Thread: Malware & other nasty IT / cyber things

  1. #31
    Council Member
    Join Date: Nov 2013
    Posts: 35,749

    A security expert discovered a new worm, dubbed EternalRocks, that exploits the EternalBlue flaw to spread itself like WannaCry ransomware.

    The security expert Miroslav Stampar, a member of the Croatian Government CERT, has discovered a new worm, dubbed EternalRocks, that exploits the EternalBlue flaw in the SMB protocol to spread itself like the popular WannaCry ransomware.
    Stampar discovered EternalRocks after it infected his SMB honeypot; he called the malware ‘DoomsDayWorm.’

    Stampar discovered that EternalRocks disguises itself as WannaCry but, instead of delivering ransomware, takes over the affected computer to power other attacks.

    The researcher decompiled an older sample (start of May) of EternalRocks and published it on Github.

    Unlike the WannaCry ransomware, which leverages the two NSA hacking tools EternalBlue and DoublePulsar, EternalRocks uses seven exploits leaked by the Shadow Brokers, and its code doesn’t include a kill-switch.

    EternalRocks was developed to avoid detection and to remain undetectable on the target system; it uses the following NSA exploits:

    EternalBlue — SMBv1 exploit tool
    EternalRomance — SMBv1 exploit tool
    EternalChampion — SMBv2 exploit tool
    EternalSynergy — SMBv3 exploit tool
    SMBTouch — SMB reconnaissance tool
    ArchTouch — SMB reconnaissance tool
    DoublePulsar — Backdoor Trojan

    EternalRocks downloads all the above SMB exploits to the infected computer, then it scans the internet for open SMB ports on other systems to compromise.

    Miroslav Stampar @stamparm
    Info on (new) EternalRocks worm can be found on
    https://github.com/stamparm/EternalRocks/#
    …. Will keep it updated, along with @_jsoo_

    Update on #EternalRocks. Original name is actually "MicroBotMassiveNet" while author's nick is "tmc" https://github.com/stamparm/EternalR...trings#…

    If I will be asked to choose a name, let it be a DoomsDayWorm c52f20a854efb013a0a1248fd84aaa95

    P.S. there is no kill-switch. Everything goes through Tor. Initial infection by MS17-010 drops Tor binaries for further communication

    Somebody actually used complete Shadowbrokers dump (SMB part) and made a worm out of it. Uses WannaCry names (taskhost/svchost) to distract

    Seems to be just spreading at the moment and getting further commands from C&C

    Whole EternalRocks campaign (first and second stage malware) uses Mutex: {8F6F00C4-B901-45fd-08CF-72FDEFF}
    Last edited by davidbfpo; 06-16-2017 at 09:22 AM. Reason: Edited quote to fit ToR
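Added example, not code from the forum post, the quoted article, or Stampar's GitHub repository: a small Python detection routine that turns the indicators quoted in the post (the campaign mutex, the MD5 given in the tweet, the WannaCry decoy process names taskhost/svchost, and the Tor binaries dropped after infection) into checks run over a constructed stream of host telemetry. The `key=value|key=value` telemetry format, the "decoy name outside System32" rule and the "tor.exe is worth a look" rule are this example's own assumptions, not claims from the post; the live mutex check only works on Windows and is what a responder would run on a suspect host.

```python
"""Detection checks for the EternalRocks indicators quoted in the post above.

Example code, not from the post or Stampar's repository. Telemetry format
and the path/tor heuristics are assumptions made for this example.
"""
import ctypes
import re
import sys
from dataclasses import dataclass

# Indicators taken from the post: campaign mutex and the MD5 from the tweet.
ETERNALROCKS_MUTEX = "{8F6F00C4-B901-45fd-08CF-72FDEFF}"
ETERNALROCKS_MD5 = "c52f20a854efb013a0a1248fd84aaa95"
# Process names the worm borrows from WannaCry to blend in (per the tweet).
DECOY_NAMES = {"taskhost.exe", "svchost.exe"}
# Assumption for this example: the genuine binaries live under System32,
# so a decoy name running from anywhere else is suspicious.
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)


@dataclass
class Finding:
    kind: str
    detail: str


def parse_event(line):
    """Parse one 'key=value|key=value' telemetry line (constructed format)."""
    fields = {}
    for part in line.strip().split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def check_event(fields):
    """Return the findings for one parsed event."""
    findings = []
    etype = fields.get("type")
    if etype == "process":
        image = fields.get("image", "")
        name = image.rsplit("\\", 1)[-1].lower()
        if fields.get("md5", "").lower() == ETERNALROCKS_MD5:
            findings.append(Finding("hash", f"{image} matches EternalRocks MD5"))
        if name in DECOY_NAMES and not SYSTEM_DIR_RE.match(image):
            findings.append(Finding("decoy-name",
                                    f"{image} uses a WannaCry decoy name outside System32"))
        if name == "tor.exe":
            # Low confidence: the post says the worm drops Tor binaries for C&C,
            # but a legitimate Tor install looks the same; treat as a lead only.
            findings.append(Finding("tor-binary", f"{image} is a Tor binary; verify origin"))
    elif etype == "mutex":
        # Mutex names are case-sensitive on Windows, so compare exactly.
        if fields.get("name", "") == ETERNALROCKS_MUTEX:
            findings.append(Finding("mutex",
                                    f"pid {fields.get('pid')} holds the EternalRocks mutex"))
    return findings


def scan_lines(lines):
    """Run check_event over every non-empty telemetry line, in order."""
    findings = []
    for line in lines:
        if line.strip():
            findings.extend(check_event(parse_event(line)))
    return findings


def mutex_present_on_this_host():
    """Live check: try to open the campaign mutex by name.

    Returns True/False on Windows, None on other platforms (no check possible).
    """
    if sys.platform != "win32":
        return None
    SYNCHRONIZE = 0x00100000
    kernel32 = ctypes.windll.kernel32
    kernel32.OpenMutexW.restype = ctypes.c_void_p
    handle = kernel32.OpenMutexW(SYNCHRONIZE, False, ETERNALROCKS_MUTEX)
    if handle:
        kernel32.CloseHandle(ctypes.c_void_p(handle))
        return True
    return False


# Constructed sample telemetry: one benign svchost, one decoy taskhost carrying
# the quoted MD5, the mutex held by that process, and a dropped tor.exe.
SAMPLE_TELEMETRY = [
    r"type=process|pid=4412|image=C:\Windows\System32\svchost.exe|md5=00000000000000000000000000000000",
    r"type=process|pid=5120|image=C:\Users\Public\taskhost.exe|md5=c52f20a854efb013a0a1248fd84aaa95",
    r"type=mutex|pid=5120|name={8F6F00C4-B901-45fd-08CF-72FDEFF}",
    r"type=process|pid=6001|image=C:\ProgramData\tor.exe|md5=11111111111111111111111111111111",
]

if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_TELEMETRY):
        print(f"[{finding.kind}] {finding.detail}")
    print("live mutex check:", mutex_present_on_this_host())
```

The offline pass is what you would feed Sysmon process-create and handle data into after normalising it to the sample format; the hash match is the only high-confidence hit on its own, while the decoy-name, mutex and Tor findings are corroborating signals that should be triaged together for the same pid.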
