EternalRocks – The New and More Sophisticated ‘Doomsday’ Worm

ImageSource : Bleepingcomputers

The blackhats have created a new strain of malware that targets the same vulnerability as the WannaCry ransomware from the first week of May.

The Malware is called as EternalRocks, which uses the same flaw in Microsoft’s SMB networking protocol to infect other Windows systems that haven’t yet been patched with MS17-010. However, this new malware is far deadlier than WannaCry.

WannaCry Ransomware created havoc and tensions around the globe in the first half of May 2017. This ransomware just used 2 NSA hacking Tools ETERNALBLUE to compromise a machine and DOUBLEPULSAR to move around the network to find its victim and infect. Discovery of this new worm is spreading via SMB. It uses 7 NSA hacking tools which are leaked by a mysterious group calling themselves Shadow Brokers.

  1. EternalBlue — SMBv1 exploit tool
  2. EternalRomance — SMBv1 exploit tool
  3. EternalChampion — SMBv2 exploit tool
  4. EternalSynergy — SMBv3 exploit tool
  5. SMBTouch — SMB reconnaissance tool
  6. ArchTouch — SMB reconnaissance tool
  7. DoublePulsar — Backdoor Trojan

ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY, which are SMB exploits used to compromise vulnerable computers, while SMBTOUCH and ARCHITOUCH are two NSA tools used for SMB reconnaissance operations which are used to scan for active SMB ports.

Now let’s see how the attack takes place

Infection of EternalRocks malware takes place in two stages.

In the first stage, malware entering a machine downloads necessary .NET components TaskScheduler and SharpZLib from the internet while dropping svchost.exe and taskhost.exe. Component svchost.exe used for downloading, unpacking and running Tor from along with C&C (ubgdgno5eswkhmpy.onion) communication requesting further instructions.

Once compromised with ETERNALROCKS the system can be used for any future attacks. It may cause damage beyond imagination. Saner will detect this threat easily.

Saner caught this malware with Indicators (as seen in the image below).

The threats are detected in Viser.

EternalRocks can be weaponized instantly. Because of its larger exploit arsenal, the lack of detection and remediation, and because of its initial inactive state, EternalRocks could pose a serious threat to computers with vulnerable SMB ports exposed to the Internet, if its author would ever decide to weaponize the worm with ransomware, a banking trojan, RATs, or anything else.

Few of the exploits used by the NSA Hacking tools are already fixed in older Microsoft Patch updates

Code Name Solution
EternalBlue Addressed by MS17-010
EmeraldThread Addressed by MS10-061
EternalChampion Addressed by CVE-2017-0146 & CVE-2017-0147
“ErraticGopher” Addressed prior to the release of Windows Vista
EsikmoRoll Addressed by MS14-068
EternalRomance Addressed by MS17-010
EducatedScholar Addressed by MS09-050
EternalSynergy Addressed by MS17-010
EclipsedWing Addressed by MS08-067

source: Microsoft

All these updates can be easily remediated through SecPod Saner. Install Saner to detect these type of threats and stay secure.

Subscribe For More Posts Like This

Get the latest research, best practices, industry trends and cybersecurity blogs from SecPod security experts

Invalid email address
We promise not to spam you. You can unsubscribe at any time.
0 0 votes
Article Rating
Notify of
Inline Feedbacks
View all comments