• EternalRocks SMB Worm Uses Seven NSA Hacking Tools

    Home » Forums » Cyber Security Information and Advisories » Code Red – Security/Privacy advisories » EternalRocks SMB Worm Uses Seven NSA Hacking Tools


    From https://www.bleepingcomputer.com/news/security/new-smb-worm-uses-seven-nsa-hacking-tools-wannacry-used-just-two/:

    “Researchers have detected a new worm that is spreading via SMB, but unlike the worm component of the WannaCry ransomware, this one is using seven NSA tools instead of two.

    The worm’s existence first came to light on Wednesday, after it infected the SMB honeypot of Miroslav Stampar, member of the Croatian Government CERT, and creator of the sqlmap tool used for detecting and exploiting SQL injection flaws.”

    2 users thanked author for this post.
    Viewing 6 reply threads
    • #116695

      Stealth Backdoor Abused NSA Exploit Before WannaCrypt

      By Ionut Arghire | May 19, 2017

      In the aftermath the WannaCry ransomware outbreak, security researchers discovered numerous attacks that have been abusing the same EternalBlue exploit for malware delivery over the past several weeks.

      Targeting a Server Message Block (SMB) vulnerability on TCP port 445, the exploit was made public in April by the group of hackers calling themselves “The Shadow Brokers” and is said to have been stolen from the National Security Agency-linked Equation Group. The targeted flaw was patched in March.

      The fast spreading WannaCry brought EternalBlue to everyone’s attention, yet other malware families have been using it for infection long before the ransomware started using it. One of them was the Adylkuzz botnet, active since April 24, researchers revealed.

      Now, Cyphort says that evidence on a honeypot server suggests attacks on SMB were active in early May, and they were dropping a stealth Remote Access Trojan (RAT) instead of ransomware. The malware didn’t have the worm component and didn’t spread like WannaCry.

      Read the full article on securityweek.com

      5 users thanked author for this post.
      • #117010

        From the bleepingcomputer post @MrBrian quoted in the top post:

        As a worm, EternalRocks is far less dangerous than WannaCry’s worm component, as it currently does not deliver any malicious content. This, however, does not mean that EternalRocks is less complex.

    • #116723

      As the exploit is “is spreading via SMB”, does that imply that disabling the Windows SMB1 feature as recommended by Microsoft provides adequate protection?


      • #117017

        There are two more versions of SMB: SMB2 and SMB3. The known SMB vulnerabilities have been fixed already but disabling SMB1 provides protection against currently unknown or future SMB1 vulnerabilities before Microsoft fixes them.

    • #116959

      Is my understanding correct that we’re also protected from this nasty if we’ve installed the March patch that protects us from WannaCry? Thanks.

      Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

      1 user thanked author for this post.
      • #117006

        Information is still a little hazy on this, but at this stage it seems the SMB issue and Port 445 are important to address, as well as patching.

        This post about NCSC guidance might help.

        2 users thanked author for this post.
      • #117007

        The answer is NO, but it is better to be patched than not. The Shadow Brokers and their many customers have mixed motives.

        Security researchers have identified multiple different campaigns exploiting Windows SMB vulnerability. Some were in play before WannaCry was discovered. Security labs (and Microsoft) have analysed some of them but the problem is that there is a lot more coming and sometimes these malicious activities go unnoticed for weeks.

        The scumbags who released two of the earlier versions before WannaCry was discovered, used different attack vectors and set it up to inject a stealthy thread inside legitimate applications. In other words, a backdoor. These attacks demonstrate that many endpoints may still be compromised despite having installed the latest security patch.

        We are definitely in Code Red – RIGHT NOW. The advise I would give to a Windows Home user : stay vigilant.

        3 users thanked author for this post.
        • #117085

          I agree. The March update alone is not enough. The May update must also be installed since it addresses additional SMB vulnerabilities.

      • #117014

        I believe so, if you had updated soon enough – see Protecting customers and evaluating risk.

        The May 2017 Microsoft updates also fixed various SMB vulnerabilities, including 4 remote code execution vulnerabilities that Microsoft rates as “Exploitation Less Likely.” See http://blog.talosintelligence.com/2017/05/ms-tuesday.html for more details.

        2 users thanked author for this post.
    • #116974

      I said this a few days ago, repeating it here.

      I highly recommend you install the May 2017 SMB patch as soon as possible, or, if your organization can deal with the repercussions to certain commercial productivity software — disable SMB 1.x immediately.

      CVE-2017-0279 | Windows SMB Remote Code Execution Vulnerability
      Security Vulnerability
      Published: 05/09/2017 | Last Updated : May 11, 2017

      A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.

      To exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.

      The security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.


