Slashdot Mirror

← Back to Stories (view on slashdot.org)

New SMB Worm Uses Seven NSA Hacking Tools. WannaCry Used Just Two (bleepingcomputer.com)

Posted by EditorDavid on from the spreading-spyware dept.

An anonymous reader writes: Researchers have detected a new worm that is spreading via SMB, but unlike the worm component of the WannaCry ransomware, this one is using seven NSA tools instead of two. Named EternalRocks, the worm seems to be in a phase where it is infecting victims and building its botnet, but not delivering any malware payload.

EternalRocks is far more complex than WannaCry's SMB worm. For starters, it uses a delayed installation process that waits 24 hours before completing the install, as a way to evade sandbox environments. Further, the worm also uses the exact same filenames as WannaCry in an attempt to fool researchers of its true origin, a reason why the worm has evaded researchers almost all week, despite the attention WannaCry payloads have received.

Last but not least, the worm does not have a killswitch domain, which means the worm can't be stopped unless its author desires so. Because of the way it was designed, it is trivial for the worm's owner to deliver any type of malware to any of the infected computers. Unfortunately, because of the way he used the DOUBLEPULSAR implant, one of the seven NSA hacking tools, other attackers can hijack its botnet and deliver their own malware as well. IOCs are available in a GitHub repo.
Ars Technica quotes security researchers who say "there are at least three different groups that have been leveraging the NSA exploit to infect enterprise networks since late April... These attacks demonstrate that many endpoints may still be compromised despite having installed the latest security patch."

61 of 115 comments (clear)

  1. This is windows calling... by Anonymous Coward · · Score: 5, Funny

    Your computer have virus.

    1. Re: This is windows calling... by thundercattt · · Score: 5, Funny

      Sure Windows, you sound legit with your Indian accent. Access as needed. O.....sorry I'm not paying. Btw, you're also locked in a virtualized Windows platform on Debian. Thanks for playing

    2. Re: This is windows calling... by Sir+Holo · · Score: 1

      Sure Windows, you sound legit with your Indian accent. Access as needed. O.....sorry I'm not paying. Btw, you're also locked in a virtualized Windows platform on Debian. Thanks for playing

      Windows is sand-boxed inside of a VM instance for me.

    3. Re:This is windows calling... by DontBeAMoran · · Score: 1

      You've got worm! - AOL

      --
      #DeleteFacebook
    4. Re: This is windows calling... by KiloByte · · Score: 1

      Windows has degraded so badly I don't think anyone competent should run it outside a VM for any purpose other than badly-made games anymore.

      On the other hand, I don't watch TV at all, nor do I play AAA games, so I'm rather ill informed about today's DRM. As for games, everything I've tried recently works fine in wine with issues restricted to details like:

      • * gamepad not detected (around half of gamepad-using games, workaround: can emulate keyboard)
      • * insists on the wrong monitor if fullscreen (actually less frequent than on real Windows)
      • * sound gets choppy after a few hours, need to restart the game to fix (one game)

      As the above issues are way less drastic than what people say about wine, I guess that problems people have are not wine's fault but rather the result of semi-intentional sabotage by DRM that AAA junk tends to be infested with.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    5. Re:This is windows calling... by Barlo_Mung_42 · · Score: 2

      So does this one support Win10? Virus writers seem stuck in the past.

    6. Re: This is windows calling... by Doke · · Score: 1

      I've used Linux desktops and laptops for work for the last 17 years. Most of my co-workers use either Linux or MacOS. I think we have five windows users in the department. One or two others have secondary windows desktops. We mostly work with Solaris and Linux servers, or Junos routers and switches. So having a similar environment on our desktop is very useful. Windows is used in conventional non-tech business, ie banking, insurance, etc. So it's common in the 1st level tech support for those kinds of companies. It's far less prevalent in third level tech support, server support, or companies whose product is technology.

