EternalRocks: Deadlier than WannaCry, you don't want to encounter this ransomware

FFS. Somebody is spreading THIS with delayed download/start. People, this is going to be huge. Prepare yourself in a day or two! pic.twitter.com/WqJE9QKRSV

— Miroslav Stampar (@stamparm) May 18, 2017

EternalRocks mainly uses the NSA tool known as EternalBlue. It uses this to spread from one computer to the next through the Windows OS. Along with EternalBlue, it also uses six other tools leaked by the Shadow Brokers - DoublePulsar, EternalChampion, EternalRomance, EternalSynergy, ArchiTouch and SMBTouch. Stampar discovered it "after it infected his honeypot, a trap set to monitor incoming malware," according to CNET.

According to Stampar, the earliest findings of EternalRocks dates back to 3 May. Windows Server Message Block is a standard file sharing technology that is used by Windows PCs. The problem with the first ransomware attack, WannaCry, was that even though Microsoft patched the vulnerability in March, many of the systems worldwide hadn't updated their software. With EternalRocks using seven different NSA exploits, the fear is that it could spread even faster and to more computers than WannaCry.

Is EternalRocks malicious?

In the present form, EternalRocks doesn't seem to have any malicious intent. The malware isn't asking for any payoff and neither is it locking or corrupting files. The potential for any kind of future attack though, is huge. The one difference here is that while WannaCry alerted victims who'd been affected, EternalRocks remains silent and hidden on the computer. EternalRocks, once it's successfully on a computer, downloads the anonymous network Tor's private browser. After that, it sends a signal to EternalRocks' hidden servers.

Then, it lays dormant for 24 hours. After a day of being on the computer, the server downloads what Stampar calls 'second stage malware' which then runs itself and is self-replicating. After the initial run, it "drops the exploit pack shadowbrokers.zip and unpacks contained directories payloads/, configs/ and bins/. After that, starts a random scan of opened 445 (SMB) ports on Internet, while running contained exploits (inside directory bins/) and pushing the first stage malware through payloads (inside directory payloads/)," wrote Stampar in a description on GitHub. It basically starts an IP scanning process and the tries to connect to random IP addresses.

From what we know at this moment, EternalRocks is staying dormant as it continues to infiltrate more computers. We don't know how many computers it has infected. We also don't know what EternalRocks will morph into. It could just be an experiment as of now.

Kill Switch absent

EternalRocks uses file names that are identical to WannaCry's worm. This is done to fool security researchers into mistaking it for the older ransomware. While WannaCry had a 'kill switch' weakness that allowed for the slowing of the ransomware, EternalRocks doesn't have one.

Furthermore, if the author decides to weaponise the worm, he could do so in an instant, as the infected computers are vulnerable to remote commands.

Matter of time when common malware through phishing bad guys will incorporate SMB exploits for synergistic attack. Then, we die

— Miroslav Stampar (@stamparm) May 20, 2017

Defense mechanisms

To avoid infection there are two simple measures one should take:
First, stay on top of all updates and patch systems as and when they are released.
Second, replace all older operating systems with the latest version of Windows.