EternalRocks Worm Spreads Seven NSA SMB Exploits

A worm called EternalRocks has been spreading seven Windows SMB exploits leaked by the ShadowBrokers, including EternalBlue, which was used to spread WannaCry.

Someone has stitched together seven of the Windows SMB exploits leaked by the ShadowBrokers, creating a worm that has been spreading through networks since at least the first week of May.

Researcher Miroslav Stampar, a member of the Croatian government’s CERT, captured a sample of the worm last Wednesday in a Windows 7 honeypot he runs, and posted a report over the weekend on his Github page.

The worm, which Stampar calls EternalRocks, currently has no payload and spreads in two stages over a 24-hour period. Heimdal Security has also seen a similar sample, which it calls BlueDoom.

Since the WannaCry ransomware outbreak two Fridays ago, researchers have stressed the urgency to patch the SMB vulnerability under attack given the NSA exploits are weaponized and documentation was also leaked making them reasonably simple to use. MS17-010 has been available since March, one month before the ShadowBrokers’ leak of Equation Group Windows offensive hacking tools.

“Despite not having a malicious payload, the EternalRock worm is as complex as WannaCry – although, for now, less dangerous. Unlike WannaCry, however, EternalRock has two stages, and there’s a long delay between the moment the malware sends a signal to the control server to confirm infection and the reply being received from the server,” Kaspersky Lab said. “Such behavior is not unusual and seems to be a sandbox mitigation technique.”

Stampar said that EternalRocks, which he also calls MicroBotMassiveNet, spreads using all of the SMB exploits in the leak, including EternalBlue, which was used in the WannaCry attacks. EternalRocks also uses EternalBlue, along with EternalChampion, EternalRomance and EternalSynergy, as well as ArchiTouch, SMBTouch and the DoublePulsar kernel exploit.

“The analysis done on BlueDoom hints that cyber criminals may be preparing to integrate an array of different exploits for an attack that combines a full set of digital weapons,” Heimdal Andra Zaharia said. “BlueDoom is different from WannaCry because it shows a long-term intent to make use of vulnerabilities stemming from virtually all Shadow Brokers leaks containing Windows exploits.”

Stampar explained how the exploits attack in two stages. The first infects a vulnerable Windows machine unpatched against MS17-010, and the downloads components expected to be used during the second stage, along with the Tor browser, which is used to communication to a .onion command and control domain (ubgdgno5eswkhmpy[.]onion).

The second stage, Stampar said, is downloaded after a pre-defined 24-hour period from the .onion domain. During this stage, the SMB exploits are downloaded and the worm begins additional scanning of the internet looking for open instances of port 445.

Stampar’s report includes indicators of compromises, including hashes of components used in both stages of the attack.

In the meantime, more information continues to surface about the WannaCry infections. To date, more than 200,000 infections have been recorded in more than 100 countries. According to researchers at Kaspersky Lab, 98 percent of WannaCry infections affected Windows 7 machines, primarily Windows 7 x64 machines.

Last week, researchers developed and published tools that can help admins recover the private encryption key used by WannaCry to encrypt files on the local drives of machines it infects.

Adrien Guinet of QuarksLab made available his WannaKey tool that is able to recover a prime number from memory used to factor the RSA public key stored by the malware on the local drive. That public key can be used to rebuild the private key and recover encrypted files in conjunction with another tool called WanaDecrypt, built by researcher Benjamin Delpy.

At first, the available tools were limited just to Windows XP machines. The attackers built WannaCry using the Windows Crypto API, which fails to overwrite the prime numbers in memory; later versions do so using the CryptReleaseContext function. Delpy was reportedly able to overcome that limitation and get his tool to work on Windows 7 machines as well.

Admins must now hold their breath waiting perhaps for a version of EternalRocks to spread a malicious payload. Already, the NSA’s SMB exploits have been used, not only to spread ransomware, but also a cryptocurrency miner and a remote access Trojan. And unlike WannaCry, Stampar said EternalRocks does not include a so-called killswitch that researcher Marcus Hutchins used to shut down the initial ransomware outbreak.

“A big advantage over the initial WannaCry variants is that fact that EternalRock does not carry a kill-switch feature. Kaspersky Lab believes that it could easily be weaponized and used in the wild,” Kaspersky Lab said.

This article was updated May 22 with comments from Kaspersky Lab.

Suggested articles


  • Christian Schiffer on

    In one way this is a good thing. See these exploits have existed for a while and have been used by malicious government entities to spy on us. The publication of these exploits and the consequential use of it by private malicious entities has helped focus on the problem and helped or forced the antivirus community to put an end to this treason.
  • maounique on

    Of course, this is a textbook case on why deliberately weakening security so the surveillance state can spy on everyone under the pretext of the war on islam, drugs, child porn, dissent, democracy and others which will undoubtedly be used by the official propaganda sooner or later cannot be accepted in any way shape or form, because nobody is perfect and, even if we accept the pretexts used, the backdoors will inevitably be leaked or sold to criminal organizations, maybe even the terrorists we were supposed to be protected from.
  • Xian on

    The good thing that came out of it, is at least now we know the government spying is a real thing and no myth or fable or make-believe. wannacry used like 2 of those hacks, this baby uses 7 so the only way to prevent it from occurring by switching to linux or at least updating your windows 10, updating your build of norton, kaspersky, eset or any decent antivirus and use a vpn like ivacy or pure or express to secure the data and log in from some region where malware attack is less frequent, at least for now. copy or become a victim because this thing's got no killswitch either. once it does make it to the pc, eternal rock may be a lot harder to stop compared to its daddy, wannacry
  • maounique on

    "switching to linux" Linux is not and was never free of bugs. It is open source so backdoors are harder to introduce, but exploitable bugs are everywhere. Yes, it is way harder to subvert Linux but mostly because users are more informed and do not click on attachments and stuff, also because Windows is the low hanging fruit and much more standard as it is way harder to configure your own blend of OS, removing bloatware is notoriously difficult, so, attacking SMB in Windows is way easier since most Linux machines, even desktops, do not even have it installed, nevermind it is a different, reverse-engineered code implementation, sharing no code with the closed source windows one.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.