EternalRocks malware: What exploits are in it?

When NSA cyberweapons went public, attackers bundled them into the EternalRocks malware. Nick Lewis takes a closer look at this new threat and explains what's lurking inside.

Seven NSA cyberweapons, including four Windows SMB exploits, have been combined to create the EternalRocks malware. What are the exploits used by EternalRocks, and how is it similar to the WannaCry ransomware worm?

Windows networking has been a scourge to the internet since the first Windows machine on a local network connected to the web. Windows networking still uses the server message block (SMB) protocol, and it was designed for local networks, but enterprises continue to expose their systems with SMB access open to the internet. Most enterprises block inbound and outbound Windows networking packets because of malware like Sircam, Nimda and many others, but when firewalls go down, internal systems can be infected.

Penetration testers and attackers are very aware of the insecurities in Windows networking. Still, one of the NSA exploits -- EternalBlue -- used in its EternalRocks malware, exploited a vulnerability in SMB v1 that could have been blocked by a border firewall filtering SMB traffic. The other SMB exploits included in the malware are EternalChampion, EternalRomance and EternalSynergy; EternalRocks also includes other NSA cyberweapons, such as the DoublePulsar exploit for implanting backdoors.

The EternalRocks malware kit wasn't just a Windows networking worm, but also included functionality to download additional code and connect to a command-and-control server for future commands. The initial exploit is very important in order to get initial access to a system, but the later stages of the attack are potentially the most important to defend against, and they have the most impact.

The EternalBlue exploit used by the EternalRocks malware is also used in the WannaCry ransomware worm, but WannaCry takes the next step with malicious action on the endpoint via ransomware. EternalRocks has no ransomware or malicious payloads and only spreads itself on systems and devices. Exploit kits, even security tools like Metasploit and other commercial tools, have much of the same functionality and could include these exploits into their toolkits.

Next Steps

Find out why computer worms like WannaCry continue to pose a threat

Learn why the WannaCry outbreak should prompt hospitals to up their security game

Dig Deeper on Threats and vulnerabilities