New SMB Worm Uses Seven NSA Hacking Tools. WannaCry Used Just Two (bleepingcomputer.com)
An anonymous reader writes: Researchers have detected a new worm that is spreading via SMB, but unlike the worm component of the WannaCry ransomware, this one is using seven NSA tools instead of two. Named EternalRocks, the worm seems to be in a phase where it is infecting victims and building its botnet, but not delivering any malware payload.
EternalRocks is far more complex than WannaCry's SMB worm. For starters, it uses a delayed installation process that waits 24 hours before completing the install, as a way to evade sandbox environments. Further, the worm also uses the exact same filenames as WannaCry in an attempt to fool researchers about its true origin, a reason why the worm has evaded researchers almost all week, despite the attention WannaCry payloads have received.
Last but not least, the worm does not have a killswitch domain, which means the worm can't be stopped unless its author so desires. Because of the way it was designed, it is trivial for the worm's owner to deliver any type of malware to any of the infected computers. Unfortunately, because of the way its author used the DOUBLEPULSAR implant, one of the seven NSA hacking tools, other attackers can hijack its botnet and deliver their own malware as well. IOCs are available in a GitHub repo.
Ars Technica quotes security researchers who say "there are at least three different groups that have been leveraging the NSA exploit to infect enterprise networks since late April... These attacks demonstrate that many endpoints may still be compromised despite having installed the latest security patch."
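The summary above describes a worm that spreads over SMB using the same exploit family that MS17-010 patches, and the Ars Technica quote notes that patched hosts can still carry the DOUBLEPULSAR implant. The following PowerShell audit is an added example, not code from the article or from the researchers it cites. It assumes Windows 8 / Server 2012 or later (where `Get-SmbServerConfiguration` and `Get-NetTCPConnection` exist) and an elevated session; the `$Ms17010Kbs` list is a placeholder you must fill from the MS17-010 bulletin for the OS build being audited, since the article does not list KB numbers.

```powershell
# Added example (not from the article): audit a Windows host for the SMBv1
# attack surface that MS17-010 closes, report whether TCP 445 is listening,
# and optionally turn SMBv1 off. Requires an elevated PowerShell session on
# Windows 8 / Server 2012 or later.
param(
    [switch]$Remediate,
    # Placeholder: replace with the MS17-010 KB ids for this OS build.
    [string[]]$Ms17010Kbs = @('KB<placeholder>')
)

# 1. Is the SMBv1 server protocol still enabled?
$smb = Get-SmbServerConfiguration
Write-Host "SMBv1 server enabled : $($smb.EnableSMB1Protocol)"

# 2. Is any of the MS17-010 updates installed?
$hotfixes = Get-HotFix | Select-Object -ExpandProperty HotFixID
$patched  = $Ms17010Kbs | Where-Object { $hotfixes -contains $_ }
if ($patched) {
    Write-Host "MS17-010 KBs present : $($patched -join ', ')"
} else {
    Write-Host "MS17-010 KBs present : none of the listed ids found"
}

# 3. Is the host reachable on the port an SMB worm propagates over?
$listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
Write-Host "Listening on TCP 445 : $([bool]$listening)"

# 4. Optional remediation: disable SMBv1 on the server side.
if ($smb.EnableSMB1Protocol -and $Remediate) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Host "SMBv1 disabled; a reboot may be required for clients to notice."
}
```

Run it once without `-Remediate` to see the three findings, then with `-Remediate` on hosts where nothing still depends on SMBv1. Note what this script does and does not establish: a present KB means the vulnerability is closed, but, as the quoted researchers point out, it says nothing about whether an implant was installed before the patch, so a host that was exposed on port 445 while unpatched still needs an implant check and not just a patch check.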
Be sure to spin rhetoric about "NSA" and "CIA" freakouts harder than the actual technical details, as usual!
Make commercial software companies legally liable.
Sure, it's just a coincidence that Microsoft released MS17-010 - a patch for multiple NSA-discovered vulnerabilities - several weeks before they were disclosed by Shadow Brokers.
Wakey wakey sleepyhead....
When the NSA realized that the code had been stolen & likely to be released, they communicated the SMB bug to Microsoft who then released patches for their "maintained" OSes two months ago. It is because of this that they were able to release patches for their out of maintenance OSes as soon as WannaCry started spreading.
Did you just imply that if the NSA said "here's a patch, please apply it globally" that you would apply it blindly?!? I'm not one of the people calling for the NSA to be the world's beta testing organization by buying up all the bugs on the internet & then handing them off to makers so that they patch their code, but even I wouldn't apply a NSA patch blindly like that.
The NSA is not Trump with hourly Twitter updates direct from them to the world. They'll always communicate through proxies.
Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well-armed sheep contesting the issue.
I hate to interrupt a good blame fest, but every Windows computer comes with a program that downloads updates (fixes) from Microsoft and approximately zero Windows computers come with a program that downloads updates from the NSA. So how would the NSA distribute fixes, if they wanted to?
Microsoft already released fixes, so what makes you think the NSA didn't provide the information needed to the people who are in a position to distribute fixes?
They are an enemy of the United States. Arrest them and take their computers.
Corporatism != Free Market