Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Security Government

New SMB Worm Uses Seven NSA Hacking Tools. WannaCry Used Just Two (bleepingcomputer.com) 115

An anonymous reader writes: Researchers have detected a new worm that is spreading via SMB, but unlike the worm component of the WannaCry ransomware, this one is using seven NSA tools instead of two. Named EternalRocks, the worm seems to be in a phase where it is infecting victims and building its botnet, but not delivering any malware payload.

EternalRocks is far more complex than WannaCry's SMB worm. For starters, it uses a delayed installation process that waits 24 hours before completing the install, as a way to evade sandbox environments. Further, the worm also uses the exact same filenames as WannaCry in an attempt to fool researchers of its true origin, a reason why the worm has evaded researchers almost all week, despite the attention WannaCry payloads have received.

Last but not least, the worm does not have a killswitch domain, which means the worm can't be stopped unless its author desires so. Because of the way it was designed, it is trivial for the worm's owner to deliver any type of malware to any of the infected computers. Unfortunately, because of the way he used the DOUBLEPULSAR implant, one of the seven NSA hacking tools, other attackers can hijack its botnet and deliver their own malware as well. IOCs are available in a GitHub repo.

Ars Technica quotes security researchers who say "there are at least three different groups that have been leveraging the NSA exploit to infect enterprise networks since late April... These attacks demonstrate that many endpoints may still be compromised despite having installed the latest security patch."
This discussion has been archived. No new comments can be posted.

New SMB Worm Uses Seven NSA Hacking Tools. WannaCry Used Just Two

Comments Filter:
  • by Anonymous Coward on Saturday May 20, 2017 @06:04PM (#54456361)

    Your computer have virus.

    • by thundercattt ( 4205847 ) on Saturday May 20, 2017 @06:21PM (#54456411)
      Sure Windows, you sound legit with your Indian accent. Access as needed. O.....sorry I'm not paying. Btw, you're also locked in a virtualized Windows platform on Debian. Thanks for playing
      • Sure Windows, you sound legit with your Indian accent. Access as needed. O.....sorry I'm not paying. Btw, you're also locked in a virtualized Windows platform on Debian. Thanks for playing

        Windows is sand-boxed inside of a VM instance for me.

        • Windows has degraded so badly I don't think anyone competent should run it outside a VM for any purpose other than badly-made games anymore.

          On the other hand, I don't watch TV at all, nor do I play AAA games, so I'm rather ill informed about today's DRM. As for games, everything I've tried recently works fine in wine with issues restricted to details like:

          • * gamepad not detected (around half of gamepad-using games, workaround: can emulate keyboard)
          • * insists on the wrong monitor if fullscreen (actually less
          • by Doke ( 23992 )
            I also believe windows is too unreliable to run on bare metal, and should be run in a VM. If nothing else, it lets you roll back to a snapshot before a bad patch. However, Microsoft deliberately makes that difficult. It turns out every time we VMotion a Windows VM, the cpu id changes, and invalidates the OS registration. Then after a month or so, it stops working. We have to re-register it after each move. That pretty much prevents us from using VMware's dynamic balancing. We've never found a way aro
      • by AmiMoJo ( 196126 )

        There was a video on YouTube last year of a guy who managed to convince the scammer that the scammer's own PC was broken and then walking him through how to go into the BIOS and fix it. Of course, the change he made to the BIOS actually made the machine unbootable and possibly unrecoverable.

        Most of the scammers are just working from a script. They don't know anything and are easy to mess with. Must be weird doing that for a living though.

      • > Btw, you're also locked in a virtualized Windows platform on Debian.

        You've almost got it right. you just need to add something along the lines of;

        And, just because I consider you one of my really special friends, I've got this really cool little tool tcpdump running on it and hey! Is that your IP address? Huh. I wonder what other those kooky nuts over at /b/ will make of that? ...Oh, he hung up.

    • You've got worm! - AOL

    • So does this one support Win10? Virus writers seem stuck in the past.

      • So does this one support Win10? Virus writers seem stuck in the past.

        Wut!?

        Win10 *IS* a virus!!

        I guess it's virii all the way down. :)

        Strat

  • Just look at Google [google.com]. Terrifying, just terrifying.
  • by Anonymous Coward

    Be sure to spin rhetoric about "NSA" and "CIA" freakouts harder than the actual technical details, as usual!

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Why shouldn't we? The technical details are not of interest to a general audience, and are already available to those who do have a vested interest.

