New SMB Worm Uses Seven NSA Hacking Tools. WannaCry Used Just Two

An anonymous reader writes: Researchers have detected a new worm that is spreading via SMB, but unlike the worm component of the WannaCry ransomware, this one is using seven NSA tools instead of two. Named EternalRocks, the worm seems to be in a phase where it is infecting victims and building its botnet, but not delivering any malware payload.

EternalRocks is far more complex than WannaCry's SMB worm. For starters, it uses a delayed installation process that waits 24 hours before completing the install, as a way to evade sandbox environments. Further, the worm also uses the exact same filenames as WannaCry in an attempt to fool researchers of its true origin, a reason why the worm has evaded researchers almost all week, despite the attention WannaCry payloads have received.

Last but not least, the worm does not have a killswitch domain, which means the worm can't be stopped unless its author desires so. Because of the way it was designed, it is trivial for the worm's owner to deliver any type of malware to any of the infected computers. Unfortunately, because of the way he used the DOUBLEPULSAR implant, one of the seven NSA hacking tools, other attackers can hijack its botnet and deliver their own malware as well. IOCs are available in a GitHub repo.
Ars Technica quotes security researchers who say "there are at least three different groups that have been leveraging the NSA exploit to infect enterprise networks since late April... These attacks demonstrate that many endpoints may still be compromised despite having installed the latest security patch."

This is windows calling...

Your computer have virus.

Re: This is windows calling...

[thundercattt]

Sure Windows, you sound legit with your Indian accent. Access as needed. O.....sorry I'm not paying. Btw, you're also locked in a virtualized Windows platform on Debian. Thanks for playing

Glad I killed off SMB v.1

If you haven't looked into it yet and you're running Windows 7 and above, disable SMB v.1 on Windows as server or client. There's not much reason to maintain it unless you have older hardware/software that relies on it (XP, Windows Server 2003). v.1 is slower and completely replaced by SMB v.2 and v.3.

Re:No qord from the NSA?

[bengoerz]

Sure, it's just a coincidence that Microsoft released MS17-010 - a patch for multiple NSA-discovered vulnerabilities - several weeks before they were disclosed by Shadow Brokers.

Re:No word from the NSA?

[phayes]

Wakey wakey sleepyhead....

When the NSA realized that the code had been stolen & likely to be released, they communicated the SMB bug to Microsoft who then released patches for their "maintained" OS's two months ago. It is because of this that they were able to release patches for their out of maintenance OSes as soon as Wannacry started spreading.

Did you just imply that if the NSA said "here's a patch, please apply it globally" that you would apply it blindly?!? I'm not one of the people calling for the NSA to be the world's beta testing organization by buying up all the bugs on the internet & then handing them off to makers so that they patch their code, but even I wouldn't apply a NSA patch blindly like that.

The NSA is not Trump with hourly Twitter updates direct from them to the world. They'll always communicate through proxies.