EternalRocks Computer Worm (May 26, 2017)


EternalRocks is malware that makes use of the Shadow Brokers' NSA leak to exploit multiple SMB vulnerabilities. EternalRocks emerged earlier than WannaCry, and multiple variants have been observed since its first appearance. However, the developer of the EternalRocks SMB worm appears to have shut down his operation after the intense focus from the media. [ref]

EternalRocks spreads by exploiting multiple SMB vulnerabilities; after it infects a target, it downloads the payload. The following is some of the network traffic observed:

Here are the file write operations:

The downloaded exploits have been observed in the following directory:

In the config directory there are configuration files named after the exploits:

The SonicWall Threat Research team has analyzed this malware and released the following signatures to cover it:

  • GAV:13638 EternalRocks.G6
  • GAV:13639 EternalRocks.G5
  • GAV:13640 EternalRocks.G4
  • GAV:13648 EternalRocks.G3
  • GAV:13651 EternalRocks.G2
  • GAV:13657 EternalRocks.G1

There are also existing IPS signatures detecting the SMB traffic:

  • IPS:12800 Windows SMB Remote Code Execution (MS17-010) 3
  • IPS:12801 Windows SMB Remote Code Execution (MS17-010) 4
  • IPS:12792 Windows SMB Remote Code Execution (MS17-010) 2
  • IPS:12794 Windows SMB Invalid Trans Session Setup Request
  • IPS:12795 EternalBlue MS17-010 Echo Response
  • IPS:12796 Suspicious CIFS Traffic 13
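As an added example (not SonicWall's code; the alert line format below is a constructed assumption, not SonicWall's real log syntax), the following correlates the MS17-010 IPS signature IDs listed above across alerts to flag a single source hitting many SMB hosts, the worm-like spread pattern this advisory describes:

```python
import re
from collections import defaultdict

# IPS signature IDs listed in this advisory for MS17-010 / EternalBlue SMB traffic.
MS17_010_SIGS = {12800, 12801, 12792, 12794, 12795, 12796}

# Constructed sample alerts in a hypothetical format (not SonicWall's real log syntax):
# "<time> IPS:<id> src=<ip> dst=<ip> dport=<port>"
SAMPLE_ALERTS = """\
10:00:01 IPS:12800 src=10.0.0.5 dst=10.0.0.20 dport=445
10:00:02 IPS:12795 src=10.0.0.5 dst=10.0.0.21 dport=445
10:00:03 IPS:12792 src=10.0.0.5 dst=10.0.0.22 dport=445
10:00:04 IPS:12794 src=10.0.0.5 dst=10.0.0.23 dport=445
10:00:05 IPS:12800 src=10.0.0.9 dst=10.0.0.20 dport=445
10:00:06 IPS:12796 src=10.0.0.5 dst=10.0.0.20 dport=445
10:00:07 IPS:99999 src=10.0.0.7 dst=10.0.0.30 dport=80
"""

ALERT_RE = re.compile(r"IPS:(\d+) src=(\S+) dst=(\S+) dport=(\d+)")


def parse_alerts(text):
    """Yield (sig_id, src, dst, dport) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3), int(m.group(4))


def find_smb_spreaders(text, min_targets=3):
    """Return {src: sorted distinct dst list} for every source that triggered one of
    the MS17-010 signatures against at least `min_targets` distinct hosts on TCP/445.
    One source probing many SMB hosts is the lateral-spread pattern to hunt for."""
    targets = defaultdict(set)
    for sig, src, dst, dport in parse_alerts(text):
        if sig in MS17_010_SIGS and dport == 445:
            targets[src].add(dst)
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for src, hosts in find_smb_spreaders(SAMPLE_ALERTS).items():
        print(f"possible SMB worm spread from {src}: {len(hosts)} targets -> {hosts}")
```

Feed real IPS alerts in the same shape through `find_smb_spreaders` and tune `min_targets` to your segment size; a single MS17-010 hit is noise, a fan-out across many hosts is not.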