EternalRocks Computer Worm

May 26, 2017

EternalRocks is a worm that makes use of the Shadow Brokers' NSA leak, exploiting multiple SMB vulnerabilities. EternalRocks emerged earlier than WannaCry, and multiple variants have been observed since its first appearance. However, the developer of the EternalRocks SMB worm appears to have shut down the operation after the intense media attention. [ref]

EternalRocks spreads by exploiting multiple SMB vulnerabilities: once it has infected a target and downloaded its payload, it uses the same exploits against further hosts. The following is a sample of the network traffic:

Here are the file write operations:

The downloaded exploits have been observed in the following directory:

In the config directory there are configuration files named after the exploits:

The SonicWall Threat Research team has analyzed this malware and released the following signatures to cover it:

  • GAV:13638 EternalRocks.G6
  • GAV:13639 EternalRocks.G5
  • GAV:13640 EternalRocks.G4
  • GAV:13648 EternalRocks.G3
  • GAV:13651 EternalRocks.G2
  • GAV:13657 EternalRocks.G1

There are also existing IPS signatures that detect the SMB traffic:

  • IPS:12800 Windows SMB Remote Code Execution (MS17-010) 3
  • IPS:12801 Windows SMB Remote Code Execution (MS17-010) 4
  • IPS:12792 Windows SMB Remote Code Execution (MS17-010) 2
  • IPS:12794 Windows SMB Invalid Trans Session Setup Request
  • IPS:12795 EternalBlue MS17-010 Echo Response
  • IPS:12796 Suspicious CIFS Traffic 13
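To make concrete what SMB-layer signatures of the kind listed above look for, here is an added Python example. It is not SonicWall's signature logic and not code from the EternalRocks sample; it parses SMB1 headers from NetBIOS session frames and flags three MS17-010 artefacts: a Trans2 request whose first setup word is the undefined SESSION_SETUP subcommand (0x000E, the DoublePulsar ping), a Trans2 reply carrying multiplex ID 0x51 (the value an implanted host answers with; 0x41 is the normal echo of the request), and an NT Trans request that is continued with Trans2 Secondary packets (the transaction-type mismatch EternalBlue relies on, used here as a heuristic). The header and Trans2 parameter offsets follow the SMB1 wire format; the sample frames, the TID/UID values and the alert text are constructed for the demonstration, not captured traffic.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
SMB_COM_TRANSACTION2_SECONDARY = 0x33
SMB_COM_NT_TRANSACT = 0xA0
TRANS2_SESSION_SETUP = 0x000E   # undefined Trans2 subcommand used by the DoublePulsar ping
FLAGS_REPLY = 0x80              # SMB_FLAGS_REPLY bit in the header Flags byte
DOUBLEPULSAR_MID = 0x51         # reply multiplex ID from an implanted host (0x41 is normal)


def parse_smb1(frame):
    """Parse a NetBIOS session frame carrying an SMB1 message.

    Returns the header fields the rules need, or None when the frame is
    not SMB1. Only the Trans2 request parameter block is decoded.
    """
    if len(frame) < 36 or frame[0] != 0x00:       # 4-byte NetBIOS header + 32-byte SMB header
        return None
    body = frame[4:]
    if body[:4] != SMB_MAGIC:
        return None
    command, _status, flags, _flags2 = struct.unpack_from("<BIBH", body, 4)
    tid, _pid, uid, mid = struct.unpack_from("<HHHH", body, 24)
    msg = {"command": command, "reply": bool(flags & FLAGS_REPLY),
           "tid": tid, "uid": uid, "mid": mid, "trans2_setup": None}
    # Trans2 request layout: WordCount at body[32], SetupCount at body[59], Setup[0] at body[61].
    if command == SMB_COM_TRANSACTION2 and not msg["reply"] and len(body) >= 63:
        word_count, setup_count = body[32], body[59]
        if word_count >= 15 and setup_count >= 1:
            msg["trans2_setup"] = struct.unpack_from("<H", body, 61)[0]
    return msg


def inspect(frames):
    """Run the three MS17-010 traffic rules over a sequence of frames; return alert strings."""
    alerts = []
    nt_trans_seen = set()   # (tid, uid) pairs with an outstanding NT Trans request
    for i, frame in enumerate(frames):
        msg = parse_smb1(frame)
        if msg is None:
            continue
        key = (msg["tid"], msg["uid"])
        if msg["trans2_setup"] == TRANS2_SESSION_SETUP:
            alerts.append(f"frame {i}: Trans2 SESSION_SETUP request (invalid subcommand, DoublePulsar ping)")
        if (msg["command"] == SMB_COM_TRANSACTION2 and msg["reply"]
                and msg["mid"] == DOUBLEPULSAR_MID):
            alerts.append(f"frame {i}: Trans2 reply with MID 0x51 (DoublePulsar present)")
        if msg["command"] == SMB_COM_NT_TRANSACT and not msg["reply"]:
            nt_trans_seen.add(key)
        elif msg["command"] == SMB_COM_TRANSACTION2_SECONDARY and key in nt_trans_seen:
            alerts.append(f"frame {i}: NT Trans continued by Trans2 Secondary (EternalBlue transaction mismatch)")
            nt_trans_seen.discard(key)
    return alerts


# --- constructed sample frames for the demonstration (not captured traffic) ---

def smb1_frame(command, flags, mid, words=b"", data=b"", tid=0x0800, uid=0x0800):
    """Wrap an SMB1 header plus parameter/data blocks in a NetBIOS session header."""
    header = (SMB_MAGIC + struct.pack("<BIBH", command, 0, flags, 0x0001)
              + b"\x00" * 12                         # PIDHigh, SecurityFeatures, Reserved
              + struct.pack("<HHHH", tid, 0xFEFF, uid, mid))
    body = header + bytes([len(words) // 2]) + words + struct.pack("<H", len(data)) + data
    return b"\x00" + len(body).to_bytes(3, "big") + body


def trans2_request(setup, mid=0x41):
    """Trans2 request with one setup word (WordCount = 15); fixed counts are arbitrary but valid."""
    words = struct.pack("<HHHHBBHIHHHHHBBH",
                        12, 0, 1, 0, 0, 0, 0, 0, 0, 12, 66, 0, 0, 1, 0, setup)
    return smb1_frame(SMB_COM_TRANSACTION2, 0x18, mid, words, b"\x00" * 12)


SAMPLE_FRAMES = [
    trans2_request(0x0005),                                    # benign QUERY_PATH_INFORMATION
    trans2_request(TRANS2_SESSION_SETUP),                      # DoublePulsar ping
    smb1_frame(SMB_COM_TRANSACTION2, 0x98, DOUBLEPULSAR_MID),  # implant's reply
    smb1_frame(SMB_COM_NT_TRANSACT, 0x18, 0x42),               # EternalBlue transaction setup
    smb1_frame(SMB_COM_TRANSACTION2_SECONDARY, 0x18, 0x43),    # ...continued with the wrong type
]

if __name__ == "__main__":
    for line in inspect(SAMPLE_FRAMES):
        print(line)
```

The first two rules are stateless and cheap, which is why the DoublePulsar ping is the usual quick scanner check; the third needs per-session state (keyed here on TID and UID) because a single Trans2 Secondary is legitimate on its own. On real traffic, feed `inspect` the reassembled TCP payloads of port 445 in order, one NetBIOS session message per element.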