EternalRocks Worm

Have you heard about the EternalRocks Worm which exploits the same SMB vulnerability in Mircosoft Windows Systems as WannaCry?

This worm includes far more threats than WannaCry, making it potentially tougher to remediate. Unlike the WannaCry ransomware which uses two of the SMB exploits ETERNALBLUE and DOUBLEPULSAR, EternalRocks uses all the seven NSA SMB exploit tools that was released by the Shadow Brokers (a group of hackers that leaked the NSA hacking tools among other several leaks) to identify vulnerable systems to exploit;

1. ARCHITOUCH
2. SMBTOUCH
3. DOUBLEPULSAR
4. ETERNALBLUE
5. ETERNALCHAMPION
6. ETERNALROMANCE
7. ETERNALSYNERGY

The ARCHITOUCH and SMBTOUCH are SMB reconnaissance tool that scans for open SMB port, while ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE and ETERNALSYNERGY are SMB exploit tools designed to exploit vulnerable computers, and DOUBLEPULSAR is what is used to spread the worm from the affected computer to other vulnerable computers across the same network.

In its current form, EternalRocks is dormant and does not lock, encrypt or corrupt data at the moment. But that is not particularly reassuring because it has the potential to spread faster and infect more systems leaving them vulnerable to remote commands that could ‘weaponize’ them for attacks.

Here’s How EternalRocks Attack Works:

EternalRocks uses a two-stage process for its installation on the vulnerable system:

First stage, it downloads the Tor web browser on the affected computer and then use it to connect to its command-and-control server located on the Tor network on the Dark Web. The first stage malware UpdateInstaller.exe (got through remote exploitation with second stage malware) downloads necessary.NET components (for later stages), TaskScheduler and SharpZLib from the Internet, while dropping svchost.exe and taskhost.exe.

The second stage comes with a delay of 24 hours in an attempt to avoid sandboxing techniques, making the worm infection undetectable. After 24 hours, EternalRocks responds to the command-and-control server with an archive containing the seven Windows SMB exploits.

It uses the component svchost.exe for downloading, unpacking and running Tor from archive.torproject.org along with command-and-control server (ubgdgno5eswkhmpy.onion) communication requesting further instructions (e.g. installation of new components). All the seven SMB exploits are then downloaded to the infected computer. It then scans the internet for open SMB ports to spread itself to other vulnerable systems as well.

Defensive measures

This is far much more a dangerous string of malware. It may not be so much out there in the news until things later start to go down the drain but the outbreak is there in the cyberspace and the best advice remains the same as it did when the outbreak began:

To guard against malware exploiting Microsoft vulnerabilities:

• Stay on top of all patch releases and apply them regularly.
• If at all possible, replace older Windows systems with the latest versions.
• Be extremely suspicious of all emails particularly those containing attachments or web links which you might be asked to open.If you are not sure of the source of an email, DO NOT OPEN links or any attachments in it. Simply delete such emails.
• Regularly backup critical files offline.