      The bottom line, however, is that the NSA knowingly endangered the entire country by failing to disclose vulnerabilities in our digital infrastructure. The "its not their job" argument is bullshit. They acted unethically (to but it way to mildly), and the people who pay their salaries are now being hacked because of it.

      Not cool.

      • Why shouldn't we? The technical details are not of interest to a general audience, and are already available to those who do have a vested interest.

        This is slashdot, whose motto is "news for nerds". Granted, this isn't 2600, but I think getting more to the technical side is at least somewhat warranted.

        I honestly despise slashdot's articles that remain the political realm without getting down to some kind of science or engineering (unless it's some sort of life altering event like 9/11 or something.)

  • Though it's unlikely there are more malicious exploits out there than there has ever been, they've been getting more mainstream press.

    Why? Is there not enough information to fill the 24 hour news cycle with Trump in the US, Erdogan in Turkey, the Brexit in Europe, ad infinitum...

    Or, and I don't have the tinfoil hat on but it's out of the drawer, will these be used to somehow shunt internet freedoms as the powers that be protect us from another Boogeyman.

    • After heartbleed, security researchers realized you could give a vuln a catchy name and a cute logo and it would get a lot more attention.

      Since being a security company is more a matter of marketing than skill (in a great many cases: look at the most popular anti-viruses), once the white hats [medium.com] realized that, they did it more.
  • by Sir Holo ( 531007 ) on Saturday May 20, 2017 @06:45PM (#54456501)

    Why has the NSA, who know exactly what weaponized exploits were broadcast to the world. . . Why has the NSA not offered-up any antidotes to their now-public weaponization of a bunch of sploits?

    They could swoop in and try to look like the hero here, but there's been no sign of that. Not a peep from the NSA.

    Are they just making popcorn and watching the fallout because they think they are computer GODS, enjoying watching the plebes fight all of these forthcoming worms and trojans just to get themselves off before going back to work reducing the security of the USA by continuing to develop more of the same?

    • by bengoerz ( 581218 ) on Saturday May 20, 2017 @07:26PM (#54456629)
      Sure, it's just a coincidence that Microsoft released MS17-010 [microsoft.com] - a patch for multiple NSA-discovered vulnerabilities - several weeks before they were disclosed by Shadow Brokers.
      • by AmiMoJo ( 196126 )

        They released patches for EternalBlue and related exploits AFTER the ShadowBrokers released them.

        Microsoft didn't release patches for older versions of Windows until the day after the attack on the NHS.

        • The EternalBlue patch was released on 14 March for supported OSs and for customers with custom support for older OSs. Shadow Brokers released EternalBlue on 14 April.

          EternalBlue patches for older OSs were made generally available on 15 May, 3 days after Wannacry attacks were reported on a large scale. This is despite the fact that the exploit Wannacry used for the EternalBlue vulnerability failed to work on XP due to differences in the OS.
          • Correct.

            Microsoft patching older OSes that are no longer supported was a free gift. Any business running XP or Server 2003 without a custom support contract is taking a big risk gamble.

            I realize Slashdot loves to hate MS - and their war on Linux was good motivation - but MS really acted responsively on WannaCry.
    • by phayes ( 202222 ) on Saturday May 20, 2017 @07:28PM (#54456635) Homepage

      Wakey wakey sleepyhead....

      When the NSA realized that the code had been stolen & likely to be released, they communicated the SMB bug to Microsoft who then released patches for their "maintained" OS's two months ago. It is because of this that they were able to release patches for their out of maintenance OSes as soon as Wannacry started spreading.

      Did you just imply that if the NSA said "here's a patch, please apply it globally" that you would apply it blindly?!? I'm not one of the people calling for the NSA to be the world's beta testing organization by buying up all the bugs on the internet & then handing them off to makers so that they patch their code, but even I wouldn't apply a NSA patch blindly like that.

      The NSA is not Trump with hourly Twitter updates direct from them to the world. They'll always communicate through proxies.

    • for the system to be infected then take them over from the virus writers discretely

    • by MSG ( 12810 ) on Saturday May 20, 2017 @08:08PM (#54456785)

      I hate to interrupt a good blame fest, but every Windows computer comes with a program that downloads updates (fixes) from Microsoft and approximately zero Windows computers come with a program that downloads updates from the NSA. So how would the NSA distribute fixes, if they wanted to?

      Microsoft already released fixes, so what makes you think the NSA didn't provide the information needed to the people who are in a position to distribute fixes?

