[BleepingComputer] New SMB Worm Uses Seven NSA Hacking Tools. WannaCry Used Just Two

Quote: New SMB Worm Uses Seven NSA Hacking Tools. WannaCry Used Just Two
Researchers have detected a new worm that is spreading via SMB, but unlike the worm component of the WannaCry ransomware, this one is using seven NSA tools instead of two.

The worm, which Stampar named EternalRocks based on worm executable properties found in one sample, works by using six SMB-centric NSA tools to infect a computer with SMB ports exposed online.

These are ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY, which are SMB exploits used to compromise vulnerable computers, while SMBTOUCH and ARCHITOUCH are two NSA tools used for SMB reconnaissance operations.

Once the worm has obtained this initial foothold, it then uses another NSA tool, DOUBLEPULSAR, to propagate to new vulnerable machines.

The WannaCry ransomware outbreak, which affected over 240,000 victims, also used an SMB worm to infect computers and spread to new victims.

Unlike EternalRocks, WannaCry's SMB worm used only ETERNALBLUE for the initial compromise, and DOUBLEPULSAR to propagate to new machines.

EternalRocks also uses files with identical names to the ones used by WannaCry's SMB worm, in another attempt to fool security researchers into misclassifying it.
