Q
Manage Learn to apply best practices and optimize your operations.

EternalRocks malware: What exploits are in it?

When NSA cyberweapons went public, attackers bundled them into the EternalRocks malware. Nick Lewis takes a closer look at this new threat and explains what's lurking inside.

Seven NSA cyberweapons, including four Windows SMB exploits, have been combined to create the EternalRocks malware....

What are the exploits used by EternalRocks, and how is it similar to the WannaCry ransomware worm?

Windows networking has been a scourge to the internet since the first Windows machine on a local network connected to the web. Windows networking still uses the server message block (SMB) protocol, and it was designed for local networks, but enterprises continue to expose their systems with SMB access open to the internet. Most enterprises block inbound and outbound Windows networking packets because of malware like Sircam, Nimda and many others, but when firewalls go down, internal systems can be infected.

Penetration testers and attackers are very aware of the insecurities in Windows networking. Still, one of the NSA exploits -- EternalBlue -- used in its EternalRocks malware, exploited a vulnerability in SMB v1 that could have been blocked by a border firewall filtering SMB traffic. The other SMB exploits included in the malware are EternalChampion, EternalRomance and EternalSynergy; EternalRocks also includes other NSA cyberweapons, such as the DoublePulsar exploit for implanting backdoors.

The EternalRocks malware kit wasn't just a Windows networking worm, but also included functionality to download additional code and connect to a command-and-control server for future commands. The initial exploit is very important in order to get initial access to a system, but the later stages of the attack are potentially the most important to defend against, and they have the most impact.

The EternalBlue exploit used by the EternalRocks malware is also used in the WannaCry ransomware worm, but WannaCry takes the next step with malicious action on the endpoint via ransomware. EternalRocks has no ransomware or malicious payloads and only spreads itself on systems and devices. Exploit kits, even security tools like Metasploit and other commercial tools, have much of the same functionality and could include these exploits into their toolkits.

Next Steps

Find out why computer worms like WannaCry continue to pose a threat

Learn why the WannaCry outbreak should prompt hospitals to up their security game

Read about how the NSA balances vulnerability disclosure and national security

This was last published in October 2017

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

PRO+

Content

Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

How do you deal with SMB exploits like those used by EternalRocks?
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

Close