the latest smb botnet uses seven nsa tools, while wannacry uses only two

Posted by deaguero at 2020-03-10

Recently, researchers have detected a new worm spreading through SMB, but it is different from wannacry's blackmail software worm. This worm uses seven NSA tools, while wannacry only uses two. Does this mean that the worm will bring more serious impact on the global network?

It is reported that the worm was found by security researcher Miroslav Stampar (a member of the Croatian government cert and a developer of the sqlmap tool used to detect and exploit SQL injection vulnerabilities) in his built SMB honeypot on Wednesday (May 17).

Seven NSA tools are used by eternal rocks

The worm was named "eternal rocks" by Stampar. Researchers found the executable properties of the worm in a sample. It infected computers on the network that exposed SMB ports by using six NSA tools around SMB. Four NSA tools, etrnalblue, etrnalchampion, etrnallomance, and etrnalsynergy, are mainly used to attack SMB vulnerabilities on computer devices, while smbsource and archsource are two NSA tools for SMB vulnerability scanning.

Once the worm has acquired its initial foothold, it will use another NSA tool, doublepulsar, to infect other new vulnerable computers.


Wannacry ransomware, which affects more than 240000 victims, uses SMB vulnerabilities to infect computer devices and spread the virus to new victims.

However, unlike eternalrocks, wannacry's SMB worm only uses two NSA tools, eternalbus and doublepulsar. Eternalbus is used for initial attack and doublepulsar is used to spread virus to new devices. However, the discovered eternalrocks contain seven NSA tools as described above.

Eternal rocks are more complex, but less dangerous

As a worm, eternalrocks is far less dangerous than wannacry because it currently does not transmit any malicious content. However, that doesn't mean that eternal rocks is simple. According to Stampar, the opposite is true.

For starters, eternal rocks is more complex than wannacry's SMB worm component. Once the victim is successfully infected, the worm uses a two-stage installation process and delays the second stage.

In the first phase, eternalrocks obtains permissions on the infected host, then downloads the tor client and points it to a. Onion domain name C & C server located in the dark network.

The C & C server will respond only after a predefined sleep period (currently 24 hours). This long delay is likely to help worms bypass sandbox security detection and security researchers' analysis, because few people spend a whole day waiting for the C & C server to respond.

Kill switch domain name

In addition, eternalrocks uses the same file name as wannacry's SMB worm, another attempt to fool security researchers into misclassifying it.

But unlike wannacry, eternal rocks doesn't have a "kill switch.". In wannacry, security researchers have successfully blocked the propagation of wannacry by using the "switch domain name" function.

After the initial dormancy period expires, the C & C server will respond, and eternalrocks will start to enter the second stage of the installation process, downloading a second stage malware component named

Then, eternalrocks starts the IP quick scan process and tries to connect to any IP address.


Eternalrocks can be weaponized at any time

Due to the large number of NSA tools used by eternalrocks, the lack of "switch domain name" and the setting of dormancy period between the two installation processes, once the developers of eternalrocks decide to use blackmail software, bank Trojans, rat or anything else to weaponize them, then eternalrocks may pose a serious threat to those computers that expose vulnerable SMB ports to the network.

Initially, it seems that the worm is still in the process of testing, or its developers are testing the threat that the worm may realize in the future.

However, this does not mean that eternal rocks are harmless. In addition, the developer of the worm can use this hidden communication channel to send new malware to computers that have been previously infected by eternalrocks.

In addition, the NSA tool with backdoor function, doublepulsar, is still running on computers infected with eternal rocks. Unfortunately, the developers of eternalrocks did not take any measures to protect doublepulsar. Doublepulsar currently runs in the default unprotected state, which means that other attackers can also use the back door of the computer device that has infected eternalrocks and install new malware into the computer through the back door.

If you are interested, you can go to GitHub to see more information about IOCS and worm infection process.

Note the SMB port

At present, many attackers are scanning computers running older and non patched versions of SMB services. System administrators have also noticed this and started to fix computers with vulnerabilities or disable older versions of the smbv1 protocol, thus gradually reducing the number of machines infected by eternal rocks.  

In addition, many malware (such as adylkuzz) also shut down the SMB port to prevent further use by other threats, which also helps reduce the number of potential targets of eternal rocks and other SMB hunting malware. Reports from forecpoint, cyphart, and secdo detail other current threats to computers with SMB ports.

In any case, the sooner system administrators can patch their systems, the better. Stampar said,

"At present, there is a time race between the worm and the system administrator. If the worm successfully infects the computer before the administrator patches it, then its developers can weaponize it at any time, organize further attacks, and no matter when the patch can be patched later."

*Reference source: bleepingcomputer, compiled by Michelle, reprinted from