Seven NSA cyberweapons, including four Windows SMB exploits, have been combined to create the EternalRocks malware....
What are the exploits used by EternalRocks, and how is it similar to the WannaCry ransomware worm?
Windows networking has been a scourge to the internet since the first Windows machine on a local network connected to the web. Windows networking still uses the server message block (SMB) protocol, and it was designed for local networks, but enterprises continue to expose their systems with SMB access open to the internet. Most enterprises block inbound and outbound Windows networking packets because of malware like Sircam, Nimda and many others, but when firewalls go down, internal systems can be infected.
Penetration testers and attackers are very aware of the insecurities in Windows networking. Still, one of the NSA exploits -- EternalBlue -- used in its EternalRocks malware, exploited a vulnerability in SMB v1 that could have been blocked by a border firewall filtering SMB traffic. The other SMB exploits included in the malware are EternalChampion, EternalRomance and EternalSynergy; EternalRocks also includes other NSA cyberweapons, such as the DoublePulsar exploit for implanting backdoors.
The EternalRocks malware kit wasn't just a Windows networking worm, but also included functionality to download additional code and connect to a command-and-control server for future commands. The initial exploit is very important in order to get initial access to a system, but the later stages of the attack are potentially the most important to defend against, and they have the most impact.
The EternalBlue exploit used by the EternalRocks malware is also used in the WannaCry ransomware worm, but WannaCry takes the next step with malicious action on the endpoint via ransomware. EternalRocks has no ransomware or malicious payloads and only spreads itself on systems and devices. Exploit kits, even security tools like Metasploit and other commercial tools, have much of the same functionality and could include these exploits into their toolkits.
Find out why computer worms like WannaCry continue to pose a threat
Learn why the WannaCry outbreak should prompt hospitals to up their security game
Read about how the NSA balances vulnerability disclosure and national security
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
A new remote access Trojan called UBoatRAT was found spreading via Google services and GitHub. Learn how spotting command-and-control systems can ... Continue Reading
CyberArk researchers created an attack called Golden SAML that uses Mimikatz techniques and applied it to a federated environment. Learn more about ... Continue Reading
The use of botnets to spread Scarab ransomware intensifies the threat for enterprises. Discover the best way to respond to such a threat and protect ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.