EternalRocks new worm uses NSA's 6 tools

EternalRocks: Security researchers have just discovered a new worm that spreads through SMB using seven NSA hacking tools instead of the two WannaCry users.

The discovery was carried out by security researcher Miroslav Stampar, a member of the Croatian CERT. He discovered the worm when he detected an infection in a SMB honeypot, as reported by the Bleeping Computer.
EternalRocks
Stampar named the new EternalRocks worm and found that he uses six NSA tools to infect a computer from SMB ports. The exploits EternalBlue, EternalChampion, EternalRomance, and EternalSynergy as well as SMBTouch and ArchiTouch are used together with DoublePulsar, the well-known NSA tool that promotes the worm to new vulnerable machines.

Comparatively the WannaCry only used EternalBlue and DoublePulsar to spread around 300.000 devices.

Stampar, comparing EternalRocks with WannaCry, admits it is much less dangerous, mainly because it does not provide malicious content. EternalRocks, however, is much more complicated than the global ransomware.

How does it work:

Once the worm infects its victim, it uses a two-step installation process, with the second stage delayed.

In the first phase, EternalRocks downloads the Tor program and sends a signal to a C&C server on the Dark Web. After 24 hours the C&C server sends a response back. This delayed response is a method often used by malware to prevent detection, and even security investigators could stop waiting for a response from the server.

EternalRocks does not seem to use files with the same names as the WannaCry worm, nor does it include any one kill switch domain.

Installing the second stage of EternalRocks involves downloading a file called shadowbrokers.zip. Shadow Brokers, as you may know, is the team that stole NSA's classified documents and records. The worm does an IP scan and tries to connect to a random address.

Right now, EternalRocks is not that dangerous. However, it could be a very serious threat if the attackers decide to arm the worm with ransomware, trojans or anything else.

"EternalRocks, unlike WannaCry, works in the shadows, both on the machine and on the Dark Web. Infected machines cannot be easily detected as there is no pop-up window asking for bitcoins. The use of leaked exploits gathers information such as credentials, passwords used to access websites, personal bank accounts and e-mail accounts, ”explains Paul Calatayud, CTO at FireMon.

"To avoid complete control of this malware, it is important to configure your network to prevent network communications with TOR. Most next-generation firewalls can be configured to block TOR."

iGuRu.gr The Best Technology Site in Greeceggns

Get the best viral stories straight into your inbox!















Written by giorgos

George still wonders what he's doing here ...

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).