As the world recovers from the WannaCry ransomware that spread like wildfire less than two weeks ago, researchers have found a new strain of malware that makes WannaCry look almost innocent.
The malware is known as EternalRocks and was discovered by Miroslav Stampar, a member of the Croatian Government CERT, after it infected a server message block (SMB) honeypot he had set up.
EternalRocks bundles seven tools from the leaked NSA toolkit: the four SMB exploits EternalBlue, EternalChampion, EternalRomance and EternalSynergy, the two SMB reconnaissance tools SMBTouch and ArchiTouch, and the DoublePulsar backdoor. As Bleeping Computer reports, DoublePulsar is the kernel implant the exploits install, and it is through that implant that EternalRocks loads itself onto each newly compromised host and spreads.
WannaCry, by contrast, used only two of them: EternalBlue to exploit the SMBv1 flaw and DoublePulsar as the backdoor through which it installed itself on the next victim.
Infection with a fuse
What makes EternalRocks so much scarier than WannaCry is that it installs itself in two stages.
In the first stage the malware installs itself on the target PC, downloads the Tor client and contacts a command-and-control server hosted as a Tor hidden service on the dark web.
EternalRocks then waits for the server to respond, which only happens after roughly 24 hours. The most likely reason, says Bleeping Computer, is that the malware's author is trying to outlast the automated sandboxes security researchers use, which typically run a sample for minutes rather than a day.
And for those thinking they could pull a MalwareTech and register a kill-switch domain like the one hidden in WannaCry's code: EternalRocks contains no such domain.
Why is EternalRocks scary?
Given its initial dormancy and the backdoor it leaves on the target PC, EternalRocks is scarier than WannaCry for several reasons.
WannaCry had a single goal: encrypt files and make the victim pay to decrypt them. The purpose of EternalRocks is far less clear, since the sample analysed so far only spreads and drops no payload of its own.
The delayed fuse is especially worrying because, once the second stage arrives, the attacker has control of the PC and a backdoor listening on the vulnerable SMB port (TCP 445), through which they can push ransomware, banking trojans or anything else they want onto the target.
Worse still, patching the SMB vulnerabilities stops new infections but does not remove an implant that is already in place, and a first stage that sits dormant and does nothing suspicious for a day may well be passed over by security software.
Thankfully security researchers and system administrators are already disabling the old SMBv1 protocol and applying the MS17-010 patch to systems that would otherwise be easy targets.
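The two checks an administrator would want after reading the above, whether a host still speaks SMBv1 at all and, if it does, whether the DoublePulsar implant is already listening behind port 445, can be done with a single SMBv1 exchange. The script below is an added example, not code from the article, from Stampar's analysis or from Bleeping Computer; it reproduces the widely published DoublePulsar "ping" check: after an anonymous SMBv1 session and a tree connect to IPC$, send a Trans2 request with the SESSION_SETUP subcommand (0x000E), which no real SMB server implements. A clean server answers STATUS_NOT_IMPLEMENTED and echoes the request's Multiplex ID (0x41); the implant answers with Multiplex ID 0x51. The Timeout constant is the value used by the public detection scripts, the NativeOS/NativeLanMan strings and the `sample_trans2_response` reply are constructed for the example, and the `probe_host` result labels are this example's own.

```python
"""Check whether a host still speaks SMBv1 and whether DoublePulsar is listening on TCP 445."""
import socket
import struct

SMB_COM_TRANSACTION2 = 0x32
SMB_COM_NEGOTIATE = 0x72
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_COM_TREE_CONNECT_ANDX = 0x75
TRANS2_SESSION_SETUP = 0x000E
PROBE_MID = 0x41            # Multiplex ID we send; a clean server echoes it
DOUBLEPULSAR_MID = 0x51     # Multiplex ID the implant answers with
# Timeout value used by the public DoublePulsar ping; the implant reads its opcode
# from the byte sum of this field: 0xA6+0xD9+0xA4+0x00 = 0x223 -> 0x23 = ping.
DP_PING_TIMEOUT = 0x00A4D9A6


def doublepulsar_opcode(timeout):
    """Opcode the implant derives from a Trans2 Timeout value."""
    return sum(timeout.to_bytes(4, "little")) & 0xFF


def netbios(smb):
    """NetBIOS session header: type 0x00 plus a 3-byte big-endian length."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def smb_header(command, tid=0, uid=0, mid=PROBE_MID):
    """32-byte SMBv1 header; Flags 0x18, Flags2 0xC007 (unicode strings, NT status codes)."""
    return struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", command, 0, 0x18, 0xC007,
                       0, b"\x00" * 8, 0, tid, 0xFEFF, uid, mid)


def parse_smb_header(packet):
    """Parse the SMB header of a received packet (4-byte NetBIOS header included)."""
    if len(packet) < 36 or packet[4:8] != b"\xffSMB":
        raise ValueError("not an SMBv1 packet")
    command, status = struct.unpack_from("<BI", packet, 8)
    tid, _pid, uid, mid = struct.unpack_from("<HHHH", packet, 28)
    return {"command": command, "status": status, "tid": tid, "uid": uid, "mid": mid}


def negotiate_request():
    """Negotiate offering only SMBv1 dialects; a server with SMBv1 disabled rejects or drops it."""
    dialects = b"".join(b"\x02" + d + b"\x00" for d in (b"LANMAN1.0", b"LM1.2X002", b"NT LM 0.12"))
    return netbios(smb_header(SMB_COM_NEGOTIATE) + struct.pack("<BH", 0, len(dialects)) + dialects)


def session_setup_request():
    """Anonymous (null-session) Session Setup AndX without extended security."""
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 4356, 10, 0, 0, 1, 0, 0, 0xD4)
    strings = b"".join((s + "\x00").encode("utf-16-le")
                       for s in ("", "", "Windows 2000 2195", "Windows 2000 5.0"))
    data = b"\x00" + strings   # empty OEM password, then account, domain, NativeOS, NativeLanMan
    return netbios(smb_header(SMB_COM_SESSION_SETUP_ANDX) + struct.pack("<B", 13) + words
                   + struct.pack("<H", len(data)) + data)


def tree_connect_request(uid, host):
    """Tree Connect AndX to the IPC$ share using the UID from the session setup reply."""
    words = struct.pack("<BBHHH", 0xFF, 0, 0, 0x0008, 1)
    data = b"\x00" + ("\\\\%s\\IPC$\x00" % host).encode("utf-16-le") + b"?????\x00"
    return netbios(smb_header(SMB_COM_TREE_CONNECT_ANDX, uid=uid) + struct.pack("<B", 4) + words
                   + struct.pack("<H", len(data)) + data)


def trans2_session_setup_probe(tid, uid, timeout=DP_PING_TIMEOUT):
    """The DoublePulsar ping: Trans2 SESSION_SETUP carrying 12 zero parameter bytes."""
    params = b"\x00" * 12
    # ParameterOffset counts from the SMB header: 32 + 1 (WordCount) + 30 (words) + 2 (ByteCount) + 1 pad
    words = struct.pack("<HHHHBBHIHHHHHBBH", len(params), 0, 1, 0, 0, 0, 0, timeout, 0,
                        len(params), 66, 0, 66 + len(params), 1, 0, TRANS2_SESSION_SETUP)
    data = b"\x00" + params
    return netbios(smb_header(SMB_COM_TRANSACTION2, tid=tid, uid=uid) + struct.pack("<B", 15)
                   + words + struct.pack("<H", len(data)) + data)


def classify_trans2_response(packet):
    """'doublepulsar' if the implant answered, 'clean' if the server merely echoed our MID."""
    hdr = parse_smb_header(packet)
    if hdr["command"] != SMB_COM_TRANSACTION2:
        return "unexpected"
    if hdr["mid"] == DOUBLEPULSAR_MID:
        return "doublepulsar"
    return "clean" if hdr["mid"] == PROBE_MID else "unknown"


def recv_packet(sock):
    """Read one NetBIOS-framed SMB packet."""
    head = sock.recv(4)
    if len(head) < 4:
        raise ConnectionError("connection closed")
    body, need = b"", int.from_bytes(head[1:4], "big")
    while len(body) < need:
        chunk = sock.recv(need - len(body))
        if not chunk:
            raise ConnectionError("connection closed")
        body += chunk
    return head + body


def probe_host(host, port=445, timeout=5.0):
    """Returns 'smb1_disabled', 'session_refused', 'clean', 'doublepulsar', 'unknown' or 'unexpected'."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(negotiate_request())
        try:
            if parse_smb_header(recv_packet(s))["status"] != 0:
                return "smb1_disabled"
        except (ConnectionError, ValueError, socket.timeout):
            return "smb1_disabled"          # server dropped or rejected the SMBv1 negotiate
        s.sendall(session_setup_request())
        setup = parse_smb_header(recv_packet(s))
        if setup["status"] != 0:
            return "session_refused"        # null sessions disabled; the check cannot run
        s.sendall(tree_connect_request(setup["uid"], host))
        tree = parse_smb_header(recv_packet(s))
        if tree["status"] != 0:
            return "session_refused"
        s.sendall(trans2_session_setup_probe(tree["tid"], setup["uid"]))
        return classify_trans2_response(recv_packet(s))


def sample_trans2_response(mid):
    """Constructed sample reply (not a capture) for offline use: STATUS_NOT_IMPLEMENTED, given MID."""
    hdr = struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", SMB_COM_TRANSACTION2, 0xC0000002, 0x98,
                      0xC007, 0, b"\x00" * 8, 0, 1, 0xFEFF, 2, mid)
    return netbios(hdr + b"\x00\x00\x00")   # WordCount 0, ByteCount 0


if __name__ == "__main__":
    import sys
    print(probe_host(sys.argv[1]))
```

Run it as `python3 probe.py 10.0.0.5` against hosts you own or are authorised to test. A result of `smb1_disabled` is the outcome the remediation above aims for; `clean` means the host still speaks SMBv1 and accepts null sessions, so it still needs MS17-010 and SMBv1 turned off even though no implant was found; `doublepulsar` means the box has already been exploited and patching alone will not clean it.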
[Image – CC BY 2.0 Darren Hester]