New SMB Worm Uses Seven NSA Hacking Tools. WannaCry Used Just Two (bleepingcomputer.com)
An anonymous reader writes: Researchers have detected a new worm that is spreading via SMB, but unlike the worm component of the WannaCry ransomware, this one is using seven NSA tools instead of two. Named EternalRocks, the worm seems to be in a phase where it is infecting victims and building its botnet, but not delivering any malware payload.
EternalRocks is far more complex than WannaCry's SMB worm. For starters, it uses a delayed installation process that waits 24 hours before completing the install, as a way to evade sandbox environments. Further, the worm also uses the exact same filenames as WannaCry in an attempt to fool researchers about its true origin, a reason why the worm has evaded researchers almost all week, despite the attention WannaCry payloads have received.
Last but not least, the worm does not have a killswitch domain, which means the worm can't be stopped unless its author wants it to be. Because of the way it was designed, it is trivial for the worm's owner to deliver any type of malware to any of the infected computers. Unfortunately, because of the way he used the DOUBLEPULSAR implant, one of the seven NSA hacking tools, other attackers can hijack its botnet and deliver their own malware as well. IOCs are available in a GitHub repo.
Ars Technica quotes security researchers who say "there are at least three different groups that have been leveraging the NSA exploit to infect enterprise networks since late April... These attacks demonstrate that many endpoints may still be compromised despite having installed the latest security patch."
Why has the NSA, who knows exactly what weaponized exploits were broadcast to the world... Why has the NSA not offered up any antidotes to their now-public weaponization of a bunch of sploits?
They could swoop in and try to look like the hero here, but there's been no sign of that. Not a peep from the NSA.
Are they just making popcorn and watching the fallout because they think they are computer GODS, enjoying watching the plebes fight all of these forthcoming worms and trojans just to get themselves off before going back to work reducing the security of the USA by continuing to develop more of the same?
Ned Pyle and others have eloquently described why everyone should drop SMB1 support, yet NAS suppliers and Sonos continue to ship products that use SMB1.
Despite being deprecated by MSFT for years, SMB1 is alive and well with Sonos. There is no SMB2+ support, there is no timeline nor any commitment to add SMB2+ support. Please note: this issue only affects those that use Sonos with a local file server such as a NAS, your PC, etc. to store the music library and then make it accessible via the LAN.
I don't understand how a company that prides itself on making premium audio products doesn't put security ahead of other software development priorities. One juicy scandal can cause way more damage than the modest cost of implementing readily-available SMB2-3.11 server/client software packages.
SMB1 support on the Sonos, if allowed at all, should be on an opt-in basis, with adequate warnings to consumers re: potential pitfalls. Modern incarnations of SMB servers have NTLM v1 and SMB1 support turned off by default for a reason.
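Both the story (a worm spreading over SMB using leaked NSA tooling) and the comment thread about NAS boxes and Sonos that still speak SMB1 come down to the same audit question for a defender: which hosts on my network still accept an SMB1 negotiation? The following Python script is an added example, not code from the article, from the EternalRocks researchers, or from any product mentioned. It sends a NetBIOS-framed SMB1 NEGOTIATE that offers only SMB1 dialects and classifies the reply; a host that has SMB1 disabled will either close the connection, answer with no common dialect, or not answer in SMB1 at all. The script name `smb1_probe.py`, the sample reply byte strings and the default host/port are constructed for illustration.

```python
"""smb1_probe.py - check whether a server still negotiates SMB1 (constructed example)."""
import socket
import struct
import sys

# SMB1 dialects offered, oldest to newest. Only SMB1 dialects are sent so the
# server cannot sidestep the question by answering in SMB2.
SMB1_DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12"]

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72


def build_smb1_negotiate(dialects=SMB1_DIALECTS) -> bytes:
    """Build a NetBIOS session message carrying an SMB1 NEGOTIATE request."""
    header = struct.pack(
        "<4sBIBHH8sHHHHH",
        SMB1_MAGIC,          # protocol id
        SMB_COM_NEGOTIATE,   # command
        0,                   # NT status
        0x18,                # flags: canonical paths, case-insensitive
        0xC853,              # flags2: unicode, NT status codes, long names
        0,                   # PID high
        b"\x00" * 8,         # security signature (unused here)
        0,                   # reserved
        0xFFFF,              # TID: none yet
        0xFEFF,              # PID low
        0,                   # UID
        0,                   # MID
    )
    dialect_blob = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(dialect_blob)) + dialect_blob  # WordCount, ByteCount
    smb = header + body
    # NetBIOS session service: type 0x00 followed by a 3-byte big-endian length.
    return struct.pack(">I", len(smb)) + smb


def classify_negotiate_response(data: bytes, dialects=SMB1_DIALECTS) -> dict:
    """Interpret the server's reply to an SMB1-only NEGOTIATE."""
    if len(data) < 4:
        return {"smb1": False, "verdict": "no_response"}
    smb = data[4:]  # strip the NetBIOS session header
    if smb.startswith(SMB2_MAGIC):
        return {"smb1": False, "verdict": "smb2_response"}
    if not smb.startswith(SMB1_MAGIC) or len(smb) < 35:
        return {"smb1": False, "verdict": "not_smb"}
    command = smb[4]
    status = struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32]
    if command != SMB_COM_NEGOTIATE or status != 0 or word_count == 0:
        return {"smb1": False, "verdict": "negotiate_rejected", "status": status}
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    if dialect_index == 0xFFFF or dialect_index >= len(dialects):
        return {"smb1": False, "verdict": "no_common_dialect"}
    return {"smb1": True, "verdict": "smb1_accepted",
            "dialect": dialects[dialect_index].decode()}


def probe_smb1(host: str, port: int = 445, timeout: float = 3.0) -> dict:
    """Connect to host:port, send the SMB1-only NEGOTIATE and classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_smb1_negotiate())
            data = sock.recv(4096)
    except OSError as exc:  # refused, reset, or timed out: SMB1 not negotiated
        return {"smb1": False, "verdict": "unreachable_or_reset", "error": str(exc)}
    return classify_negotiate_response(data)


# Constructed reply of a server that accepts "NT LM 0.12" (index 2 above).
SAMPLE_SMB1_REPLY = (
    b"\x00\x00\x00\x45"                     # NetBIOS: 69 bytes follow
    + b"\xffSMB\x72" + b"\x00" * 4          # SMB1 NEGOTIATE response, status 0
    + b"\x98\x53\xc8" + b"\x00" * 2         # flags (reply bit), flags2, PID high
    + b"\x00" * 8 + b"\x00" * 2             # signature, reserved
    + b"\xff\xff\xff\xfe\x00\x00\x00\x00"   # TID, PID low, UID, MID
    + b"\x11"                               # WordCount = 17
    + b"\x02\x00"                           # DialectIndex = 2 -> "NT LM 0.12"
    + b"\x00" * 32                          # remaining 16 words (zeroed for the sample)
    + b"\x00\x00"                           # ByteCount = 0
)
# Constructed reply of a server that accepts none of the offered dialects.
SAMPLE_NO_DIALECT_REPLY = (b"\x00\x00\x00\x25" + SAMPLE_SMB1_REPLY[4:36]
                           + b"\x01\xff\xff\x00\x00")
# Constructed reply whose header is SMB2, i.e. the server did not speak SMB1.
SAMPLE_SMB2_REPLY = b"\x00\x00\x00\x40" + b"\xfeSMB" + b"\x00" * 60

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe_smb1(sys.argv[1]))
    else:
        for name, reply in [("smb1", SAMPLE_SMB1_REPLY),
                            ("none", SAMPLE_NO_DIALECT_REPLY),
                            ("smb2", SAMPLE_SMB2_REPLY)]:
            print(name, classify_negotiate_response(reply))
```

Run it as `python smb1_probe.py <host>` against a server you administer; a verdict of `smb1_accepted` names the dialect the host will still negotiate, which is the protocol level the worm in the story propagates over and the one the Sonos comment asks to make opt-in. Any other verdict means the host did not complete an SMB1 negotiation with this probe, which is what you want to see from NAS units, file servers and patched Windows hosts.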