Called EternalRocks, this new worm is not yet weaponized

May 22, 2017 20:21 GMT  ·  By

The world thought WannaCry was the worst thing to happen to computer security, but that's far from the truth given what security researchers just found out - namely a new worm spreading via SMB using seven NSA tools instead of the two leveraged by WannaCry. 

The discovery was actually made a few days ago when security researcher Miroslav Stampar, member of the Croatian Government CERT, discovered the worm when it infected the SMB honeypot, as Bleeping Computer explains it.

Stampar put a name on it - EternalRocks. The worm uses six SMB-centric NSA tools to infect a computer with SMB ports exposed online - EternalBlue, EternalChampion, EternalRomance, and EternalSynergy (exploits used to compromise vulnerable computers), as well as SMBTouch and ArchiTouch, two NSA tools used for SMB recon operations. It also uses DoublePulsar, the well-known NSA tool which propagates the worm to new vulnerable machines.

For comparison, WannaCry used EternalBlue and DoublePulsar to propagate to some 300,000 devices.

Stampar compares EternalRocks to WannaCry and admits that it is a lot less dangerous, mostly because it currently doesn't deliver any malicious content. EternalRocks is, however, far more complex than the ransomware that spread like wildfire across the globe.

How does it work?

Once the worm infects a victim, it uses a two-stage installation process, with the second stage being delayed. In the first phase, EternalRocks downloads the TOR client and sends a beacon to its C&C server on the Dark Web. After 24 hours, the C&C server sends back a response. This delayed response is a method often used by malware so it can avoid detection. Even security researchers might give up waiting for the server to ping back in 24 hours.

EternalRocks goes to further lengths to appear to be something other than it is by using files with identical names to the ones used by WannaCry's worm. This one, however, doesn't include a kill switch domain, which is how WannaCry got shut down.

The second stage installation of EternalRocks involves downloading an archive named shadowbrokers.zip, a malware component. Shadow Brokers, as you may know, is the group of hackers that stole and dumped NSA classified documents that are at the base of the WannaCry infection. The worm does an IP scan and attempts to connect to a random address.

A serious threat

At this point in time, EternalRocks isn't that dangerous. It could, however, become a high threat if the attackers decide to weaponize the worm with ransomware, trojans, or anything else. It seems that this is just a matter of when, not if.

"EternalRocks in many ways is a more traditional advisory when it comes to malware defense. Unlike WannaCry, which used some of the NSA leaked exploits to encrypt and ransom the infected machine, EternalRocks operates in the shadows, both on the machine and in the darkweb. Infected machines will not easily be detected with a friendly pop-up asking for bitcoins, rather, this use of exploits leaked will infect machines gathering information such as credentials, passwords used when accessing web-sites such as personal banking and personal e-mail accounts," explains Paul Calatayud, CTO at FireMon.

"To prevent this malware from taking full control, it's important that you configure your network to prevent TOR network communications. Most Next-Generation firewalls are capable of being configured to block TOR. Network Security Policy Management (NSPM) is a great way to quickly audit your next-generation firewalls to assess if TOR is accessible and more importantly being used which may indicate EternalRocks is already on your machines," he adds.