EternalRocks Worm Exploits 7 NSA Hacking Tools
2017-05-22 16:40 by Daniela
Tags: EternalRocks, NSA, worm
A few weeks after WannaCry ransomware started attacking users around the world, a new worm using NSA hacking tools has been discovered. This particular worm, called EternalRocks, uses seven different NSA tools: EternalBlue, EternalChampion, EternalRomance, EternalSynergy, DoublePulsar, ArchiTouch and SMBTouch.
The EternalRocks worm uses flaws in the Server Message Block (SMB) file-sharing network protocol to infect unpatched Windows systems. Unlike WannaCrypt, EternalRocks doesn't bundle a destructive malware payload, at least for now. The new nasty doesn't feature a kill switch domain either.
"For starters, EternalRocks is far more sneaky than WannaCry's SMB worm component. Once it infects a victim, the worm uses a two-stage installation process, with a delayed second stage," explained Bleeping Computer in their report.
During the first stage, EternalRocks installs Tor as a C&C communications channel. The second stage doesn't begin immediately; instead, the C&C server waits 24 hours before responding with shadowbrokers.zip. Once that archive is unpacked, the EternalRocks worm begins scanning the internet for systems with port 445 open and pushes the first stage of the malware to them through payloads.
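The scanning behaviour described above, one internal host reaching many internet addresses on port 445 in a short time, shows up in flow or firewall logs. The following is an added example for defenders, not code from the original article or from any tool it mentions; the log format, internal address ranges, threshold, window and sample records are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: these ranges are "internal"; everything else counts as internet-bound.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records (not real traffic): time, source, destination, dest port.
SAMPLE_FLOWS = "\n".join(
    [f"2017-05-22T10:00:{i:02d} 10.0.0.5 203.0.113.{i} 445" for i in range(1, 9)]  # fan-out
    + [f"2017-05-22T10:00:{i:02d} 10.0.0.7 10.0.0.20 445" for i in range(1, 9)]    # file server
    + ["2017-05-22T10:00:30 10.0.0.8 198.51.100.10 443",   # ordinary HTTPS
       "2017-05-22T10:05:00 10.0.0.9 198.51.100.11 445",   # single outbound SMB attempt
       "garbled line"])

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def parse_flows(text):
    """Yield (timestamp, src, dst, dport) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield (datetime.fromisoformat(parts[0]), parts[1],
                   ipaddress.ip_address(parts[2]), int(parts[3]))
        except ValueError:
            continue

def smb_scanners(flows, threshold=5, window=timedelta(minutes=1)):
    """Map each source to the largest number of distinct external TCP/445
    destinations it contacted within one window, if that reaches threshold."""
    recent = defaultdict(list)  # src -> [(timestamp, dst)] still inside the window
    flagged = {}
    for ts, src, dst, dport in sorted(flows, key=lambda f: f[0]):
        if dport != 445 or is_internal(dst):
            continue  # SMB to internal file servers is expected traffic
        hits = recent[src]
        hits.append((ts, dst))
        hits[:] = [(t, d) for t, d in hits if ts - t <= window]  # drop expired entries
        distinct = len({d for _, d in hits})
        if distinct >= threshold:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged

if __name__ == "__main__":
    for src, count in smb_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {count} distinct external hosts contacted on TCP/445")
```

Outbound TCP/445 to the internet is rarely legitimate, so a low threshold combined with an egress block on that port is a reasonable starting point.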
According to Miroslav Stampar, who works at the Croatian Government's CERT:
"The worm is racing with administrators to infect machines before they patch. Once infected, he can weaponize any time he wants, no matter the late patch."