    7. Re: This is windows calling... by Doke · · Score: 1

      I also believe windows is too unreliable to run on bare metal, and should be run in a VM. If nothing else, it lets you roll back to a snapshot before a bad patch. However, Microsoft deliberately makes that difficult. It turns out every time we VMotion a Windows VM, the cpu id changes, and invalidates the OS registration. Then after a month or so, it stops working. We have to re-register it after each move. That pretty much prevents us from using VMware's dynamic balancing. We've never found a way around that limitation.

    8. Re: This is windows calling... by Brockmire · · Score: 1

      Isn't paying for another license the solution? Or different windows enterprise version?

    9. Re:This is windows calling... by Anonymous Coward · · Score: 1

      You're right. Windows 10 isn't a virus, it's malware.

    10. Re: This is windows calling... by KiloByte · · Score: 2

      Are these posters active in the workforce? Every relevant office in the world uses windows.

      My last job where I interacted with any office workers (sales, accountants) ended 5 years ago. It looks like such software has mostly moved inside the browser, too, which trades local deployment problems (a nightmare!) for browser incompatibility issues (MSIE being mostly dead, this seems to be a solved issue). I'm not a web developer, either.

      And in rare cases when I have to test something on Windows, it's the very reason I keep a Windows VM! And more importantly, not just one but a whole array of them. Assuming your company has only 10, 7 and XP, you'd need three physical computers for that task (Windows is notoriously bad for having multiple versions on partitions on the same computer). I, on the other hand, just turn on the relevant VM -- often multiple ones at the same time. And when Windows inevitably fucks itself up, I revert to earlier state with a single command.

      Even in that job in the past where I wrote Windows software, I did it in VMs on a Linux host, for the above reasons.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    11. Re: This is windows calling... by AmiMoJo · · Score: 1

      There was a video on YouTube last year of a guy who managed to convince the scammer that the scammer's own PC was broken and then walking him through how to go into the BIOS and fix it. Of course, the change he made to the BIOS actually made the machine unbootable and possibly unrecoverable.

      Most of the scammers are just working from a script. They don't know anything and are easy to mess with. Must be weird doing that for a living though.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    12. Re: This is windows calling... by Zontar+The+Mindless · · Score: 1

      I haven't used Windows for work or personal reasons in about 12 years. The only exception being about a half-dozen times that I've run it in a VM to see if the Windows version of our product still compiled and ran according to the instructions.

      I am very actively employed at a global top 10 software vendor. Do you think I need to get out more?

      --
      Il n'y a pas de Planet B.
    13. Re:This is windows calling... by Hank+the+Lion · · Score: 1

      Ooh! That's an old one! Haven't seen it in the wild, but I can remember when it was doing the rounds.

    14. Re: This is windows calling... by Highdude702 · · Score: 1

      Sounds like youre at the place to work man! Lucky you. The lot of these poor saps get forced to use shitware.

    15. Re: This is windows calling... by Highdude702 · · Score: 1

      so how many times should they pay for that one install?

    16. Re: This is windows calling... by BronsCon · · Score: 1

      What do the executives use? You know... the relevant office, as far as business is concerned.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    17. Re: This is windows calling... by BoogieChile · · Score: 1

      > Btw, you're also locked in a virtualized Windows platform on Debian.

      You've almost got it right. you just need to add something along the lines of;

      And, just because I consider you one of my really special friends, I've got this really cool little tool tcpdump running on it and hey! Is that your IP address? Huh. I wonder what other those kooky nuts over at /b/ will make of that? ...Oh, he hung up.

    18. Re: This is windows calling... by KiloByte · · Score: 1

      Yeah - windows has no way to run vms, you'd have to use physical partitions for some reason.

      Windows as a host can run VMs, but it really sucks when it comes to managing them. Even the basics you take for granted on Unix, like dd, scp, rsync, are missing, and don't work well if you try anyway. On the other hand, even without any external tools, with nothing but basic qemu+btrfs, on Linux you get thin provisioning, discard, snapshots, deduplication, O(changes) backup, and so on, out of the box.

      Writing software IN a vm for Windows seems bizarrely painful.

      It's strictly less painful than writing outside a VM.

