Buzz
Android device users are currently facing the CopyCat malware threat. The main cause lies in downloading unauthorized APK files from sources like Google APK Player. Once infected, CopyCat seizes control of your phone and engages in malicious activities. Exercise caution when downloading Android apps from the internet.
The first half of 2017 witnessed a surge in malicious codes, particularly Ransomware, posing a threat to the safety of users' important data. The latest addition to this menace is the Petya Ransomware, operating similarly to WannaCry. Petya infiltrates systems, exfiltrates data, and demands ransom for its return. Prepare yourself against Petya Ransomware by learning more about it here.
Upon discovering EternalRocks, numerous methods for its eradication have been provided to users with infected devices. You should also explore these strategies to equip yourself with the most insightful knowledge on combating this type of virus.
A security researcher has uncovered a new malware capable of self-propagation by exploiting vulnerabilities in the SMB file-sharing protocol on Windows operating systems. Dubbed Eternal Rocks, unlike Ransomware WannaCry, EternalRocks utilizes only 2 hacking tools pilfered from the NSA (National Security Agency), leveraging all 7 tools.
What is EternalRocks? How to prevent EternalRock
Last week, users were alerted to multiple hacker groups exploiting hacking tools stolen from the NSA and targeting users. Specifically, the WannaCry Ransomware attack, although most of these attacks only utilize 2 tools: EternalBlue and DoublePulsar.
According to TheHackerNew, Miroslav Stampar, a renowned security researcher who created the famous tool 'sqlmap' and is now a member of the Croatian government's CERT, has discovered a new malware called Eternal Rocks. Much more dangerous than WannaCry, while there have been numerous measures to prevent WannaCry, there is currently no solution to combat Eternal Rocks. So, what is EternalRocks? How to prevent EternalRock, a malware deemed much more dangerous than WannaCry, multiple times over? Does it resemble the methods to prevent WannaCry?
What is EternalRocks?
Unlike WannaCry, Eternal Rock is designed to operate stealthily, ensuring it goes undetected by programs, antivirus software on the compromised system.
Stampar discovered EternalRock after this malware infected his SMB honeypot.
7 tools exploited and utilized by EternalRocks include
1. EternalBlue - a tool exploiting SMBv1.
2. EternalRomance - a tool exploiting SMBv1.
3. EternalChampion - a tool exploiting SMBv2.
4. EternalSynergy - a tool exploiting SMBv3.
5. SMBTouch - an SMB reconnaissance tool.
6. ArchTouch - an SMB reconnaissance tool.
DoublePulsar - Backdoor TrojanSMBTouch and ArchTouch are SMB reconnaissance tools designed to scan open SMB ports on the public internet.
Meanwhile, EternalBlue, EternalChampion, EternalSynergy, and EternalRomance are SMB vulnerabilities designed to compromise vulnerable Windows computers.
And DoublePulsar is used to propagate from one compromised computer to other vulnerable machines on the same network.
Stampar discovered that EternalRocks masquerades as WannaCry to deceive security researchers, but instead of deploying ransomware, Eternal Rocks gains unauthorized control over the affected computer to initiate future network-based attacks.
The attack methodology of EternalRocks
The installation process of EternalRocks occurs in 2 stages.
In the first stage, Eternal Rock downloads the Tor Browser onto the affected computers, then uses it to connect to the command and control (C&C) server located on the Tor network in the Dark Web.
'The initial stage of the malware UpdateInstaller.exe downloads necessary components .NET (for subsequent stages), TaskScheduler, and SharpZLib from the Internet, skipping components like svchost.exe and taskhost.exe,' said Stampar.
According to Stampar, the second stage occurs after 24 hours to evade sandboxing techniques and avoid detection of the virus infection.
After 24 hours, Eternal Rock communicates with the C&C server, utilizing the 7 tools to attack and control your computer.
'The svchost.exe component is used to download, extract, and run Tor from archive.torproject.org along with the C&C (ubgdgno5eswkhmpy.onion) requiring additional instructions (such as installing new components),' added Stampar.
All 7 SMB vulnerabilities are downloaded onto the infected computer. Eternal Rock then scans the internet for open SMB ports to spread to other vulnerable systems.
How to prevent EternalRock
Currently, there is still no effective way to prevent Eternal Rocks. However, to minimize the risk of infection from malware like WannaCry and EternalRocks, you should follow these steps:
1. Choose one of 5 methods to prevent WannaCry as introduced by Mytour in their series of guides on avoiding the WannaCry virus.
2. Perform a Windows Update (including patches for the SMB protocol)
- Download the patch for Windows XP Update SP2 64bit
- Download the patch for Windows XP Update SP3 32bit
- Download the patch for Windows XP Update SP3 Embedded 32bit
- Download the patch for Windows 7 Update 64bit
- Download the patch for Windows 7 Update 32bit
- Download the patch for Windows 8 Update 64bit
- Download the patch for Windows 8 Update 32bit
- Download the patch for Windows Server 2003 Update SP2 64bit
- Download the patch for Windows Server 2003 Update SP2 32bit
Hope that leading experts will find a way to prevent Eternal Rock as soon as possible
