Wednesday, February 8, 2023

EternalRocks: WannaCry’s Bigger, More Dangerous Brother

EternalRocks: WannaCry’s Bigger, More Dangerous Brother

If you thought WannaCry was bad, wait until you see its big brother. Based on the same NSA toolkit, the new EternalRocks worm has been detected in the wild, and it could be disastrous to your computer.

Also read: Travelers in Japan Can Now Use Bitcoin to Book Flights With Peach

The NSA Toolkit Is a Gift That Keeps on Giving

Originally discovered by the Croatian National Computer Emergency Response Team, the worm exploits the same Server Message Block (SMB) protocol flaw in all Windows machines, dating as far back as XP. Named EternalRocks, the malware is one of several tools stolen from the NSA last year and propagated on Github, the world’s largest code-sharing network, by hacker group TheShadowBrokers.

The basket include apps that attack vulnerabilities in Sendmail on Redhat Linux, IBM Lotus Notes and Lotus Domino, Internet Information Services (IIS) on Windows, as well as numerous exploits for the aforementioned SMB protocol.

Running the exploits against vulnerable machines will give an attacker remote access to the target’s file system, after which they can install ransomware (as with the earlier WannaCry outbreak), or hidden cryptocurrency miners (last week’s Adylkuzz). Most attacks will also commonly include DoublePulsar in their payload, which installs a backdoor on the machine and then spreads itself to others on the network.

EternalRocks Is Harder to Detect

Unlike WannaCry, which used the EternalBlue worm, the EternalRocks strategy evades detection even from most security researchers.

It does this through a two-stage installation process, by first installing a Tor client and requesting further instructions from a URL on the dark web, a strategy known as C&C or “Command and control” communication. Typically, a worm infects a machine then awaits further instructions and new payloads from its control server.

However, in the case of EternalRocks, the C&C server doesn’t respond for 24 hours, which would lead security researchers to mistakenly believe that the server is dead and that the trail has gone cold.

The payload from EternalRocks’ Control server includes a 4mb ZIP file named “” that unpacks itself on the host machine, and immediately begins scanning for other machines to infect.

Infected Machines Are Awaiting Instructions

Perhaps the most frightening thing about the EternalsRocks exploit is that all it currently does is propagate itself to as many machines as possible. Because the infected machines just wait for new payloads from their control server, the worm doesn’t modify its host in any easily discernible way. However, once the propagation has reached a large enough number of machines, it represents a valuable network resource that the attackers could harness any number of ways, possibly by turning them into botnets, or by ransoming them all at once.


Even more concerning, the DoublePulsar backdoor is left open to any attacker, not just the EternalRocks originators. A machine infected with DoubePulsar would accept new payloads from any source, effectively turning it into a Petri dish of computer malware.

The race is on for systems administrators to urge their networks against the various NSA exploits in the wild. However, security researchers advise that the Windows SMB patch may no longer be enough. Administrators must also sweep their systems for evidence of DoublePulsar or EternalRocks, because once either of those have been installed, it will be too late.

Are you worried about EternalRocks? Share your thoughts down below.

Images via Getty Images, Gadgets Now

Bitsonline Email Newsletter