      I get that windows has problems but keeping a clean windows system for visual studio (when I'm doing that) is simply not a problem.

      Try when an external component you're using has two versions that can't be installed in parallel, and you need the old one for some projects, and the new one for others (including preparing upgrades). On an Unix system you'd either fix the component yourself and upstream your changes, or at least install the other version in a chroot. On Windows, there's no reasonable way to do so without VMs.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    19. Re: This is windows calling... by BronsCon · · Score: 1

      You've worked for a lot of companies, haven't you? I mean short stints with security escorts out of the building shortly after your logins stop working.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  2. The Internet's full of SMB worms by rsilvergun · · Score: 1

    Just look at Google. Terrifying, just terrifying.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  3. ooh, i am so outraged by Anonymous Coward · · Score: 1, Insightful

    Be sure to spin rhetoric about "NSA" and "CIA" freakouts harder than the actual technical details, as usual!

    1. Re:ooh, i am so outraged by Anonymous Coward · · Score: 2, Insightful

      Why shouldn't we? The technical details are not of interest to a general audience, and are already available to those who do have a vested interest.

      The bottom line, however, is that the NSA knowingly endangered the entire country by failing to disclose vulnerabilities in our digital infrastructure. The "its not their job" argument is bullshit. They acted unethically (to but it way to mildly), and the people who pay their salaries are now being hacked because of it.

      Not cool.

    2. Re:ooh, i am so outraged by ArmoredDragon · · Score: 1

      Why shouldn't we? The technical details are not of interest to a general audience, and are already available to those who do have a vested interest.

      This is slashdot, whose motto is "news for nerds". Granted, this isn't 2600, but I think getting more to the technical side is at least somewhat warranted.

      I honestly despise slashdot's articles that remain the political realm without getting down to some kind of science or engineering (unless it's some sort of life altering event like 9/11 or something.)

  4. Re:NSA is busy by Anonymous Coward · · Score: 1, Informative

    NSA don't need to craft anything. They just have to read the memo from Microsoft to catch up on where the backdoor was moved to.

  5. The Viri by rmdingler · · Score: 1
    Though it's unlikely there are more malicious exploits out there than there has ever been, they've been getting more mainstream press.

    Why? Is there not enough information to fill the 24 hour news cycle with Trump in the US, Erdogan in Turkey, the Brexit in Europe, ad infinitum...

    Or, and I don't have the tinfoil hat on but it's out of the drawer, will these be used to somehow shunt internet freedoms as the powers that be protect us from another Boogeyman.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

    1. Re:The Viri by XparXnoiaX · · Score: 1

      After heartbleed, security researchers realized you could give a vuln a catchy name and a cute logo and it would get a lot more attention.

      Since being a security company is more a matter of marketing than skill (in a great many cases: look at the most popular anti-viruses), once the white hats realized that, they did it more.

      --
      Irresponsible disclosure is responsible
  6. No qord from the NSA? by Sir+Holo · · Score: 3, Interesting

    Why has the NSA, who know exactly what weaponized exploits were broadcast to the world. . . Why has the NSA not offered-up any antidotes to their now-public weaponization of a bunch of sploits?

    They could swoop in and try to look like the hero here, but there's been no sign of that. Not a peep from the NSA.

    Are they just making popcorn and watching the fallout because they think they are computer GODS, enjoying watching the plebes fight all of these forthcoming worms and trojans just to get themselves off before going back to work reducing the security of the USA by continuing to develop more of the same?

    1. Re:No qord from the NSA? by bengoerz · · Score: 5, Insightful

      Sure, it's just a coincidence that Microsoft released MS17-010 - a patch for multiple NSA-discovered vulnerabilities - several weeks before they were disclosed by Shadow Brokers.

    2. Re:No qord from the NSA? by MSG · · Score: 4, Insightful

      I hate to interrupt a good blame fest, but every Windows computer comes with a program that downloads updates (fixes) from Microsoft and approximately zero Windows computers come with a program that downloads updates from the NSA. So how would the NSA distribute fixes, if they wanted to?

