EternalRocks Worm Exploits 7 NSA Hacking Tools

CyberCrimeSecuritySecurity ManagementVirus
Worm - Shutterstock - © Eduard Harkonen

Cyber security researchers have identified a potential WannaCry successor

WannaCry looks to have a successor born out of the use of seven allegedly leaked NSA SMB (Server Message Block) hacking tools rather than two. 

Dubbed EternalRocks, the malware in the form of a worm was discovered by Miroslav Stampar, a member of the Coratian Government’s CERT (computer emergency response team), who caught the worm in a SMB honeypot. 

EternalRocks malware

Cyber worm4Like WannaCry, EternalRocks infects Windows PCs via the use of an NSA tool called EternalBlue, but adds a suite of other tools with the Eternal prefix into the mix. 

EternalRocks spreads from machine to machine through the use off the Doublepulsar NSA tool 

Also standing apart from WannaCry is how EternalRocks has yet to be loaded with a malware payload, so lacks WannaCry’s ability to lock files or corrupt penetrated machines.

However, there is certainly scope for the worm to be equipped with malware to wreak havoc like WannaCry, and it leaves a backdoor on infected machines that leave them vulnerable to other malware propagated by other hackers.  

While EternalRocks has not spread very far, according to Stampar, it lacks the kill switch domain of WannaCry and as such may be much harder to bypass or fix if it is weaponised with a malware payload. Furthermore, it has a 24 hour activation delay between it and the control and command server, and uses the same file names as WannaCry, which throws up challenged for security researcher in detecting the worm. 

In its current form, EternalRocks appears to be more of an experimental worm, either kept harmless for research purposes or has been designed to infiltrate vulnerable computers, establish a backdoor, and await the deployment of more dangerous malware that exploits the established security hole. 

“Currently, there are multiple actors scanning for computers running older and unpatched versions of the SMB services. System administrators have already taken notice and started patching vulnerable PCs or disabling the old SMBv1 protocol, slowly reducing the number of vulnerable machines that EternalRocks can infect,” explained security specialist Catalin Cimpanu on the Beeping Computer

 Given the disruption WannaCry wreaked on various organisations, notably the NHS, another worm capable of infecting computers at a global scale will not be a appreciated by security teams. 

Do you know all about security in 2017? Try our quiz!

Click to read the authors bio  Click to hide the authors bio