EternalRocks spreads seven Windows SMB exploits

Someone has stitched together seven of the Windows SMB exploits leaked by the ShadowBrokers, creating a worm that has been spreading through networks since at least the first week of May.

Researcher Miroslav Stampar, a member of the Croatian government’s CERT, captured a sample of the worm last Wednesday in a Windows 7 honeypot he runs, and posted a report over the weekend on his GitHub page.

The worm, which Stampar calls EternalRocks, currently has no payload and spreads in two stages over a 24-hour period. Heimdal Security has also seen a similar sample, which it calls BlueDoom.

Since the WannaCry ransomware outbreak two Fridays ago, researchers have stressed the urgency of patching the SMB vulnerability under attack, given that the NSA exploits are weaponized and that documentation was also leaked, making them reasonably simple to use. MS17-010 has been available since March, one month before the ShadowBrokers’ leak of Equation Group Windows offensive hacking tools.

“Despite not having a malicious payload, the EternalRock worm is as complex as WannaCry – although, for now, less dangerous. Unlike WannaCry, however, EternalRock has two stages, and there’s a long delay between the moment the malware sends a signal to the control server to confirm infection and the reply being received from the server,” Kaspersky Lab said. “Such behavior is not unusual and seems to be a sandbox mitigation technique.”

Stampar said that EternalRocks, which he also calls MicroBotMassiveNet, spreads using all of the SMB exploits in the leak, including EternalBlue, which was used in the WannaCry attacks. Alongside EternalBlue, it uses EternalChampion, EternalRomance and EternalSynergy, as well as ArchiTouch, SMBTouch and the DoublePulsar kernel exploit.
