
Today NetBIOS over a transport protocol is only required to communicate with devices that do not support SMB directly over TCP/IP.
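The following script is an added example, not code from the original article: it shows, on a Windows host, which SMB transports are listening (direct TCP 445 versus the older NetBIOS session service on TCP 139) and which dialect each current server-side session negotiated. It assumes an elevated PowerShell on Windows 8.1 / Windows 10 or later; the filter treating dialects that start with "1." as SMB1 is this example's own.

```powershell
# Added example (not from the original article): list the SMB transports this
# host is listening on and the dialect each active SMB session negotiated.
# Assumes an elevated PowerShell on Windows 8.1 / Windows 10 or later.

# TCP 445 carries SMB directly over TCP/IP; TCP 139 is the older NetBIOS
# session service that SMB used before direct hosting over TCP existed.
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 445, 139 } |
    Select-Object LocalAddress, LocalPort

if ($listeners) {
    Write-Host 'SMB transports listening on this host:'
    $listeners | Format-Table -AutoSize
} else {
    Write-Host 'No SMB listener found on TCP 445 or 139.'
}

# The SMB server records the dialect each client negotiated ("2.02", "3.1.1"
# and so on). A dialect beginning with "1." means the client fell back to SMB1.
$sessions = @(Get-SmbSession -ErrorAction SilentlyContinue |
    Select-Object ClientComputerName, ClientUserName, Dialect)

if ($sessions.Count -eq 0) {
    Write-Host 'No active SMB sessions.'
} else {
    Write-Host 'Active SMB sessions and the dialect each negotiated:'
    $sessions | Format-Table -AutoSize

    # Example's own check: any SMB1 session identifies a client that must be
    # fixed or upgraded before SMB1 can be switched off on this server.
    $legacy = @($sessions | Where-Object { $_.Dialect -like '1.*' })
    if ($legacy.Count -gt 0) {
        Write-Host "$($legacy.Count) session(s) are using SMB1 and need attention:"
        $legacy | Format-Table -AutoSize
    } else {
        Write-Host 'No active session is using SMB1.'
    }
}
```

Run it on a file server during normal working hours: the listener list tells you which transports are exposed, and the dialect column tells you whether any client is still negotiating down to SMB1.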
How Does SMB1 Cause Ransomware And Other Attacks?
You will probably remember the WannaCry ransomware, which cost many businesses a great deal of money. Ransomware and Trojan variants of this kind rely on vulnerabilities in the Windows Server Message Block (SMB) implementation to propagate through an organization’s network.
Attackers generally use phishing emails to infect target systems; WannaCry, however, was different. It targeted public-facing SMB ports and used the EternalBlue exploit, allegedly leaked from the NSA, to enter the network, then allegedly used the DoublePulsar backdoor to establish persistence and install the WannaCry ransomware.
Why Is it So Effective?
To do the most damage, a worm-like infection needs to keep spreading on its own, so that little effort yields multiplying returns. This is where the SMB vulnerabilities come in: they let the malware spread laterally across connected systems.
Unnecessary protocols such as SMB1 should be disabled, and networks should be segmented, because exposed legacy services leave systems open to attackers. It is also recommended to keep all systems on the latest versions of their operating systems and to apply security patches promptly.
SMB1 is enabled on all of these systems, but not all of them need it. If you are not using it, disable SMB1 and any other communication protocols you do not need.
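Before disabling SMB1 you need to know whether anything still depends on it. The script below is an added example, not part of the original article: it turns on the SMB server's SMB1 access auditing, then summarises the audit events by client address so the remaining SMB1 users can be fixed first. It assumes Windows 10 / Windows Server 2016 or later (where the `AuditSmb1Access` setting and the `Microsoft-Windows-SMBServer/Audit` log exist) and an elevated shell; the 14-day window and the regular expression that pulls the client address out of the event message are this example's own assumptions.

```powershell
# Added example (not from the original article): find out which clients still
# negotiate SMB1 with this server before SMB1 is disabled.
# Assumes Windows 10 / Windows Server 2016 or later and an elevated PowerShell.

# Step 1: turn on SMB1 access auditing. From now on every SMB1 connection is
# logged as event ID 3000 in the Microsoft-Windows-SMBServer/Audit log.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# Step 2: after a representative period (assumed here: 14 days, long enough to
# catch weekly jobs and month-end runs), read the audit log back.
$days = 14
$events = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-SMBServer/Audit'
    Id        = 3000
    StartTime = (Get-Date).AddDays(-$days)
} -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Host "No SMB1 connections recorded in the last $days days; SMB1 can be disabled here."
} else {
    # Step 3: group the events by the client address named in the message text.
    # The "Client Address:" pattern is an assumption about the event's wording;
    # anything that does not match is reported as 'unknown' rather than dropped.
    $summary = $events | ForEach-Object {
        if ($_.Message -match 'Client Address:\s*(\S+)') { $matches[1] } else { 'unknown' }
    } | Group-Object | Sort-Object Count -Descending |
        Select-Object @{ Name = 'ClientAddress'; Expression = { $_.Name } }, Count

    Write-Host "Clients that used SMB1 in the last $days days (fix these before disabling SMB1):"
    $summary | Format-Table -AutoSize
}
```

The list that comes out is the work queue: each address is a printer, NAS, embedded device or unpatched host that will lose access to this server the moment SMB1 is switched off, so it should be upgraded or reconfigured first.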
WannaCry used only two cyber tools to abuse SMB vulnerabilities, and it is not the only ransomware attack that has done so. An upcoming worm, EternalRocks, comes with seven cyber tools to infect systems around the world.
EternalRocks uses the Server Message Block exploits EternalBlue, EternalChampion, EternalSynergy and EternalRomance, together with SMBTouch and ArchiTouch, the SMB reconnaissance tools it uses to keep an eye on affected computers.
When a worm with two tools caused massive chaos around the world, it is hard to imagine the scale of destruction that EternalRocks could cause.
How Did The Attack Take Place?
Currently three exploits, EternalBlue, EternalChampion and EternalRomance, are out in the open and can take advantage of SMB vulnerabilities. EternalBlue was used by WannaCry and Emotet; EternalRomance was used by Bad Rabbit, NotPetya and TrickBot. A fourth exploit, EternalSynergy, also exists.
A hacker group named the Shadow Brokers leaked all of these exploits. Within a month the EternalBlue exploit was in use and WannaCry was spreading like wildfire.
EternalRocks uses DoublePulsar as a backdoor for malware to be installed on infected systems.
Research shows that this backdoor is still not secured, so other attackers could use it as a channel to introduce their own malware and damage systems.
Subsequently, large-scale malware attacks such as Bad Rabbit and NotPetya used SMB vulnerabilities to enter organizations’ networks in 2017, and the Emotet and TrickBot Trojan attacks peaked in the third and fourth quarters of 2018.
We have seen enough of SMB version 1 and its vulnerabilities: if you are not using SMB1, you are better off without it.
In the next segment, we will look at how to detect, enable or disable SMB1 on Windows. So, let’s proceed!
How To Detect, Enable/Disable SMB1 On Windows?
Method 1: Detect, Enable/Disable SMB v1 Protocol On Windows 8.1 and Windows 10 Using PowerShell
To Detect
- Press Windows and X to open the context menu above the Start menu.
- From the list, choose Windows PowerShell (Admin).
Note: You can also find PowerShell by typing PowerShell in the search box. Right-click the Windows PowerShell option and choose Run as administrator.
- In the PowerShell window, type Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
How To Disable
- Press Windows and X to open the context menu above the Start menu.
- From the list, choose Windows PowerShell (Admin).
Note: You can also find PowerShell by typing PowerShell in the search box. Right-click the Windows PowerShell option and choose Run as administrator.
- In the PowerShell window, type Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
To Enable
- In the PowerShell window, type Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Type Y when prompted so the changes take effect.
Method 2: Disable/Enable SMB1 Using Turn Windows Features On or Off
Step 1: Click the Start button and type Control Panel. The Control Panel desktop app appears; click on it.
Step 2: Now locate Programs & Features.
Step 3: A window opens with a list of software installed on your system. On the left side of the panel, click Turn Windows Features On or Off.
Step 4: Clear the checkmark beside SMB 1.0/CIFS File Sharing Support to disable SMB1. If you want to enable it, put a checkmark beside the same entry.
Method 3: Using Registry Editor To Enable/Disable SMB1
You can also use the Registry Editor to enable or disable SMB1. Before going further, make sure you back up the registry.
Note: To take a backup, follow these steps:
Step 1: Press Windows and R, type regedit and press Enter.
Step 2: In Registry Editor, go to File -> Export.
Step 3: A window opens in which you can save the registry backup to your preferred location.
To enable/disable SMBv1 on Windows, follow these steps:
Step 1: Open Registry Editor as above (press Windows and R, type regedit and press Enter).
Step 2: In Registry Editor, navigate to this path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Step 3: In the right-hand pane, locate the registry entry SMB1:
- If the REG_DWORD value is 0, SMB1 is Disabled.
- If the REG_DWORD value is 1, SMB1 is Enabled.
To check the value, right-click SMB1 and click Modify. Check the Value data field.
Note: If you do not find the SMB1 DWORD, you can create it. Right-click in the right-hand pane, click New and select DWORD (32-bit) Value. Name the new value SMB1.
Note: You need to restart your computer once you have made these changes.
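The three methods above look at SMB1 through three different windows: the optional feature, the SMB server's own setting, and the LanmanServer registry value. The script below is an added example, not code from the original article: `Get-Smb1Status` reports all three side by side so a mismatch (for instance, the feature installed but the server setting already off) is visible, and `Disable-Smb1` applies the disable step through all three, honouring `-WhatIf` so it can be previewed first. It assumes an elevated PowerShell on Windows 8.1 / Windows 10; both function names are this example's own.

```powershell
# Added example (not from the original article): report SMB1 state through the
# three views the article describes, and disable SMB1 only on explicit request.
# Assumes an elevated PowerShell on Windows 8.1 / Windows 10.

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1Status {
    # View 1 (Method 1): the Windows optional feature that carries the SMB1 binaries.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

    # View 2: the SMB server's runtime setting, which is what governs whether the
    # server will negotiate SMB1 at all.
    $server = Get-SmbServerConfiguration

    # View 3 (Method 3): the registry value. On systems that still ship SMB1 a
    # missing value means "enabled", so report that explicitly rather than as blank.
    $reg = Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue
    $regValue = if ($null -eq $reg) { 'not set (defaults to enabled)' } else { $reg.SMB1 }

    [pscustomobject]@{
        OptionalFeatureState = $feature.State            # Enabled / Disabled
        ServerEnableSMB1     = $server.EnableSMB1Protocol # $true / $false
        RegistrySMB1Value    = $regValue                  # 1 = enabled, 0 = disabled
    }
}

function Disable-Smb1 {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if ($PSCmdlet.ShouldProcess('localhost', 'Disable SMB1 (server setting, registry value, optional feature)')) {
        # Runtime setting first, so the server stops negotiating SMB1 immediately.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

        # Then the registry value from Method 3; -Force creates it if it is absent.
        New-ItemProperty -Path $LanmanParams -Name SMB1 -PropertyType DWord -Value 0 -Force | Out-Null

        # Finally remove the feature binaries. -NoRestart defers the reboot the
        # article notes is needed; report whether one is still pending.
        $result = Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
        if ($result.RestartNeeded) {
            Write-Host 'SMB1 disabled; restart the computer to complete the change.'
        } else {
            Write-Host 'SMB1 disabled.'
        }
    }
}

# Usage:
Get-Smb1Status | Format-List
# Disable-Smb1 -WhatIf   # preview what would change
# Disable-Smb1           # apply, then reboot
```

Running `Get-Smb1Status` before and after `Disable-Smb1` gives you a record of the change, which is useful when the same script is pushed to many machines and you need to prove that each one ended up with the feature disabled, the server setting off and the registry value at 0.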
If you think your system has been affected by a malicious attack, or you want to prevent one in future, you can always install protection tools such as Advanced System Protector by Systweak. Advanced System Protector is a one-stop solution, combining antimalware, antispyware and antivirus techniques to fight off all infections present on your system.
It is also always recommended to keep a backup of your system so that your data is safe. There are many data backup tools available, but choosing the right one matters. Right Backup is one of the most reliable tools for backing up your data, as it comes with SSL encryption and makes your data accessible on every device you have. All you need to do is upload your data, and the backup service keeps it safe on secure cloud servers.
In this way you can easily disable or enable Server Message Block (SMB1). Security concerns are not new, but the disruption caused by the WannaCry ransomware should be treated as a wake-up call, since it used vulnerabilities in the SMB1 service of the Windows operating system to launch its attack. Microsoft itself recommends disabling SMB1 for security reasons, so keeping it disabled can help prevent such ransomware from victimizing your system.
Also, to keep your data safe and your system protected, you can always rely on Right Backup and Advanced System Protector respectively.
Liked the article? Please share your thoughts in the comments section below.