EternalRocks: If you thought WannaCry was bad, this is worse
May 22, 2017
EternalRocks, a successor of WannaCry, is expected to be the ultimate cyber-weapon, armed with at least seven cyber tools stolen from the NSA database.
EternalRocks will not have a kill switch and if weaponised, will be many times more destructive compared to WannaCry ransomware.
The warning flag was recently raised by security researcher Miroslav Stamper, who is a member of the Croatian Government CERT. Stamper contends that EternalRocks not only uses lethal SMB (Server Message Block) tools which are named EternalBlue, EternalChampion, EternalSynergy, and EternalRomance but also SMB reconnaissance tools named SMBTouch and ArchTouch which can keep an eye on affected computers.
Earlier this year, a group of hackers calling themselves Shadowbrokers released several hacking tools which they obtained from NSA's servers. While a couple of them were utilised for the WannaCry ransomware attack, the new EnternalRocks worm has been crafted out of as many as seven hacking tools. Stamper has decided to appropriately term EternalRocks as 'DoomsDayWorm.'
According to Bleeping Computer, EternalRocks is now under testing and hasn't been unleashed yet. However, it will be very convenient for hackers to weaponize the worm with malware, banking trojans or ransomware which will be hard to contain since the worm doesn't come with a kill switch unlike WannaCry.
"Matter of time when common malware through phishing bad guys will incorporate SMB exploits for synergistic attack. Then, we die," Stamper tweeted.
EternalRocks will affect computers in two stages. First, it will invade a system, download Tor and connect with a command and control server located inside Tor. After about 24 hours, the server will respond, enabling the worm to replicate itself and attack more computers. This delay in connection will make researchers believe that it is no ransomware and is just an ordinary infiltration.
EternalRocks will also run DoublePulsar in infected systems which will work as a backdoor for malware to be installed. However, Stamper reports that the backdoor isn't protected yet and this will enable other hackers to utilise it to pour in their own malware, thus effectively destroying systems.
The only positive factor here is that researchers are now aware of the impending threat and may create software patches before EternalRocks arrives. However, considering how powerful the worm is, this will be a time-consuming exercise and may not be completed before actual infections take place.
"The worm is racing with administrators to infect machines before they patch. Once infected, he can weaponise any time he wants, no matter the late patch," Stamper told Bleeping Computer.
It is beyond anyone's doubt that if EternalRocks is weaponised, the most affected systems will be the ones running outdated versions of the Windows operating system. While the effect of WannaCry ransomware wasn't too high in the UK, the NHS was particularly affected not only because of poor cyber hygiene, but also because the organisation still uses thousands of computers running older versions of Windows.
"Something like this was always inevitable. While organisations are distracted by high profile dramatized threats, such as Russian election hacking, they are neglecting basic cyber hygiene measures which can prevent the mass effectiveness of mass ransomware attacks like this. Until basic cyber hygiene is taken seriously, these attacks will continue to happen at this scale with an impact disproportionate to the nature of the attack," Brian Lord OBE, former Deputy Director GCHQ Cyber and Intelligence.