Following the global damage caused by the WannaCry ransomware, a new worm, EternalRocks, has appeared and is being described as potentially more dangerous than its predecessor.
Like WannaCry, which spread by exploiting a Windows SMB vulnerability, EternalRocks propagates over SMB. Being a worm, it can infect an exposed computer without any action by the user.
According to researchers, EternalRocks uses seven leaked National Security Agency tools, whereas WannaCry used only two. It came to light last Wednesday when it infected an SMB honeypot run by Miroslav Stampar, a security researcher with Croatia's CERT.
Stampar nicknamed it "DoomsDayWorm" and considers it stronger than WannaCry. Unlike WannaCry, it has no kill switch.
The seven NSA tools, leaked by the Shadow Brokers group and used by the worm, are:
EternalBlue — SMBv1 exploit tool
EternalRomance — SMBv1 exploit tool
EternalChampion — SMBv2 exploit tool
EternalSynergy — SMBv3 exploit tool
SMBTouch — SMB reconnaissance tool
ArchiTouch — SMB reconnaissance tool
DoublePulsar — Backdoor Trojan
Of these seven, WannaCry used only two: EternalBlue and DoublePulsar.
EternalBlue, EternalRomance, EternalChampion and EternalSynergy are SMB exploits used to compromise vulnerable Windows computers.
SMBTouch and ArchiTouch are reconnaissance tools: once the worm has found a host with an exposed SMB port, they probe its SMB service to determine which of the exploits above it is vulnerable to.
DoublePulsar is a kernel-mode backdoor implanted by the exploits; the worm uses it to load itself onto each newly compromised machine and continue spreading across the network.
No component that locks or encrypts files has been found in EternalRocks. Instead it leaves infected computers open to remote commands, which could later be used to push a payload or drive further infection. Unlike WannaCry, EternalRocks installs silently and stays hidden.
It installs in two stages.
In the first stage, EternalRocks downloads the Tor client (not the Tor Browser) and uses it to contact its command-and-control (C&C) server, which is a hidden service on the Tor network.
The second stage begins only after a delay of 24 hours, when the C&C server responds. The delay is primarily meant to defeat sandbox analysis, which rarely waits that long; once the server responds, the worm downloads the seven NSA tools listed above.
It then spreads by scanning the Internet for hosts with an open SMB port (TCP 445).
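As an added example (not code from the article or from Stampar's analysis), here is a small detection that covers both the reconnaissance stage and the spreading stage described above: it reads firewall connection logs and flags internal hosts that reach many distinct port-445 destinations inside a short window, counting separately how many of those targets are on the public Internet. The log format, the internal address ranges and the thresholds are assumptions, and the log lines are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Flag hosts that scan for SMB the way a worm does.

Added example for this article; it is not code from the original page or
from Miroslav Stampar's analysis. The log format, the internal address
ranges and the thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed organisation-internal ranges (RFC 1918). Anything else counts as
# "public" for this check, which is what an Internet-scanning worm targets.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_public(addr):
    """True if addr is outside the assumed internal ranges."""
    return not any(addr in net for net in INTERNAL_NETS)


def build_sample_log():
    """Constructed firewall log, not captured traffic.
    Assumed format per line: <ISO timestamp> <src> <dst> <dport> <action>."""
    base = datetime(2017, 5, 18, 9, 0, 0)
    lines = [
        # 10.0.0.5: ordinary file-share use, two servers over half an hour.
        "2017-05-18T09:00:00 10.0.0.5 10.0.0.9 445 allow",
        "2017-05-18T09:30:00 10.0.0.5 10.0.0.12 445 allow",
        # 10.0.0.7: one legitimate share, then a burst of public targets.
        "2017-05-18T09:00:03 10.0.0.7 10.0.0.9 445 allow",
    ]
    for i in range(30):  # 30 distinct public hosts on 445 within 30 seconds
        ts = (base + timedelta(minutes=1, seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.7 203.0.113.{i + 1} 445 deny")
    for i in range(30):  # 10.0.0.8: same total, but one target every 10 min
        ts = (base + timedelta(minutes=10 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.8 198.51.100.{i + 1} 445 deny")
    return "\n".join(lines)


def parse(log_text):
    """Parse the assumed log format into (timestamp, src, dst, dport, action)."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = line.split()
        events.append((datetime.fromisoformat(ts), src,
                       ipaddress.ip_address(dst), int(dport), action))
    return events


def smb_fanout(events, window=timedelta(minutes=5), min_targets=20):
    """Return {src: (distinct_targets, public_targets)} for every source that
    reached at least `min_targets` distinct port-445 destinations inside some
    `window`-long interval. Denied connections count too: a blocked attempt
    is still evidence of scanning."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, _action in events:
        if dport == 445:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, hits in by_src.items():
        hits.sort(key=lambda h: h[0])
        best = (0, 0)
        left = 0
        for right in range(len(hits)):  # sliding window over time-ordered hits
            while hits[right][0] - hits[left][0] > window:
                left += 1
            targets = {dst for _, dst in hits[left:right + 1]}
            public = sum(1 for dst in targets if is_public(dst))
            best = max(best, (len(targets), public))
        if best[0] >= min_targets:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, (total, public) in smb_fanout(parse(build_sample_log())).items():
        print(f"{src}: {total} distinct SMB targets in 5 min, {public} public")
```

On the constructed log only 10.0.0.7 is reported: 31 distinct SMB targets within five minutes, 30 of them public. The slow host 10.0.0.8 touches the same number of addresses but never more than one per window, which is why the threshold is applied per window rather than per day. Denied connections are kept on purpose, because a perimeter block on port 445 stops the spread but not the signal. Tune the window and threshold to the network (vulnerability scanners and management hosts will trip the rule) and pair it with host-side checks for the worm's first stage, such as an unexpected Tor client appearing on a workstation.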
Because of its stealth, its dormancy period and its lack of a kill switch, EternalRocks poses a serious threat to computers with unpatched SMB services exposed to the Internet. Its purpose is still unclear, so it is hard to say what it will eventually be weaponized with: ransomware, a banking Trojan, or something else entirely.
Infected computers are controlled by commands from the C&C server and can be used to distribute new malware.
It is unclear how many computers have been infected so far; as long as the worm keeps scanning, that number will continue to grow.
Companies and individuals should apply the MS17-010 update, which fixes the SMB flaws used by all four exploits, disable SMBv1 where it is not needed, block TCP port 445 at the network perimeter, and keep their anti-malware software up to date.