EternalRocks: It’s more dangerous than WannaCry

Originally discovered by the Croatian National Computer Emergency Response Team, the worm exploits the same Server Message Block (SMB) protocol flaw present in Windows machines dating as far back as XP. Named EternalRocks, the malware is built from several of the tools stolen from the NSA last year and published on GitHub, the world’s largest code-sharing network, by the hacker group TheShadowBrokers.

That set of tools includes exploits for vulnerabilities in Sendmail on Red Hat Linux, IBM Lotus Notes and Lotus Domino, and Internet Information Services (IIS) on Windows, as well as numerous exploits for the aforementioned SMB protocol.

Running the exploits against vulnerable machines will give an attacker remote access to the target’s file system, after which they can install ransomware (as with the earlier WannaCry outbreak), or hidden cryptocurrency miners (last week’s Adylkuzz). Most attacks will also commonly include DoublePulsar in their payload, which installs a backdoor on the machine and then spreads itself to others on the network.

EternalRocks Is Harder to Detect

Unlike WannaCry, which relied on the EternalBlue worm, EternalRocks uses a strategy that evades detection even by most security researchers.

It does this through a two-stage installation process: it first installs a Tor client and then requests further instructions from a URL on the dark web, a pattern known as C&C, or “command and control”, communication. Typically, a worm infects a machine and then awaits further instructions and new payloads from its control server.

However, in the case of EternalRocks, the C&C server doesn’t respond for 24 hours, which would lead security researchers to mistakenly believe that the server is dead and that the trail has gone cold.

The payload from EternalRocks’ control server includes a 4 MB ZIP file named “shadowbrokers.zip” that unpacks itself on the host machine and immediately begins scanning for other machines to infect.

Infected Machines Are Awaiting Instructions

Perhaps the most frightening thing about the EternalRocks exploit is that all it currently does is propagate itself to as many machines as possible. Because the infected machines simply wait for new payloads from their control server, the worm doesn’t modify its host in any easily discernible way. However, once the propagation has reached a large enough number of machines, it represents a valuable network resource that the attackers could harness in any number of ways, possibly by turning the machines into a botnet, or by ransoming them all at once.

Even more concerning, the DoublePulsar backdoor is left open to any attacker, not just the EternalRocks originators. A machine infected with DoublePulsar would accept new payloads from any source, effectively turning it into a Petri dish of computer malware.

The race is on for systems administrators to harden their networks against the various NSA exploits in the wild. However, security researchers advise that the Windows SMB patch may no longer be enough. Administrators must also sweep their systems for evidence of DoublePulsar or EternalRocks, because once either of those has been installed, patching alone will be too late.
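The article describes two behaviours a defender can look for on the network side: an infected host scanning for other SMB targets, and a host that otherwise looks idle while it waits on its control server. The following is an added example, not code from the article or from any of the researchers it cites, showing one way to surface the first of those behaviours from connection logs. It assumes a simple, constructed log format of one connection per line (ISO timestamp, source address, destination address, destination port); the sample addresses, the 5-minute window and the 20-distinct-peer threshold are all assumptions chosen for illustration, not values from the article.

```python
"""Flag hosts with worm-like SMB fan-out in connection logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445
# Assumed tuning values: an ordinary workstation rarely opens SMB sessions to
# this many distinct peers inside a short window, whereas a scanning worm does.
DISTINCT_PEER_THRESHOLD = 20
WINDOW = timedelta(minutes=5)


def build_sample_log():
    """Constructed log lines in the form '<ISO time> <src> <dst> <dport>'."""
    base = datetime(2017, 5, 22, 9, 0, 0)
    lines = []
    # Legitimate client (constructed): repeated SMB sessions to one file server.
    for i in range(30):
        t = base + timedelta(seconds=i * 10)
        lines.append(f"{t.isoformat()} 10.0.0.7 10.0.0.2 445")
    # Some HTTPS traffic from the same client; the detector ignores non-SMB ports.
    for i in range(5):
        t = base + timedelta(seconds=i * 7)
        lines.append(f"{t.isoformat()} 10.0.0.7 93.184.216.34 443")
    # Worm-like host (constructed): SMB attempts to 40 distinct addresses in two minutes.
    for i in range(40):
        t = base + timedelta(seconds=i * 3)
        lines.append(f"{t.isoformat()} 10.0.0.5 10.0.1.{i + 1} 445")
    return lines


def parse_line(line):
    """Parse one log line; return (timestamp, src, dst, dport) or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None


def smb_fanout(lines, window=WINDOW):
    """Return src -> largest number of distinct SMB peers seen in any window."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != SMB_PORT:
            continue
        ts, src, dst, _ = rec
        events[src].append((ts, dst))
    result = {}
    for src, evs in events.items():
        evs.sort()
        best = 0
        # Sliding window anchored at each event; quadratic but fine for a log sample.
        for i, (t0, _) in enumerate(evs):
            peers = {dst for t, dst in evs[i:] if t - t0 <= window}
            best = max(best, len(peers))
        result[src] = best
    return result


def flag_scanners(lines, threshold=DISTINCT_PEER_THRESHOLD, window=WINDOW):
    """Sorted list of (src, distinct_peers) for hosts at or above the threshold."""
    return sorted((src, n) for src, n in smb_fanout(lines, window).items() if n >= threshold)


if __name__ == "__main__":
    for src, n in flag_scanners(build_sample_log()):
        print(f"possible SMB scanner: {src} reached {n} distinct hosts on port {SMB_PORT}")
```

On the constructed sample the file-server client is reported with a fan-out of 1 and is not flagged, while the scanning host is flagged with 40 distinct peers. A real deployment would feed firewall or NetFlow records into `flag_scanners` and tune the window and threshold to the environment; a hit is a reason to isolate the host and check it for the backdoor the article describes, not proof of infection on its own.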
