While the world was responding to the WannaCry attack—which only utilized the EternalBlue exploit and the DoublePulsar backdoor—researchers discovered another piece of malware, EternalRocks, which actually exploits seven different Windows vulnerabilities
Miroslav Stamper, a security researcher at the Croatian Government CERT, first discovered EternalRocks. This new malware is far more dangerous than WannaCry. Unlike WannaCry, EternalRocks has no kill switch and is designed in such a way that it‘s nearly undetectable on afflicted systems.
Stamper found this worm after it hit his Server Message Block (SMB) honeypot. After doing some digging, Stampar discovered that EternalRocks disguises itself as WannaCry to fool researchers, but instead of locking files and asking for ransom, EternalRocks gains unauthorized control on the infected computer to launch future cyber attacks.
How dangerous is EternalRocks?
When EternalRocks hits a computer, it downloads a Tor browser and connects that computer to its command and control (C&C) server located in an unidentified location in the web. To avoid detection, EternalRocks stays dormant in the infected computer for 24 hours before activating and communicating with its C&C server.
In the early stages of the attack, EternalRocks shares an archive containing all seven exploits with its C&C sever, then downloads a component called svchost.exe to execute all other actions and take over the infected system. Once that’s done, EternalRocks searches for open SMB ports to infect other vulnerable computers.
One of the main features of EternalRocks is that it can turn into any major cyber weapon after successfully hijacking a system. For instance, it can be converted into either ransomware or a trojan to cause more damage.
EternalRocks exploits seven vulnerabilities, including:
- EternalBlue — SMBv1 exploit tool
- EternalRomance — SMBv1 exploit tool
- EternalChampion — SMBv2 exploit tool
- EternalSynergy — SMBv3 exploit tool
- SMBTouch — SMB reconnaissance tool
- ArchTouch — SMB reconnaissance tool
- DoublePulsar — Backdoor trojan
EternalBlue, EternalChampion, EternalSynergy, and EternalRomance are designed to exploit vulnerable computers, while DoublePulsar is used to spread the worm across networks. EternalRocks is far deadlier than WannaCry. Security professionals have even named it the “Doomsday Worm.”
Escape cyber threats with proper patch management practices
With new malware being unleashed everyday since WannaCry, enterprises are looking for security solutions which can help them stay secure in spite of all these attacks. Experts suggest employing proper patch management procedures can keep your network and devices safe from any unwanted security breaches
First WannaCry, then Adylkuzz, and now EternalRocks—all due to a single leak of NSA hacking tools. The whole world witnessed WannaCry’s impact when it used just two SMB vulnerabilities; imagine what EternalRocks can do with seven. Security researchers are still investigating EternalRocks. Until they neutralize the threat, you can stay safe and secure by staying on top of patch management.
First published in Data Center Knowledge.