      Microsoft already released fixes, so what makes you think the NSA didn't provide the information needed to the people who are in a position to distribute fixes?

    3. Re:No qord from the NSA? by Anonymous Coward · · Score: 1

      I hate to interrupt a good blame fest, but every Windows computer comes with a program that downloads updates (fixes) from Microsoft and approximately zero Windows computers come with a program that downloads updates from the NSA.

      What if I told you... That one program does both ?

    4. Re:No qord from the NSA? by AmiMoJo · · Score: 2

      They released patches for EternalBlue and related exploits AFTER the ShadowBrokers released them.

      Microsoft didn't release patches for older versions of Windows until the day after the attack on the NHS.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:No qord from the NSA? by amiga3D · · Score: 2

      What really bugs me is that shit continuously leaks out of the NSA. Just pours the fuck out. What do we pay them for? I mean really what use is a spy organization that gets the fuck hacked out of it all the damn time? Billions of dollars and the secrets we pay through the nose to acquire are out for every asshole in the world to use. And not a single damn incompetent cocksucker gets fired! On 9/11 we get hit by fuckers that they knew were here, they had a report they were learning to fly but weren't interested in how to take off or land a Jumbo Jet, and no one lost their job despite one of the greatest Intel FAILS of all time. I think it's time to do something about Americas spy organizations that only seem to be fit to spy on Americans.

    6. Re:No qord from the NSA? by ChumpusRex2003 · · Score: 1

      The EternalBlue patch was released on 14 March for supported OSs and for customers with custom support for older OSs. Shadow Brokers released EternalBlue on 14 April.

      EternalBlue patches for older OSs were made generally available on 15 May, 3 days after Wannacry attacks were reported on a large scale. This is despite the fact that the exploit Wannacry used for the EternalBlue vulnerability failed to work on XP due to differences in the OS.

    7. Re:No qord from the NSA? by bengoerz · · Score: 1

      Correct.

      Microsoft patching older OSes that are no longer supported was a free gift. Any business running XP or Server 2003 without a custom support contract is taking a big risk gamble.

      I realize Slashdot loves to hate MS - and their war on Linux was good motivation - but MS really acted responsively on WannaCry.

  7. Re:Unix-based by mspohr · · Score: 1

    No.

    --
    I don't read your sig. Why are you reading mine?
  8. liability by Anonymous Coward · · Score: 1, Insightful

    Make commercial software companies legally liable.

    1. Re:liability by mentil · · Score: 1

      Just add verbiage to the clickwrap saying "we're not legally liable. also, binding arbitration." Oh wait the clickwrap already says that. You mean a new law that mandates liability? Simple, contracts say "you agree to keep this machine airgapped" in a 'crumple-zone' clause that everyone expects to be violated yet is designed to not affect the rest of the contract when it is. Ok MS agreed to provide a secure product... but only those who violated the contract were infected and could be party to a class-action suit, opening the door for them to be countersued. Make it VERY public and clear that anyone who sues them for infection liability WILL be countersued for every penny by a larger team of higher-paid lawyers.

      --
      Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
  9. Glad I killed off SMB v.1 by Anonymous Coward · · Score: 5, Informative

    If you haven't looked into it yet and you're running Windows 7 and above, disable SMB v.1 on Windows as server or client. There's not much reason to maintain it unless you have older hardware/software that relies on it (XP, Windows Server 2003). v.1 is slower and completely replaced by SMB v.2 and v.3.

    1. Re:Glad I killed off SMB v.1 by jbmartin6 · · Score: 1

      This is a good idea anyway, since there are several exploits in SMBv1 which were patched in the May 2017 release. i.e. after MS17-010 was released. So SMBv1 is getting a lot of extra attention, and there is still more ground for hi jinx there. I believe it is disabled by default in server 2012 R2

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  10. Re:No word from the NSA? by phayes · · Score: 5, Insightful

    Wakey wakey sleepyhead....

