New SMB Worm Uses Seven NSA Hacking Tools. WannaCry Used Just Two (bleepingcomputer.com)
An anonymous reader writes: Researchers have detected a new worm that is spreading via SMB, but unlike the worm component of the WannaCry ransomware, this one is using seven NSA tools instead of two. Named EternalRocks, the worm seems to be in a phase where it is infecting victims and building its botnet, but not delivering any malware payload.
EternalRocks is far more complex than WannaCry's SMB worm. For starters, it uses a delayed installation process that waits 24 hours before completing the install, as a way to evade sandbox environments. Further, the worm also uses the exact same filenames as WannaCry in an attempt to mislead researchers as to its true origin, a reason why the worm has evaded researchers almost all week, despite the attention WannaCry payloads have received.
Last but not least, the worm does not have a killswitch domain, which means the worm can't be stopped unless its author chooses to stop it. Because of the way it was designed, it is trivial for the worm's owner to deliver any type of malware to any of the infected computers. Unfortunately, because of the way its author used the DOUBLEPULSAR implant, one of the seven NSA hacking tools, other attackers can hijack its botnet and deliver their own malware as well. IOCs are available in a GitHub repo.
Ars Technica quotes security researchers who say "there are at least three different groups that have been leveraging the NSA exploit to infect enterprise networks since late April... These attacks demonstrate that many endpoints may still be compromised despite having installed the latest security patch."
This is windows calling... (Score:5, Funny)
Your computer have virus.
Re: This is windows calling... (Score:5, Funny)
Re: (Score:2)
Sure Windows, you sound legit with your Indian accent. Access as needed. O.....sorry I'm not paying. Btw, you're also locked in a virtualized Windows platform on Debian. Thanks for playing
Windows is sand-boxed inside of a VM instance for me.
Re: (Score:2)
Windows has degraded so badly I don't think anyone competent should run it outside a VM for any purpose other than badly-made games anymore.
On the other hand, I don't watch TV at all, nor do I play AAA games, so I'm rather ill informed about today's DRM. As for games, everything I've tried recently works fine in wine with issues restricted to details like:
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Sounds like you're at the place to work, man! Lucky you. The lot of these poor saps get forced to use shitware.
Re: (Score:3)
Are these posters active in the workforce? Every relevant office in the world uses windows.
My last job where I interacted with any office workers (sales, accountants) ended 5 years ago. It looks like such software has mostly moved inside the browser, too, which trades local deployment problems (a nightmare!) for browser incompatibility issues (MSIE being mostly dead, this seems to be a solved issue). I'm not a web developer, either.
And in rare cases when I have to test something on Windows, it's the very reason I keep a Windows VM! And more importantly, not just one but a whole array of them.
Re: (Score:2)
Yeah - windows has no way to run vms, you'd have to use physical partitions for some reason.
Windows as a host can run VMs, but it really sucks when it comes to managing them. Even the basics you take for granted on Unix, like dd, scp, rsync, are missing, and don't work well if you try anyway. On the other hand, even without any external tools, with nothing but basic qemu+btrfs, on Linux you get thin provisioning, discard, snapshots, deduplication, O(changes) backup, and so on, out of the box.
Writing software IN a vm for Windows seems bizarrely painful.
It's strictly less painful than writing outside a VM.
I get that windows has problems but keeping a clean windows system for visual studio (when I'm doing that) is simply not a problem.
Try when an external component you're using has two
Re: (Score:2)
I haven't used Windows for work or personal reasons in about 12 years. The only exception being about a half-dozen times that I've run it in a VM to see if the Windows version of our product still compiled and ran according to the instructions.
I am very actively employed at a global top 10 software vendor. Do you think I need to get out more?
Depends on the sector (Score:2)
Are these posters active in the workforce? Every relevant office in the world uses windows.
{...} But out here in the functional world, windows is everywhere.
Depends of the field you work.
Academic research ?
Especially in fields like computational biology?
It's going to be exclusively UNIX.
With Mac OS X being a bit more popular on the laptops and workstations of the researchers,
and Linux having monopoly on the servers and compute nodes.
Re: (Score:2)
Re: This is windows calling... (Score:1)
Re: (Score:2)
so how many times should they pay for that one install?
Re: (Score:2)
There was a video on YouTube last year of a guy who managed to convince the scammer that the scammer's own PC was broken and then walking him through how to go into the BIOS and fix it. Of course, the change he made to the BIOS actually made the machine unbootable and possibly unrecoverable.
Most of the scammers are just working from a script. They don't know anything and are easy to mess with. Must be weird doing that for a living though.
Re: (Score:2)
> Btw, you're also locked in a virtualized Windows platform on Debian.
You've almost got it right. you just need to add something along the lines of;
And, just because I consider you one of my really special friends, I've got this really cool little tool tcpdump running on it and hey! Is that your IP address? Huh. I wonder what those other kooky nuts over at /b/ will make of that? ...Oh, he hung up.
Re: (Score:2)
You've got worm! - AOL
Re: (Score:2)
Ooh! That's an old one! Haven't seen it in the wild, but I can remember when it was doing the rounds.
Re: (Score:3)
So does this one support Win10? Virus writers seem stuck in the past.
Re: (Score:1)
So does this one support Win10? Virus writers seem stuck in the past.
Wut!?
Win10 *IS* a virus!!
I guess it's virii all the way down. :)
Strat
Re: (Score:1)
You're right. Windows 10 isn't a virus, it's malware.
Re: (Score:1, Informative)
The Internet's full of SMB worms (Score:2)
ooh, i am so outraged (Score:1, Insightful)
Be sure to spin rhetoric about "NSA" and "CIA" freakouts harder than the actual technical details, as usual!
Re: (Score:2, Insightful)
Why shouldn't we? The technical details are not of interest to a general audience, and are already available to those who do have a vested interest.
The bottom line, however, is that the NSA knowingly endangered the entire country by failing to disclose vulnerabilities in our digital infrastructure. The "it's not their job" argument is bullshit. They acted unethically (to put it way too mildly), and the people who pay their salaries are now being hacked because of it.
Not cool.
Re: (Score:2)
Why shouldn't we? The technical details are not of interest to a general audience, and are already available to those who do have a vested interest.
This is slashdot, whose motto is "news for nerds". Granted, this isn't 2600, but I think getting more to the technical side is at least somewhat warranted.
I honestly despise slashdot's articles that remain the political realm without getting down to some kind of science or engineering (unless it's some sort of life altering event like 9/11 or something.)
The Viri (Score:2)
Why? Is there not enough information to fill the 24 hour news cycle with Trump in the US, Erdogan in Turkey, the Brexit in Europe, ad infinitum...
Or, and I don't have the tinfoil hat on but it's out of the drawer, will these be used to somehow shunt internet freedoms as the powers that be protect us from another Boogeyman.
Re: (Score:1)
Since being a security company is more a matter of marketing than skill (in a great many cases: look at the most popular anti-viruses), once the white hats [medium.com] realized that, they did it more.
Re: (Score:2)
No.
Re: Unix-based (Score:1)
Re: (Score:2)
Re: (Score:1)
If you only followed the news in the past month, you'd notice that Windows vulnerabilities and attack tools were only dumped just after Linux/Solaris/MacOS/Android exploit tools were released by the same group, ShadowBrokers.
No word from the NSA? (Score:3, Interesting)
Why has the NSA, who know exactly what weaponized exploits were broadcast to the world. . . Why has the NSA not offered-up any antidotes to their now-public weaponization of a bunch of sploits?
They could swoop in and try to look like the hero here, but there's been no sign of that. Not a peep from the NSA.
Are they just making popcorn and watching the fallout because they think they are computer GODS, enjoying watching the plebes fight all of these forthcoming worms and trojans just to get themselves off before going back to work reducing the security of the USA by continuing to develop more of the same?
Re:No word from the NSA? (Score:5, Insightful)
Re: (Score:3)
They released patches for EternalBlue and related exploits AFTER the ShadowBrokers released them.
Microsoft didn't release patches for older versions of Windows until the day after the attack on the NHS.
Re: (Score:2)
EternalBlue patches for older OSes were made generally available on 15 May, 3 days after WannaCry attacks were reported on a large scale. This is despite the fact that the exploit WannaCry used for the EternalBlue vulnerability failed to work on XP due to differences in the OS.
Re: (Score:2)
Microsoft patching older OSes that are no longer supported was a free gift. Any business running XP or Server 2003 without a custom support contract is taking a big gamble.
I realize Slashdot loves to hate MS - and their war on Linux was good motivation - but MS really acted responsively on WannaCry.
Re:No word from the NSA? (Score:5, Insightful)
Wakey wakey sleepyhead....
When the NSA realized that the code had been stolen and likely to be released, they communicated the SMB bug to Microsoft, who then released patches for their "maintained" OSes two months ago. It is because of this that they were able to release patches for their out-of-maintenance OSes as soon as WannaCry started spreading.
Did you just imply that if the NSA said "here's a patch, please apply it globally" that you would apply it blindly?!? I'm not one of the people calling for the NSA to be the world's beta testing organization by buying up all the bugs on the internet and then handing them off to makers so that they patch their code, but even I wouldn't apply an NSA patch blindly like that.
The NSA is not Trump with hourly Twitter updates direct from them to the world. They'll always communicate through proxies.
They are waiting (Score:2)
for the systems to be infected, then take them over from the virus writers discreetly
Re:No word from the NSA? (Score:5, Insightful)
I hate to interrupt a good blame fest, but every Windows computer comes with a program that downloads updates (fixes) from Microsoft and approximately zero Windows computers come with a program that downloads updates from the NSA. So how would the NSA distribute fixes, if they wanted to?
Microsoft already released fixes, so what makes you think the NSA didn't provide the information needed to the people who are in a position to distribute fixes?
Re: (Score:1)
I hate to interrupt a good blame fest, but every Windows computer comes with a program that downloads updates (fixes) from Microsoft and approximately zero Windows computers come with a program that downloads updates from the NSA.
What if I told you... That one program does both ?
Re: (Score:3)
What really bugs me is that shit continuously leaks out of the NSA. Just pours the fuck out. What do we pay them for? I mean really what use is a spy organization that gets the fuck hacked out of it all the damn time? Billions of dollars and the secrets we pay through the nose to acquire are out for every asshole in the world to use. And not a single damn incompetent cocksucker gets fired! On 9/11 we get hit by fuckers that they knew were here, they had a report they were learning to fly but weren't interes
Re: (Score:2)
Re: (Score:2)
Or everybody could just quit panicking and patch their systems.
I tried.
I downloaded MS17-010 for 64 bit Win 7 (which I run in my work laptop), and after churning for a few mins, it said that the Update Wasn't Installed.
So I simply disabled SMB1 and am hoping for the best.
If anyone has any ideas, I'd love to hear them!
Re: (Score:2)
Re: (Score:2)
Disabling SMB1 is not enough to stop the EternalRocks worm, which includes the EternalChampion (SMB2) and EternalSynergy (SMB3) exploits.
Have I mentioned that I hate Windows?
liability (Score:1, Insightful)
Re: (Score:2)
Just add verbiage to the clickwrap saying "we're not legally liable. also, binding arbitration." Oh wait the clickwrap already says that. You mean a new law that mandates liability? Simple, contracts say "you agree to keep this machine airgapped" in a 'crumple-zone' clause that everyone expects to be violated yet is designed to not affect the rest of the contract when it is. Ok MS agreed to provide a secure product... but only those who violated the contract were infected and could be party to a class-actio
Glad I killed off SMB v.1 (Score:5, Informative)
If you haven't looked into it yet and you're running Windows 7 and above, disable SMB v.1 on Windows as server or client [microsoft.com]. There's not much reason to maintain it unless you have older hardware/software that relies on it (XP, Windows Server 2003). v.1 is slower and completely replaced by SMB v.2 and v.3.
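An added worked example, not part of the post above and not Microsoft's own script: the two halves of "disable SMB v.1 as server or client" on Windows 7 and later, done with the documented registry/sc.exe switches from Microsoft's KB2696547 on Windows 7/2008 R2 and the native cmdlet on Windows 8/2012 and later, followed by a check that both halves took effect. The function name `Test-Smb1Disabled` is my own. Removing SMBv1 shrinks the attack surface but is not a substitute for installing MS17-010 (mentioned elsewhere in this thread), which is the actual fix for the EternalBlue vulnerability.

```powershell
# Added example (not from the original post): disable SMB1 on Windows 7 and later
# as both server and client, then verify. Run from an elevated prompt; a reboot is
# needed for the driver/dependency changes to apply. Install MS17-010 regardless.

$osVersion = [Environment]::OSVersion.Version   # 6.1 = Win7/2008R2, 6.2+ = Win8/2012+
$srvKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$mrxsmb10  = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'

# --- Server side: stop this host from offering SMB1 to clients ---
if ($osVersion -ge [Version]'6.2') {
    # Windows 8 / Server 2012 and later ship a cmdlet for this.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    # Windows 7 / Server 2008 R2: LanmanServer reads this DWORD at start
    # (0 = SMB1 off, 1 = on). Documented in KB2696547.
    Set-ItemProperty -Path $srvKey -Name SMB1 -Type DWord -Value 0 -Force
}

# --- Client side: stop this host from speaking SMB1 to other servers ---
# Same procedure from Win7 through Win10 (KB2696547): take the SMB1 redirector
# (mrxsmb10) out of the workstation service's dependency chain, then disable
# the driver itself. Use sc.exe explicitly; plain "sc" is a PowerShell alias.
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null

# --- Verification (hypothetical helper name; returns an object, not just text) ---
function Test-Smb1Disabled {
    if ($osVersion -ge [Version]'6.2') {
        $serverOff = -not (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $v = Get-ItemProperty -Path $srvKey -Name SMB1 -ErrorAction SilentlyContinue
        $serverOff = ($null -ne $v -and $v.SMB1 -eq 0)
    }
    # Service start type 4 = Disabled for the mrxsmb10 driver.
    $clientOff = (Get-ItemProperty -Path $mrxsmb10 -Name Start).Start -eq 4

    [pscustomobject]@{
        ServerSmb1Off = $serverOff
        ClientSmb1Off = $clientOff
        RebootPending = $true   # driver changes only bind after restart
    }
}

Test-Smb1Disabled
```

After the reboot, a host running Windows 8 or later can additionally confirm the dialect in use on live sessions with `Get-SmbConnection` (the `Dialect` column should read 2.x or 3.x); that cmdlet does not exist on Windows 7, which is why the example falls back to the registry there.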
Re: (Score:2)
Useful Info (Score:2)
Dear NSA, (Score:2)
What goes around is apparently coming around - thanks a lot for that.
Seems that whole "(our) security through (your) obscurity" thing has a few wrinkles in it.
Sincerely,
The people you're supposed to be protecting.
I've configured my firewall (Score:2)
I've got a printer and NAS on my network, I know the printer uses SMB but not sure of the NAS.
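As an added example for the firewall side of this, not code from the poster: restricting inbound SMB on a Windows 8 or later host so that only the local subnet (where a printer or NAS would live) can reach it, and two checks to see what the built-in sharing rules already allow and what is actually listening. Rule display names are my own; the NetSecurity cmdlets require an elevated prompt.

```powershell
# Added example (not from the original post): scope inbound SMB to the local
# subnet and inspect the current exposure. Requires Windows 8 / Server 2012+.

# 1. What do the stock "File and Printer Sharing" rules allow today?
#    The address filter shows RemoteAddress per rule (Any, LocalSubnet, ...).
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled True |
    Get-NetFirewallAddressFilter |
    Select-Object -Property InstanceID, RemoteAddress

# 2. Drop all inbound SMB (NetBIOS session 139, direct-host 445) on Public
#    networks: coffee-shop Wi-Fi has no business seeing port 445 at all.
New-NetFirewallRule -DisplayName 'SMB inbound: block on public networks' `
    -Direction Inbound -Protocol TCP -LocalPort 139,445 `
    -Profile Public -Action Block

# 3. On Private/Domain networks, allow SMB only from the local subnet. Windows
#    Firewall applies block rules before allow rules, so this allow never
#    widens the public-profile block above.
New-NetFirewallRule -DisplayName 'SMB inbound: local subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 139,445 `
    -Profile Private,Domain -RemoteAddress LocalSubnet -Action Allow

# 4. Confirm what is actually listening on the SMB ports on this host.
Get-NetTCPConnection -LocalPort 139,445 -State Listen -ErrorAction SilentlyContinue |
    Select-Object -Property LocalAddress, LocalPort, OwningProcess
```

Step 1 matters because a stock rule scoped to `Any` would still admit SMB from outside the subnet on Domain networks regardless of the new allow rule; if it shows `Any`, narrow it with `Set-NetFirewallRule -RemoteAddress LocalSubnet` on that rule or disable it.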
Re: (Score:2)
Sonos requires SMB1 for locally-stored content (Score:4, Interesting)
Ned Pyle and others have eloquently described why everyone should drop SMB1 support, yet NAS suppliers and Sonos continue to ship products that use SMB1.
Despite being deprecated by MSFT for years, SMB1 is alive and well with Sonos. There is no SMB2+ support, there is no timeline nor any commitment to add SMB2+ support. Please note: this issue only affects those that use Sonos with a local file server such as a NAS, your PC, etc. to store the music library and then make it accessible via the LAN.
I don't understand how a company that prides itself on making premium audio products doesn't put security ahead of other software development priorities. One juicy scandal can cause way more damage than the modest cost of implementing readily-available SMB2-3.11 server/client software packages.
SMB1 support on the Sonos, if allowed at all, should be on an opt-in basis, with adequate warnings to consumers re: potential pitfalls. Modern incarnations of SMB servers have NTLM v1 and SMB1 support turned off by default for a reason.
Stop choosing non-freedom. (Score:2)
I'm not familiar with this product or Sonos but this sounds proprietary.
Re: (Score:2)
"We can't upgrade the servers because we have some crappy old photocopiers."
You know who says things like that? People who get WannaCry outbreaks in their systems.
You can't have your cake and eat it too.
One of these days (Score:2)
some talented hacker will turn their attention to wiping out all records of student loans and consumer debt. Heck, maybe even mortgages.
We can only hope...
Re: (Score:2)
A 21st century Fight Club?
F the NSA (Score:2, Insightful)
They are an enemy of the United States. Arrest them and take their computers.
Re: (Score:2)
That's great advice but see my note below, if you want to run a Sonos from a file server as intended, you have to have SMB1 (NT1) enabled on that file server, which means also enabling NTLM v1 authentication.
Yes, there is a complicated workaround by using Plex or Subsonic as a means of feeding the Sonos data without the need for SMB1 insecurity, but implementing this system is not for the faint of heart. Plus, with every new service enabled on the server, you add more potential exploits.
All I want is to be able