The NSA vulnerabilities related to the Windows SMB exploit have proven to be quite problematic. Multiple types of ransomware are exploiting this issue with an astonishing rate of success so far. Unfortunately, it appears this vulnerability has also spawned a new worm spreading through the SMB protocol. This particular worm uses seven different NSA tools to cause as much havoc as possible. Rest assured this is only a sign of what is yet to come.
SMB Worm is A Very Big Problem For Windows Users
For the people who believed the WannaCry ransomware was the biggest concern, reality has a funny way of making things a lot worse than originally assumed. A new Windows worm is making use of the same SMB exploits abused by the WannaCry ransomware and a few other types of malicious software which have come to market in its wake. This new worm proves to be quite a big problem, though.
To be more specific, the worm makes use of not just two recently disclosed NSA exploits, but seven. WannaCry looks like a very small threat compared to the havoc this SMB worm is capable of causing right now. For the time being, researchers have dubbed this worm as “EternalRocks,” and it uses six different SMB-centric NSA tools to infected computers all over the world.
As one would expect, the EternalBlue exploit is one of the vulnerabilities, together with a few other exploits the NSA has developed in-house over the past few years. As soon as EternalRocks successfully infected a computer, it uses a seventh NSA exploit – dubbed DOUBLEPULSAR – to spread itself to other vulnerable machines. Stopping this worm in its tracks will be an incredibly difficult task, to say the least.
While security researchers agree EternalRocks is far more complex, they also seem to think this SMB worm is far less dangerous. It does not deliver malicious content such as ransomware or a keylogger right now, although that may only be a matter of time until this changes. It also appears the EternalRocks worm uses a Tor-based command & control server to communicate with once it successfully infected a computer. The response from this server will come 24 hours after the infected host sent information to the server. This delay should help bypass sandbox security.
Unfortunately, it doesn’t appear this SMB worm comes with a kill switch domain security researchers can use to shut it down. That could prove to be quite a problematic development, as stopping a worm with the potential of infecting millions of computers in a short amount of time only becomes more difficult now. Things will only get worse once this worm gets weaponized with a malicious payload. Rest assured some criminals will look to exploit this potential in the future.
Thinking EternalRocks is harmless is one of the biggest mistakes security experts can make right now. The current iteration does not come with a malicious payload, but it is also clearly a sample of what may come in the future. The DOUBLEPULSAR exploit can be used by other assailants who want to gain backdoor access to computers. It is evident the SMB protocol is causing a lot of security problems for Windows users right now, and solving this problem will prove to be a major challenge.
If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.