    When the NSA realized that the code had been stolen & likely to be released, they communicated the SMB bug to Microsoft who then released patches for their "maintained" OS's two months ago. It is because of this that they were able to release patches for their out of maintenance OSes as soon as Wannacry started spreading.

    Did you just imply that if the NSA said "here's a patch, please apply it globally" that you would apply it blindly?!? I'm not one of the people calling for the NSA to be the world's beta testing organization by buying up all the bugs on the internet & then handing them off to makers so that they patch their code, but even I wouldn't apply a NSA patch blindly like that.

    The NSA is not Trump with hourly Twitter updates direct from them to the world. They'll always communicate through proxies.

    --
    Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
  11. Re:All car has always a backdoor, the 3rd or 5th d by bengoerz · · Score: 1

    Or everybody could just quit panicking and patch their systems.

  12. Useful Info by jasnw · · Score: 1

    Every time another "ogodtheskyisfalling" article comes out covering a new/improved malware based on the leaked NSA toolbox I'm looking for a quick summary early in the article that says "this beastie will be a problem for Windows, probably Win7 and earlier; will not be a problem for Linux; probably won't be a problem for OS X." Or even a simple 0-10 ranking of "no problemo" to "burn your computer NOW!" for each of the three major platforms placed somewhere prominent in the article would be nice. For my less-techie friends/relatives who get all hyped up with every new WormKillerTorpedoBot_Comrade exploit, it could give them an idea if they should be worried and figure out what to do, or not. For me, I can avoid reading pages and pages of turgid tech-prose about something that, not running anything on Windows, I don't need to care about. So how about it Tech Pundits of America, how about a little help here?

  13. They are waiting by future+assassin · · Score: 1

    for the system to be infected then take them over from the virus writers discretely

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
  14. Dear NSA, by fahrbot-bot · · Score: 1

    What goes around is apparently coming around - thanks a lot for that.
    Seems that whole "(our) security through (your) obscurity" thing has a few wrinkles in it.

    Sincerely,
    The people you're supposed to be protecting.

    --
    It must have been something you assimilated. . . .
  15. I've configured my firewall by Snotnose · · Score: 1

    TCP port 137, 139, and 445 are blocked, UDP ports 137 and 138 are blocked. So am I safe?

    I've got a printer and NAS on my network, I know the printer uses SMB but not sure of the NAS.

    1. Re:I've configured my firewall by phantomfive · · Score: 1

      Block every port.

      --
      "First they came for the slanderers and i said nothing."
  16. Re:All car has always a backdoor, the 3rd or 5th d by TheFakeTimCook · · Score: 1

    Or everybody could just quit panicking and patch their systems.

    I tried.

    I downloaded MS17-010 for 64 bit Win 7 (which I run in my work laptop), and after churning for a few mins, it said that the Update Wasn't Installed.

    So I simply disabled SMB1 and am hoping for the best.

    If anyone has any ideas, I'd love to hear them!

  17. Sonos requires SMB1 for locally-stored content by Constantin · · Score: 3, Interesting

    Ned Pyle and others have eloquently described why everyone should drop SMB1 support, yet NAS suppliers and Sonos continue to ship products that use SMB1.

    Despite being deprecated by MSFT for years, SMB1 is alive and well with Sonos. There is no SMB2+ support, there is no timeline nor any commitment to add SMB2+ support. Please note: this issue only affects those that use Sonos with a local file server such as a NAS, your PC, etc. to store the music library and then make it accessible via the LAN.

    I don't understand how a company that prides itself on making premium audio products doesn't put security ahead of other software development priorities. One juicy scandal can cause way more damage than the modest cost of implementing readily-available SMB2-3.11 server/client software packages.

    SMB1 support on the Sonos, if allowed at all, should be on a opt-in basis, with adequate warnings to consumers re: potential pitfalls. Modern incarnations of SMB servers have NTLM v1 and SMB1 support turned off by default for a reason.

    1. Re:Sonos requires SMB1 for locally-stored content by bill_mcgonigle · · Score: 1

      "We can't upgrade the servers because we have some crappy old photocopiers."

