Slashdot Mirror


New SMB Worm Uses Seven NSA Hacking Tools. WannaCry Used Just Two (bleepingcomputer.com)

An anonymous reader writes: Researchers have detected a new worm that is spreading via SMB, but unlike the worm component of the WannaCry ransomware, this one is using seven NSA tools instead of two. Named EternalRocks, the worm seems to be in a phase where it is infecting victims and building its botnet, but not delivering any malware payload.

EternalRocks is far more complex than WannaCry's SMB worm. For starters, it uses a delayed installation process that waits 24 hours before completing the install, as a way to evade sandbox environments. Further, the worm also uses the exact same filenames as WannaCry in an attempt to fool researchers of its true origin, a reason why the worm has evaded researchers almost all week, despite the attention WannaCry payloads have received.

Last but not least, the worm does not have a killswitch domain, which means the worm can't be stopped unless its author desires so. Because of the way it was designed, it is trivial for the worm's owner to deliver any type of malware to any of the infected computers. Unfortunately, because of the way he used the DOUBLEPULSAR implant, one of the seven NSA hacking tools, other attackers can hijack its botnet and deliver their own malware as well. IOCs are available in a GitHub repo.

Ars Technica quotes security researchers who say "there are at least three different groups that have been leveraging the NSA exploit to infect enterprise networks since late April... These attacks demonstrate that many endpoints may still be compromised despite having installed the latest security patch."

13 of 115 comments

  1. This is windows calling... by Anonymous Coward · · Score: 5, Funny

    Your computer have virus.

    1. Re: This is windows calling... by thundercattt · · Score: 5, Funny

      Sure Windows, you sound legit with your Indian accent. Access as needed. O.....sorry I'm not paying. Btw, you're also locked in a virtualized Windows platform on Debian. Thanks for playing

    2. Re:This is windows calling... by Barlo_Mung_42 · · Score: 2

      So does this one support Win10? Virus writers seem stuck in the past.

    3. Re: This is windows calling... by KiloByte · · Score: 2

      Are these posters active in the workforce? Every relevant office in the world uses windows.

      My last job where I interacted with any office workers (sales, accountants) ended 5 years ago. It looks like such software has mostly moved inside the browser, too, which trades local deployment problems (a nightmare!) for browser incompatibility issues (MSIE being mostly dead, this seems to be a solved issue). I'm not a web developer, either.

      And in rare cases when I have to test something on Windows, it's the very reason I keep a Windows VM! And more importantly, not just one but a whole array of them. Assuming your company has only 10, 7 and XP, you'd need three physical computers for that task (Windows is notoriously bad for having multiple versions on partitions on the same computer). I, on the other hand, just turn on the relevant VM -- often multiple ones at the same time. And when Windows inevitably fucks itself up, I revert to an earlier state with a single command.

      Even in that job in the past where I wrote Windows software, I did it in VMs on a Linux host, for the above reasons.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  2. Re:ooh, i am so outraged by Anonymous Coward · · Score: 2, Insightful

    Why shouldn't we? The technical details are not of interest to a general audience, and are already available to those who do have a vested interest.

    The bottom line, however, is that the NSA knowingly endangered the entire country by failing to disclose vulnerabilities in our digital infrastructure. The "it's not their job" argument is bullshit. They acted unethically (to put it way too mildly), and the people who pay their salaries are now being hacked because of it.

    Not cool.

  3. No word from the NSA? by Sir+Holo · · Score: 3, Interesting

    Why has the NSA, who know exactly what weaponized exploits were broadcast to the world. . . Why has the NSA not offered-up any antidotes to their now-public weaponization of a bunch of sploits?

    They could swoop in and try to look like the hero here, but there's been no sign of that. Not a peep from the NSA.

    Are they just making popcorn and watching the fallout because they think they are computer GODS, enjoying watching the plebes fight all of these forthcoming worms and trojans just to get themselves off before going back to work reducing the security of the USA by continuing to develop more of the same?

    1. Re:No word from the NSA? by bengoerz · · Score: 5, Insightful

      Sure, it's just a coincidence that Microsoft released MS17-010 - a patch for multiple NSA-discovered vulnerabilities - several weeks before they were disclosed by Shadow Brokers.

    2. Re:No word from the NSA? by MSG · · Score: 4, Insightful

      I hate to interrupt a good blame fest, but every Windows computer comes with a program that downloads updates (fixes) from Microsoft and approximately zero Windows computers come with a program that downloads updates from the NSA. So how would the NSA distribute fixes, if they wanted to?

      Microsoft already released fixes, so what makes you think the NSA didn't provide the information needed to the people who are in a position to distribute fixes?

    3. Re:No word from the NSA? by AmiMoJo · · Score: 2

      They released patches for EternalBlue and related exploits AFTER the ShadowBrokers released them.

      Microsoft didn't release patches for older versions of Windows until the day after the attack on the NHS.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:No word from the NSA? by amiga3D · · Score: 2

      What really bugs me is that shit continuously leaks out of the NSA. Just pours the fuck out. What do we pay them for? I mean really what use is a spy organization that gets the fuck hacked out of it all the damn time? Billions of dollars and the secrets we pay through the nose to acquire are out for every asshole in the world to use. And not a single damn incompetent cocksucker gets fired! On 9/11 we get hit by fuckers that they knew were here, they had a report they were learning to fly but weren't interested in how to take off or land a Jumbo Jet, and no one lost their job despite one of the greatest Intel FAILS of all time. I think it's time to do something about America's spy organizations that only seem to be fit to spy on Americans.

  4. Glad I killed off SMB v.1 by Anonymous Coward · · Score: 5, Informative

    If you haven't looked into it yet and you're running Windows 7 and above, disable SMB v.1 on Windows as server or client. There's not much reason to maintain it unless you have older hardware/software that relies on it (XP, Windows Server 2003). v.1 is slower and completely replaced by SMB v.2 and v.3.
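    The server- and client-side steps the comment describes, as an added example (not the commenter's own script). It assumes an elevated PowerShell 3+ session on Windows 7 / Server 2008 R2 or later: the `Set-SmbServerConfiguration` and `Get-SmbConnection` cmdlets exist only on Windows 8 / Server 2012 and later, so the script falls back to the documented `LanmanServer` registry value and `sc.exe` driver changes on older systems.

```powershell
# Added example: check for live SMB 1.x use, then disable SMB1 as server and client.
# Run elevated. The client-side change takes effect after a reboot.

# 1. Check before disabling: list outbound connections negotiated as SMB 1.x.
#    (Get-SmbConnection is Windows 8 / Server 2012 and later; silently empty elsewhere.)
function Get-Smb1Connections {
    Get-SmbConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.Dialect -like '1.*' } |
        Select-Object ServerName, ShareName, Dialect
}

# 2. Server side: stop this machine from offering SMB1 to clients.
function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Windows 7 / Server 2008 R2: same effect via the LanmanServer parameters key.
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
    }
}

# 3. Client side: stop this machine from speaking SMB1 to servers.
#    mrxsmb10 is the SMB1 redirector; LanmanWorkstation must stop depending on it.
function Disable-Smb1Client {
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

# 4. Verify: server flag (Windows 8+ only) and the SMB1 redirector's start mode.
function Test-Smb1Disabled {
    $server = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $driver = Get-CimInstance Win32_SystemDriver -Filter "Name='mrxsmb10'"
    [pscustomobject]@{
        ServerSmb1Enabled = if ($server) { $server.EnableSMB1Protocol } else { 'unknown (pre-Win8)' }
        ClientSmb1Start   = if ($driver) { $driver.StartMode } else { 'not present' }
    }
}

Get-Smb1Connections   # anything listed here will break once SMB1 is off
Disable-Smb1Server
Disable-Smb1Client
Test-Smb1Disabled     # expect ServerSmb1Enabled False and ClientSmb1Start Disabled
```

On Windows 8.1 / 10 the whole SMB1 component can instead be removed with `Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol`; either way, run the connection check first so hosts that still depend on SMB1 (XP, Server 2003, older NAS units) are found before the change.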

  5. Re:No word from the NSA? by phayes · · Score: 5, Insightful

    Wakey wakey sleepyhead....

    When the NSA realized that the code had been stolen & likely to be released, they communicated the SMB bug to Microsoft who then released patches for their "maintained" OSes two months ago. It is because of this that they were able to release patches for their out of maintenance OSes as soon as WannaCry started spreading.

    Did you just imply that if the NSA said "here's a patch, please apply it globally" that you would apply it blindly?!? I'm not one of the people calling for the NSA to be the world's beta testing organization by buying up all the bugs on the internet & then handing them off to makers so that they patch their code, but even I wouldn't apply an NSA patch blindly like that.

    The NSA is not Trump with hourly Twitter updates direct from them to the world. They'll always communicate through proxies.

    --
    Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
  6. Sonos requires SMB1 for locally-stored content by Constantin · · Score: 3, Interesting

    Ned Pyle and others have eloquently described why everyone should drop SMB1 support, yet NAS suppliers and Sonos continue to ship products that use SMB1.

    Despite being deprecated by MSFT for years, SMB1 is alive and well with Sonos. There is no SMB2+ support, there is no timeline nor any commitment to add SMB2+ support. Please note: this issue only affects those that use Sonos with a local file server such as a NAS, your PC, etc. to store the music library and then make it accessible via the LAN.

    I don't understand how a company that prides itself on making premium audio products doesn't put security ahead of other software development priorities. One juicy scandal can cause way more damage than the modest cost of implementing readily-available SMB2-3.11 server/client software packages.

    SMB1 support on the Sonos, if allowed at all, should be on an opt-in basis, with adequate warnings to consumers re: potential pitfalls. Modern incarnations of SMB servers have NTLM v1 and SMB1 support turned off by default for a reason.