EternalRocks: Deadlier than WannaCry, you don't want to encounter this ransomware

Sahil Bhalla 23 May 2017, 18:15 IST

The WannaCry ransomware attack hit global headlines after infecting over 200,000 systems in 150 countries. While that attack was finally contained, a newer, deadlier malware, named EternalRocks, was identified by security researchers last week. While WannaCry used two National Security Agency (NSA) exploits, EternalRocks uses seven of the exploits leaked by the Shadow Brokers group back in April.

This new malware strain targets the same vulnerability that helped WannaCry spread across the globe the first time around. According to a report in Bleeping Computer, EternalRocks was first detected by Miroslav Stampar, a Croatian security expert and member of the Croatian Government's computer emergency response team (CERT), on 17 May.

EternalRocks mainly uses the NSA tool known as EternalBlue. It uses this to spread from one computer to the next through the Windows OS. Along with EternalBlue, it also uses six other tools leaked by the Shadow Brokers - DoublePulsar, EternalChampion, EternalRomance, EternalSynergy, ArchiTouch and SMBTouch. Stampar discovered it "after it infected his honeypot, a trap set to monitor incoming malware," according to CNET.

According to Stampar, the earliest findings of EternalRocks date back to 3 May. Windows Server Message Block is a standard file sharing technology that is used by Windows PCs. The problem with the first ransomware attack, WannaCry, was that even though Microsoft patched the vulnerability in March, many of the systems worldwide hadn't updated their software. With EternalRocks using seven different NSA exploits, the fear is that it could spread even faster and to more computers than WannaCry.

Is EternalRocks malicious?

In its present form, EternalRocks doesn't seem to have any malicious intent. The malware isn't asking for any payoff, nor is it locking or corrupting files. The potential for any kind of future attack, though, is huge. The one difference here is that while WannaCry alerted victims who'd been affected, EternalRocks remains silent and hidden on the computer. Once it's successfully on a computer, EternalRocks downloads the anonymous network Tor's private browser. After that, it sends a signal to EternalRocks' hidden servers.

Then, it lies dormant for 24 hours. After a day of being on the computer, the server downloads what Stampar calls 'second stage malware' which then runs itself and is self-replicating. After the initial run, it "drops the exploit pack shadowbrokers.zip and unpacks contained directories payloads/, configs/ and bins/. After that, starts a random scan of opened 445 (SMB) ports on Internet, while running contained exploits (inside directory bins/) and pushing the first stage malware through payloads (inside directory payloads/)," wrote Stampar in a description on GitHub. It basically starts an IP scanning process and then tries to connect to random IP addresses.
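The scanning behaviour described above leaves a recognisable trace in network flow logs: one internal machine contacting many different Internet hosts on TCP port 445 in a short time. The following detection sketch is an added example, not code from Stampar's write-up or from this article; the log format, the threshold of 5 hosts within 60 seconds and the RFC 1918 "internal" ranges are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: RFC 1918 ranges are "internal"; adjust to your address plan.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow log, format "timestamp src dst dst_port".
SAMPLE_LOG = """\
2017-05-23T10:00:00 10.0.0.8 10.0.0.20 445
2017-05-23T10:00:01 10.0.0.5 198.51.100.7 445
2017-05-23T10:00:02 10.0.0.5 203.0.113.44 445
2017-05-23T10:00:03 10.0.0.9 198.51.100.80 443
2017-05-23T10:00:03 10.0.0.5 192.0.2.19 445
2017-05-23T10:00:04 10.0.0.5 198.51.100.200 445
2017-05-23T10:00:05 10.0.0.5 203.0.113.9 445
garbled line
2017-05-23T10:00:07 10.0.0.7 203.0.113.50 445
""".splitlines()

def is_internal(addr):
    return any(addr in net for net in INTERNAL)

def parse(line):
    """Return (timestamp, src, dst, port), or None for a malformed line."""
    try:
        ts, src, dst, port = line.split()
        return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
                ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port))
    except ValueError:
        return None

def find_smb_scanners(lines, threshold=5, window=timedelta(seconds=60)):
    """Map internal source -> peak count of distinct external hosts contacted
    on TCP/445 inside one window, for sources reaching the threshold."""
    recent = defaultdict(deque)  # src -> (ts, dst) events still in the window
    peaks = {}
    for ts, src, dst, port in sorted(filter(None, map(parse, lines)), key=lambda e: e[0]):
        if port != 445 or not is_internal(src) or is_internal(dst):
            continue  # ordinary file-server traffic or a different service
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            peaks[str(src)] = max(peaks.get(str(src), 0), distinct)
    return peaks
```

On the sample log, `find_smb_scanners(SAMPLE_LOG)` flags only 10.0.0.5; the internal file-server session, the HTTPS connection and the single outbound SMB attempt stay below the threshold.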

From what we know at this moment, EternalRocks is staying dormant as it continues to infiltrate more computers. We don't know how many computers it has infected. We also don't know what EternalRocks will morph into. It could just be an experiment as of now.

Kill Switch absent

EternalRocks uses file names that are identical to WannaCry's worm. This is done to fool security researchers into mistaking it for the older ransomware. While WannaCry had a 'kill switch' weakness that allowed for the slowing of the ransomware, EternalRocks doesn't have one.

Furthermore, if the author decides to weaponise the worm, he could do so in an instant, as the infected computers are vulnerable to remote commands.

Defense mechanisms

To avoid infection there are two simple measures one should take:
First, stay on top of all updates and patch systems as and when they are released.
Second, replace all older operating systems with the latest version of Windows.
