The author of a new worm that had the potential to spread faster than WannaCry appears to have called it quits.
'EternalRocks' is a combination of four NSA exploits and associated attack tools, including EternalBlue (the vector that carried the WannaCry ransomware). The worm, also known as MicroBotMassiveNet, was discovered by Miroslav Stampar, a security researcher and member of the Croatian government's computer emergency response team (CERT), earlier this week. Once weaponised, he said, it could have a much greater impact than WannaCry.
Stampar said that EternalRocks spreads using the NSA's EternalBlue, EternalChampion, EternalRomance and EternalSynergy SMB exploits, along with related attack tools DoublePulsar, ArchiTouch and SMBTouch.
When discovered, the worm had no payload or malicious component, but was spreading itself through a two-stage process. In the first stage, vulnerable Windows computers (those that had still not been patched to fix the MS17-010 vulnerability used by WannaCry) were infected; .NET components were downloaded and an executable file was used to download and run the Tor web browser, which also carried the worm's command and control communications.
The second stage used the Tor browser to download another executable from a .onion domain after 24 hours; this, in turn, downloaded the NSA exploits.
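The two-stage sequence just described (an inbound SMB infection, then a .onion fetch through Tor roughly a day later) is the kind of pattern a defender can correlate in endpoint or proxy logs. The following is an added illustration, not code from the article or from the researcher; the log format, event names, host names, sample lines and the two-hour tolerance are all constructed here and are not EternalRocks artefacts or any product's real schema.

```python
"""Added example: correlate a first inbound-SMB event on a host with a later
.onion fetch about 24 hours afterwards, the gap the article describes.
Everything below (format, events, sample data) is constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <host> <event> <detail>".
# Events: SMB_IN (inbound connection to TCP/445), TOR_START (Tor process
# launched), ONION_GET (HTTP fetch through the local Tor SOCKS proxy).
SAMPLE_LOG = """\
2017-05-18T09:00:00 ws-14 SMB_IN src=10.0.4.7
2017-05-18T09:01:30 ws-14 TOR_START pid=4120
2017-05-19T09:05:00 ws-14 ONION_GET host=example.onion
2017-05-18T10:00:00 fs-01 SMB_IN src=10.0.4.20
2017-05-18T11:00:00 ws-22 ONION_GET host=example.onion
"""

STAGE_GAP = timedelta(hours=24)   # delay between stages noted in the article
TOLERANCE = timedelta(hours=2)    # constructed slack for the correlation window


def parse_line(line):
    """Split one constructed log line into (timestamp, host, event, detail)."""
    ts, host, event, detail = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, event, detail


def find_two_stage_hosts(log_text, gap=STAGE_GAP, tolerance=TOLERANCE):
    """Return hosts whose earliest inbound-SMB event is followed, roughly `gap`
    later, by a .onion fetch. A .onion fetch alone or SMB traffic alone is not
    reported: the signal is the sequence, not either event in isolation."""
    first_smb = {}
    onion_fetches = defaultdict(list)
    for raw in log_text.strip().splitlines():
        ts, host, event, _ = parse_line(raw)
        if event == "SMB_IN":
            # Keep the earliest SMB event per host regardless of file order.
            first_smb[host] = min(ts, first_smb.get(host, ts))
        elif event == "ONION_GET":
            onion_fetches[host].append(ts)

    flagged = []
    for host, smb_ts in first_smb.items():
        for fetch_ts in onion_fetches.get(host, []):
            if abs((fetch_ts - smb_ts) - gap) <= tolerance:
                flagged.append(host)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print(find_two_stage_hosts(SAMPLE_LOG))  # ['ws-14']
```

In the sample data only ws-14 is flagged: fs-01 receives SMB connections (as a file server would) but never touches Tor, and ws-22 fetches from a .onion address without any preceding SMB event, so neither matches the staged pattern.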
Security commentators have said that EternalRocks appears to have been designed as a launchpad for future attacks. However, Stampar has released an update through a GitHub post, where he says that the command and control page for EternalRocks now enables registration for a forum, containing two messages.
The first message tells people that EternalRocks is not dangerous and was developed so that the author could "play" with them. In the second message, the author absolves themselves of all responsibility by claiming that all they were doing was using the NSA tools for their intended purpose.
Stampar says that the EternalRocks code has been updated: it now downloads a dummy executable file, instead of the NSA tools. He told Bleeping Computer: "[I]t seems that I captured [the] author's worm in testing phase. It had great potential, though. Anyway, I suppose that he got scared because of all this fuzz [sic] and just dropped everything before being blamed for even something he didn't do."
First message: "Its not ransomware, its not dangerous, it just firewalls the smb port and moves on. I wanted to play some games with them, considering I had visitors, but the news has to much about weaponized doomsday worm eternal rocks payload. much thought to be had... ps: nsa exploits were fun, thanks shadowbrokers!"
Second message: "btw, all I did, was use the NSA tools for what they were built, I was figuring out how they work, and next thing I knew I had access, so what to do then, I was ehh, I will just firewall the port, thank you for playing, have a nice a day."