The recently discovered worm EternalRocks has no kill switch and is highly infectious. It exploits NSA’s leaked tools and can rapidly be weaponized with ransomware, banking Trojans, or RATs.
After the WannaCry ransomware attacks that wreaked havoc worldwide over the last 10 days, a new strain of malware, “EternalRocks”, has been identified by security researcher Miroslav Stampar. He discovered it on Wednesday from a sample captured when his Windows 7 honeypot was infected.
Its original name is “MicroBotMassiveNet”, and Stampar has nicknamed it “DoomsDayWorm.” EternalRocks is listed as the product name in the file properties of its Taskhost executable.
EternalRocks spreads using all of the SMB exploits in the leak, including EternalBlue, used by WannaCry in attacks. EternalRocks not only uses EternalBlue, it also uses EternalChampion, EternalRomance, and EternalSynergy, as well as ArchiTouch, SMBTouch, and the DoublePulsar kernel exploit.
EternalRocks is self-replicating malware; it carries far more threats and is more dangerous than WannaCry. It spreads via several SMB (Server Message Block) vulnerabilities and uses the NSA tool known as EternalBlue to propagate from one Windows computer to the next.
A few important things one should know about EternalRocks:
- In its current form, ‘EternalRocks’ does not lock or corrupt files or use infected machines to build a botnet. However, it leaves infected computers open to remote commands, which could ‘weaponize’ the infection at any time.
- ‘EternalRocks’ is stronger than WannaCry because it has neither the loopholes nor the kill switch that WannaCry had; those loopholes slowed WannaCry down and allowed it to be circumvented.
- ‘EternalRocks’ does nothing for 24 hours after it infects a computer, which makes it harder to detect. It spreads in two stages over a 24-hour period.
What is a honeypot?
A honeypot is a computer security mechanism set up as a trap to attract, detect and deflect attackers who attempt unauthorized use of information systems. It identifies malicious activity on the internet by deliberately engaging and deceiving attackers.
How does EternalRocks differ from WannaCry?
Although EternalRocks uses the same route and the same weakness to infect Windows systems, it is said to be far more hazardous, because it reportedly uses all seven of the hacking tools leaked from the NSA, whereas WannaCry used only two.
WannaCry, with just two NSA tools, caused disaster by affecting 150 countries and over 240,000 machines across the globe. So we can imagine what EternalRocks could do with seven NSA tools.
The distinctive feature of “DoomsDayWorm” is that it waits silently for twenty-four hours before using the backdoor to download additional malware from the command-and-control server. This is unlike WannaCry ransomware, whose spread was halted by a kill switch discovered by a security blogger.
During the first stage, EternalRocks installs TOR as its C&C (Command-and-Control) communications channel. The second stage begins after 24 hours have passed, when the C&C server responds with shadowbrokers.zip. The worm unpacks the file and starts a random scan of the internet for hosts with SMB port 445 open.
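The second stage described above, a random scan of the internet for port 445, is visible from the defender's side as one internal host opening connections to many unrelated external addresses on TCP/445 in a short window. The following detector is an added example, not code from the original article or from the researcher it cites: it runs over a constructed firewall log (the log format, the 10.0.0.0/8 "internal" range, and every address are assumptions for illustration) and flags sources that fan out to many distinct external 445 targets.

```python
"""Detect EternalRocks-style SMB scanning in perimeter firewall logs.

Added example (not from the original article).  The log format, the
internal address range and every address below are constructed for
illustration; adapt LINE_RE and INTERNAL_NETS to your own firewall.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Assumed: the organisation's own address space.  Anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample of outbound connection records.  10.0.0.5 behaves like a
# scanner (many distinct external /445 targets in seconds); 10.0.0.9 does not.
SAMPLE_LOG = """\
2017-05-18T10:00:01 src=10.0.0.5 dst=10.0.0.20 dport=445 action=allow
2017-05-18T10:00:02 src=10.0.0.5 dst=198.51.100.7 dport=445 action=allow
2017-05-18T10:00:02 src=10.0.0.5 dst=203.0.113.44 dport=445 action=deny
2017-05-18T10:00:03 src=10.0.0.5 dst=192.0.2.9 dport=445 action=allow
2017-05-18T10:00:03 src=10.0.0.5 dst=198.51.100.200 dport=445 action=deny
2017-05-18T10:00:04 src=10.0.0.5 dst=203.0.113.8 dport=445 action=deny
2017-05-18T10:00:04 src=10.0.0.5 dst=192.0.2.77 dport=445 action=allow
2017-05-18T10:00:05 src=10.0.0.5 dst=198.51.100.31 dport=445 action=deny
2017-05-18T10:00:09 src=10.0.0.9 dst=10.0.0.20 dport=445 action=allow
2017-05-18T10:00:10 src=10.0.0.9 dst=203.0.113.10 dport=443 action=allow
2017-05-18T10:05:00 src=10.0.0.5 dst=192.0.2.120 dport=445 action=deny
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_log(text):
    """Parse the constructed log into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        d["dport"] = int(d["dport"])
        events.append(d)
    return events


def is_internal(addr):
    """True when addr falls inside one of the assumed internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_smb_scanners(events, window=timedelta(seconds=60), threshold=5):
    """Return {src: n} for sources that reached >= threshold distinct external
    addresses on TCP/445 within any sliding window of the given length.

    Internal SMB traffic is ignored so normal file-server use does not trip
    the rule.  Denied attempts count too: a scanner does not care whether the
    target answered, and a perimeter deny is exactly what blocking outbound
    445 produces.
    """
    per_src = defaultdict(list)
    for e in events:
        if e["dport"] != 445 or is_internal(e["dst"]):
            continue
        per_src[e["src"]].append((e["ts"], e["dst"]))

    hits = {}
    for src, attempts in per_src.items():
        attempts.sort()
        best = start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits within `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in attempts[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, n in find_smb_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"possible SMB scanner {src}: {n} distinct external targets on 445 in 60s")
```

The threshold and window are deliberately conservative; on a real perimeter, a host that should never talk SMB to the internet would justify alerting on a single external 445 attempt, and the `action=deny` lines are the evidence that an outbound 445 block is doing its job.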
What is TOR?
Software that closes the unseen eyes that are everywhere
TOR is software that allows users to browse the web anonymously. TOR was originally called The Onion Router, because it uses a technique called onion routing to hide information about user activity. TOR makes it harder to track internet activity by separating identification from routing, and it encrypts the data, including the IP address.
What is C&C (Command-and-Control) communications channel?
Command-and-control servers, also called C&C servers or C2, are computers used by attackers to maintain communication with compromised systems inside a target network.
The seven NSA tools leaked by the ShadowBrokers and used by EternalRocks:
- EternalBlue — SMB1 and SMB2 exploit used to get onto the network
- EternalRomance — a remote SMB1 network file server exploit targeting Windows XP, Server 2003, Vista, Windows 7, Windows 8, Server 2008, and Server 2008 R2
- EternalChampion — SMBv2 exploit tool
- EternalSynergy — a remote code execution exploit against SMB3 that potentially works against various operating systems
The above four tools are designed to compromise vulnerable Windows computers.
- SMBTouch — SMB reconnaissance tool
- ArchiTouch — SMB reconnaissance tool
The above two tools are used to scan for open SMB ports on the public network.
- DoublePulsar — used to install the ransomware; it helps spread the worm from one computer to another across the same network.
WannaCry ransomware is not the only malware to use EternalBlue or the DoublePulsar backdoor. A cryptocurrency miner known as Adylkuzz is minting virtual currency on infected machines, and another piece of malware spreading through a similar attack vector is known as UIWIX.
The good part
There are no reports of EternalRocks having been weaponized, and no malicious payload such as ransomware has been reported.
The bad part
Even if the SMB patches are applied later, machines already infected by the EternalRocks worm remain remotely accessible via the DOUBLEPULSAR NSA tool. The DOUBLEPULSAR backdoor Trojan left behind by EternalRocks keeps the door open for attackers.
What to do to be safe from such attacks?
- Block external access to SMB ports on the public internet
- Patch all SMB vulnerabilities
- Block access to C&C servers and block access to Torproject.org
- Monitor for any newly added scheduled tasks
- Update your Windows OS
- Install and update your anti-virus
- Install or activate the system firewall to maintain a barrier between suspicious links and your system
- Avoid obvious settings and simple passwords. Use a combination of letters and numbers; mixing uppercase and lowercase letters is also a safer approach.
Do not use pirated versions of Windows; if you have one, your system is more susceptible to infection. It is best to install and use a genuine version of the Windows OS.
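The "monitor for any newly added scheduled tasks" item above is the one mitigation in the list that needs a concrete check. When task-creation auditing is enabled, Windows writes Security event ID 4698 ("A scheduled task was created") and includes the task's XML definition in the event's TaskContent field. The audit below is an added example, not code from the original article: it compares constructed 4698 records against an assumed administrator-maintained baseline of approved task names and reports every unknown task together with the commands it would execute. The task names, paths and account names are placeholders.

```python
"""Audit newly created scheduled tasks against a known-good baseline.

Added example, not from the original article.  The events, task names,
paths and the BASELINE set are constructed placeholders; on a live host the
same fields come from Security event 4698, and the current task list can be
compared with Get-ScheduledTask output instead.
"""
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML definitions (as carried in TaskContent).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed baseline: task names an administrator has reviewed and approved.
BASELINE = {
    r"\Microsoft\Windows\Defrag\ScheduledDefrag",
    r"\ExampleCorp\NightlyBackup",
}


def _task_xml(command, args="", author="ExampleCorp\\admin"):
    """Build a minimal Task Scheduler definition for the constructed sample."""
    return f"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>{author}</Author></RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>{command}</Command><Arguments>{args}</Arguments></Exec>
  </Actions>
</Task>"""


# Constructed 4698/4699 records; field names follow the event's data fields.
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "admin",
     "TaskName": r"\ExampleCorp\NightlyBackup",
     "TaskContent": _task_xml(r"C:\Program Files\Backup\backup.exe")},
    {"EventID": 4698, "SubjectUserName": "SYSTEM",
     "TaskName": r"\PLACEHOLDER-UnknownTask",
     "TaskContent": _task_xml(r"C:\ProgramData\placeholder\svc.exe", "-install")},
    # 4699 is "A scheduled task was deleted"; it is listed to show it is skipped.
    {"EventID": 4699, "SubjectUserName": "admin",
     "TaskName": r"\ExampleCorp\OldTask", "TaskContent": ""},
]


def parse_actions(task_xml):
    """Return (command, arguments) pairs from a task definition's Exec actions."""
    root = ET.fromstring(task_xml)
    actions = []
    for exe in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", default="", namespaces=NS)
        args = exe.findtext("t:Arguments", default="", namespaces=NS)
        actions.append((cmd.strip(), args.strip()))
    return actions


def audit_new_tasks(events, baseline=BASELINE):
    """Flag 4698 events whose task name is not in the approved baseline.

    Each finding carries the task name, the account that created it and the
    commands the task will run, which is what an analyst needs to triage it.
    """
    findings = []
    for ev in events:
        if ev.get("EventID") != 4698:
            continue  # deletions (4699) and updates (4702) are out of scope here
        if ev["TaskName"] in baseline:
            continue
        findings.append({
            "task": ev["TaskName"],
            "created_by": ev["SubjectUserName"],
            "actions": parse_actions(ev["TaskContent"]),
        })
    return findings


if __name__ == "__main__":
    for f in audit_new_tasks(SAMPLE_EVENTS):
        print(f"unapproved task {f['task']} created by {f['created_by']}: {f['actions']}")
```

A baseline comparison is deliberately simple: it produces one finding per unknown task rather than trying to judge whether a command looks malicious, so a reviewer sees every new task and either approves it into the baseline or investigates it. Event 4698 is only logged when "Audit Other Object Access Events" is enabled, so confirm the events exist before relying on this check.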