Remember the leaked exploits used by the WannaCry SMB worm, which caused more than 240,000 detections in 48 hours? If you do, you will remember they were named EternalBlue and DoublePulsar. A new worm has appeared, carrying the name EternalRocks, and it has the capability to be even more brutal than the one used to spread WannaCry ransomware and infect computers in a massive outbreak.
EternalRocks and Its Capabilities
Unlike the worm used to spread WannaCry ransomware, which uses 2 exploits targeting the SMB service in the Windows operating system, the EternalRocks worm uses 7 of the exploits leaked by TheShadowBrokers in early 2017. The SMB-oriented exploits in the leak are the following:
- EternalBlue
- EternalChampion
- EternalRomance
- EternalSynergy
In addition to those direct SMB exploits, EternalRocks also uses the exploits deployed for information gathering (reconnaissance), known as:
- SMBTouch
- ARCHITouch
The worm also uses DoublePulsar, the same backdoor used by the SMB worm, in order to keep spreading to other machines that have not been patched yet.
The difference between the two worms is the significantly higher number of exploits used to infect a computer, meaning that if the EternalRocks worm had been released instead of the SMB worm, a significantly higher number of computers could have been infected with WannaCry ransomware (which reached over 240,000 infections).
However, the EternalRocks worm also uses a more delayed infection process, because it installs itself on a given computer in two stages.
Malware researchers are convinced that this delay is caused by multiple different activities that aim to obfuscate the worm while it infects computers.
At the moment, EternalRocks is completely harmless because it is not activated, and many Windows computers have supposedly been upgraded after the massive WannaCry outbreak occurred 1 week ago.
However, the worm has a feature that the SMB worm used to spread WannaCry lacks: it is able to spread without a so-called “kill switch” web domain. That domain was stopped by the malware researcher with the nickname MalwareTech (@MalwareTechBlog) on Twitter. If this worm is released, the only thing preventing it would be having your Windows system fully upgraded with the latest security patches, since there is no way for malware researchers to stop it. Many are convinced that most ransomware cyber-criminals would want to get their hands on this worm, so we recommend staying safe and learning how to keep your data secure before the inevitable happens.