      • by Anonymous Coward

        I hate to interrupt a good blame fest, but every Windows computer comes with a program that downloads updates (fixes) from Microsoft and approximately zero Windows computers come with a program that downloads updates from the NSA.

        What if I told you... That one program does both ?

    • by amiga3D ( 567632 )

      What really bugs me is that shit continuously leaks out of the NSA. Just pours the fuck out. What do we pay them for? I mean really what use is a spy organization that gets the fuck hacked out of it all the damn time? Billions of dollars and the secrets we pay through the nose to acquire are out for every asshole in the world to use. And not a single damn incompetent cocksucker gets fired! On 9/11 we get hit by fuckers that they knew were here, they had a report they were learning to fly but weren't interes

  • liability (Score:1, Insightful)

    by Anonymous Coward
    Make commercial software companies legally liable.
    • by mentil ( 1748130 )

      Just add verbiage to the clickwrap saying "we're not legally liable. also, binding arbitration." Oh wait the clickwrap already says that. You mean a new law that mandates liability? Simple, contracts say "you agree to keep this machine airgapped" in a 'crumple-zone' clause that everyone expects to be violated yet is designed to not affect the rest of the contract when it is. Ok MS agreed to provide a secure product... but only those who violated the contract were infected and could be party to a class-actio

  • by Anonymous Coward on Saturday May 20, 2017 @07:21PM (#54456613)

    If you haven't looked into it yet and you're running Windows 7 and above, disable SMB v.1 on Windows as server or client [microsoft.com]. There's not much reason to maintain it unless you have older hardware/software that relies on it (XP, Windows Server 2003). v.1 is slower and completely replaced by SMB v.2 and v.3.

    • This is a good idea anyway, since there are several exploits in SMBv1 which were patched in the May 2017 release. i.e. after MS17-010 was released. So SMBv1 is getting a lot of extra attention, and there is still more ground for hi jinx there. I believe it is disabled by default in server 2012 R2
  • Every time another "ogodtheskyisfalling" article comes out covering a new/improved malware based on the leaked NSA toolbox I'm looking for a quick summary early in the article that says "this beastie will be a problem for Windows, probably Win7 and earlier; will not be a problem for Linux; probably won't be a problem for OS X." Or even a simple 0-10 ranking of "no problemo" to "burn your computer NOW!" for each of the three major platforms placed somewhere prominent in the article would be nice. For my le
  • What goes around is apparently coming around - thanks a lot for that.
    Seems that whole "(our) security through (your) obscurity" thing has a few wrinkles in it.

    Sincerely,
    The people you're supposed to be protecting.

  • TCP port 137, 139, and 445 are blocked, UDP ports 137 and 138 are blocked. So am I safe?

    I've got a printer and NAS on my network, I know the printer uses SMB but not sure of the NAS.
  • by Constantin ( 765902 ) on Saturday May 20, 2017 @11:07PM (#54457417)

    Ned Pyle and others have eloquently described why everyone should drop SMB1 support, yet NAS suppliers and Sonos continue to ship products that use SMB1.

    Despite being deprecated by MSFT for years, SMB1 is alive and well with Sonos. There is no SMB2+ support, there is no timeline nor any commitment to add SMB2+ support. Please note: this issue only affects those that use Sonos with a local file server such as a NAS, your PC, etc. to store the music library and then make it accessible via the LAN.

    I don't understand how a company that prides itself on making premium audio products doesn't put security ahead of other software development priorities. One juicy scandal can cause way more damage than the modest cost of implementing readily-available SMB2-3.11 server/client software packages.

    SMB1 support on the Sonos, if allowed at all, should be on a opt-in basis, with adequate warnings to consumers re: potential pitfalls. Modern incarnations of SMB servers have NTLM v1 and SMB1 support turned off by default for a reason.

    • Despite being deprecated by MSFT for years, SMB1 is alive and well with Sonos. There is no SMB2+ support, there is no timeline nor any commitment to add SMB2+ support.

      I'm not familiar with this product or Sonos but this sounds proprietary.

      I don't understand how a company that prides itself on making premium audio products doesn't put security ahead of other software development priorities. One juicy scandal can cause way more damage than the modest cost of implementing readily-available SMB2-3.11 server/cli

  • some talented hacker will turn their attention to wiping out all records of student loans and consumer debt. Heck, maybe even mortgages.

    We can only hope...

  • F the NSA (Score:2, Insightful)

    by WCMI92 ( 592436 )

    They are an enemy of the United States. Arrest them and take their computers.

I am a computer. I am dumber than any human and smarter than any administrator.

Working...