      You know who says things like that? People who get WanaCry outbreaks in their systems.

      You can't have your cake and eat it too.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  18. Re: Unix-based by Brockmire · · Score: 1

    Years ago, hackers leveraged Google alerts to find JBOSS servers on the Internet so they could be hacked. Hard to detect these things.

  19. One of these days by mark_reh · · Score: 1

    some talented hacker will turn their attention to wiping out all records of student loans and consumer debt. Heck, maybe even mortgages.

    We can only hope...

    1. Re:One of these days by Mal-2 · · Score: 1

      A 21st century Fight Club?

      --
      How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
  20. Re:Unix-based by AHuxley · · Score: 1

    Depends what the staging server was used for and what was found in the wild. Everything or just Windows?

    --
    Domestic spying is now "Benign Information Gathering"
  21. Re:Unix-based by Anonymous Coward · · Score: 1

    If you only followed the news in the past month, you'd notice that Windows vulnerabilities and attack tools were only dumped just after Linux/Solaris/MacOS/Android exploit tools were released by the same group, ShadowBrokers.

  22. Depends on the sector by DrYak · · Score: 1

    Are these posters active in the workforce? Every relevant office in the world uses windows.
    {...} But out here in the functional world, windows is everywhere.

    Depends of the field you work.
    Academic research ?
    Specially in fields like computational biology ?
    It's going to be exclusively UNIX.
    With Mac OS X being a bit more popular on the laptops and workstations of the researchers,
    and Linux having monopoly on the servers and compute nodes.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  23. F the NSA by WCMI92 · · Score: 1, Insightful

    They are an enemy of the United States. Arrest them and take their computers.

    --
    Corporatism != Free Market
  24. Re:Protect yourself vs. SMB1 attacks easily by Constantin · · Score: 1

    That's great advice but see my note below, if you want to run a Sonos from a file server as intended, you have to have SMB1 (NT1) enabled on that file server, which means also enabling NTLM v1 authentication.

    Yes, there is a complicated workaround by using Plex or subsonic as a means of feeding the Sonos data without the need for SMB1 insecurity, but implementing this system is not the faint of heart. Plus, with every new service enabled on the server, you add more potential exploits.

    All I want is to be able to enable SMB 3+ on my home file server or shut it off altogether. Presently, the best solution may be to use a burner file server just for the Sonos with one-way updates. Nuts!

  25. Stop choosing non-freedom. by jbn-o · · Score: 1

    Despite being deprecated by MSFT for years, SMB1 is alive and well with Sonos. There is no SMB2+ support, there is no timeline nor any commitment to add SMB2+ support.

    I'm not familiar with this product or Sonos but this sounds proprietary.

    I don't understand how a company that prides itself on making premium audio products doesn't put security ahead of other software development priorities. One juicy scandal can cause way more damage than the modest cost of implementing readily-available SMB2-3.11 server/client software packages.

    Not reimplementing any part of the product is more profitable and most computer users are non-technical so they don't understand what SMB is let alone which revision is known to be insecure. Users should be advised to liberate themselves from Sonos' control over the user's computers; seek other ways to play the audio, ways that respect a user's freedom to run, modify, and share (including commercially). Perhaps reconsider Sonos if they distribute products that respect a user's software freedom. After all, if the security issues you describe are important enough that should be sufficient justification to seek the freedoms you deserve with or without Sonos' help.

    --
    Digital Citizen
  26. Re:All car has always a backdoor, the 3rd or 5th d by bengoerz · · Score: 1

    Disabling SMB1 is not enough to stop the EternalRocks worm, which includes the EternalChampion (SMB2) and EternalSynergy (SMB3) exploits.

  27. Re:All car has always a backdoor, the 3rd or 5th d by TheFakeTimCook · · Score: 1

    Disabling SMB1 is not enough to stop the EternalRocks worm, which includes the EternalChampion (SMB2) and EternalSynergy (SMB3) exploits.

    Have I mentioned that I hate Windows?