      Good luck!  My team is prepared, I think – but we are bracing for a major storm the rest of May.

      ~ Group "Weekend" ~

      4 users thanked author for this post.
      • #117008

        Is there any evidence of exploits for the SMB vulnerabilities that were fixed in May 2017?

      • #117042

        As a home user if you are not using a home server and such things, would disabling all SMB protocols be prudent?

        • #117236

          I’m curious to know that too

          • #117247

            I will disable the other Server Message Block protocol versions on other machines without waiting anymore time for an answer.

            • #117372

              Just remember that you’ve done so when you expect your Windows system to network with other systems in your local area network.


            • #117504

              There are 2 traditional components to Windows Networking:

              – Client for Microsoft Networks – this is the Workstation service or LanmanWorkstation – you do not tamper with this one
              – File and Printer Sharing for Microsoft Networks – this is the Server service or LanmanServer – this implements SMB and in general the server functionality.

              The Server service is not mandatory for regular client PCs, but I don’t know if uninstalling this service causes any problems with the current operating systems. This is the type of tweak done by people like Noel who is locking down his system to the extreme. I am not doing it.
              This service implements SMB1, and if available SMB2 and SMB3.

              Accessing a File Server or a Print Server does not require the Server service (it require the Workstation service which is the client), but having a File Server or Print Server does require the Server service for obvious reasons.

            • #117527

              This is the type of tweak done by people like Noel who is locking down his system to the extreme. I am not doing it.

              To be clear, I have removed SMB1 support, but I still run Server on all my systems. I need to be able to move files around freely between systems.

              I rely on my router to prevent incoming connections from the wild internet to Windows Networking, and my firewall configuration to prevent both incoming and outgoing ones that haven’t been pre-approved (e.g., from beyond my LAN).

              Frankly, if you’re NOT using Windows Networking to access files between computers, you should be able to go into the Network and Sharing Center > Advanced sharing settings and just disable file and printer sharing. I don’t think I’ve ever run a Windows system that way, since I always use a LAN, so I can’t speak from personal experience but the settings are there.



              1 user thanked author for this post.
            • #117797

              About two months ago you had posted a screenshot of your turning off the SMB 1.0/CIFS component; another Anonymous AskWoody poster revealed the Powershell command for turning off access to the SMB 1.0 protocol. Thank you both for those tips, I have acted on the  advisement to do so for all machines.

              Microsoft made a change for the worse by aggregating some settings under ‘All Networks’ instead of leaving them be per network type.

              I asked whether turning off all SMB versions was a good idea because I’ve read come conflicting information, and the unknown future.

            • #117821

              It was only an example, I had no idea what was your implementation in this case. 🙂
              I disabled SMB1 when all this started but not the Server service.

            • #117806

              Thank you for elaborating which services are dedicated for the tasks, I’m also not going to turn those off or try to uninstall them myself unless there was a cause for such action. I’ll just undo the SMB 2.0/3.x PowerShell tweak. Maybe Microsoft could separate the toggling of SMB 2.0/3.x but it might be a serious pain…

            • #117494

              From what I have read you shouldn’t disable SMB2 or SMB3, only SMB1, which also appears to be what is used by ransomware. Re-enable 2 and 3 would be my suggestion. (Unable to install the patch anyway, disabled SMB1, seems to be all ok). Keep AV and anti-malware uptodate. Symptomatic of WU and will be the problem now for Group A. Remove all important files to an external hard drive, disconnect when browsing. Pointless panicking, do what you can.

            • #117798

              Okay, thank you Anonymous.

        • #117859
          • #117891

            Thank you MrBrian & Kirsty, I have the url saved in case it is needed for other reasons. 🙂

    • #117090

      Is there any evidence of exploits for the SMB vulnerabilities that were fixed in May 2017?

      My guess is that we will all know in less than 10 days since I think that cyber-criminals will act swiftly to take advantage of these other NSA exploits.

    • #117195

      Due to the fact that,
      1.) New exploits are now in the wild as noted above
      2.) My employer pushed the May “Group B” updates to my computer at work at least a week ago
      3.) I’m already in what I call “Group A#” (A-sharp, i.e. telemetry disabled) at home

      I went ahead and installed the following updates:

      KB4019112 – Security and Quality Rollup for the .NET Framework for Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1: May 9, 2017 – https://support.microsoft.com/en-us/help/4019112/
      KB4019264 – 2017-05 Monthly Rollup – https://support.microsoft.com/en-us/help/4019264/

      No issues detected so far.

    • #117557
      1 user thanked author for this post.
    Viewing 6 reply threads
    Reply To: EternalRocks SMB Worm Uses Seven NSA Hacking Tools

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.

    Your information: