New SMB Worm Uses Seven NSA Hacking Tools. WannaCry Used Just Two

Here we go again ...........

https://www.bleepingcomputer.com/ne...ven-nsa-hacking-tools-wannacry-used-just-two/

 

Just awesome. :\

 

"...During the first stage, EternalRocks installs TOR as a C&C communications channel.

The second stage doesn’t begin immediately; instead, the C&C server waits 24-hours before responding with shadowbrokers.zip. Stampar said the delayed downloader for the zipped file, which contains NSA hacking tools leaked by the Shadow Brokers, seems to be 'a full scale cyber weapon.'

After that is unpacked, the EternalRocks worm begins scanning for open 445 ports on the internet and pushes the first stage of the malware through payloads.

There is no kill switch like there was in WannaCry. Stampar told Bleeping Computer, 'The worm is racing with administrators to infect machines before they patch. Once infected, he can weaponize any time he wants, no matter the late patch.'

The second stage of the infection currently has a detection rate of 45/61 on VirusTotal, but Stampar warned that EternalRocks was 'going to be huge.'

http://www.networkworld.com/article...uses-7-nsa-hacking-tools.html#tk.rss_security

 

"EternalRocks leaves backdoor trojan for remote access to infected machines...

The Good News

EternalRocks does not appear to have been weaponized (yet). No malicious payload – like ransomware – is unleashed after infecting a computer.

The Bad News

Even if SMB patches are retroactively applied machines infected by the EternalRocks worm are left remotely accessible via the DOUBLEPULSAR backdoor trojan. The DOUBLEPULSAR (backdoor trojan) installation left behind by EternalRocks is wide open. Whether on purpose or not the result is that other hackers could use DOUBLEPULSAR to access machines infected by EternalRocks.

What you should do

Block external access to SMB ports on the public internet\
Patch all SMB vulnerabilities
Block access to C&C servers (ubgdgno5eswkhmpy.onion) and block access to Torproject.org while you are at it
Monitor for any newly added scheduled tasks
A DOUBLEPULSAR detection script is available on Github
Make sure DatAlert Analytics is up to date monitoring your organization for insider threats...

https://blog.varonis.com/eternalrocks/

 

Per the NetworkWorld article:

I have been stating this repeatedly. It is fair to assume that any of the NSA exploits that originally employed temporary backdoors have been "tweaked" to make those backdoors permanent. Probably best advice for anyone hacked by any of these SMB exploits is to reformat and reinstall the OS on any infected device.

 

Good work itman.

 

If you guys don't need SMB file sharing then you can just turn it off, and that should remove any vulnerability to the SMB exploits that have been dumped that i'm aware of. I don't know what all other services are dependent on SMB so disable at your own risk. Don't test on production machines without being certain. You can always reenable it if you run into problems at home.

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

1. Open Control Panel, click Programs, and then click Turn Windows features on or off.
2. In the Windows Features window, clear the SMB1.0/CIFS File Sharing Support checkbox, and then click OK to close the window.
3. Restart the system.
   

For server operating systems:

1. Open Server Manager and then click the Manage menu and select Remove Roles and Features.
2. In the Features window, clear the SMB1.0/CIFS File Sharing Support check box, and then click OK to close the window.
3. Restart the system.

 

I'm using Windows 10 X64 Professional. I'm not sure if it's the same for all versions of Windows, but I think it is from Windows 7 or maybe even Vista up. Just go to Control Panels / Programs / Turn Windows Features On or Off. Then untick, "SMB 1.0/CIFS File Sharing Support", and click ok. That should turn off SMB service responsible for the SMB exploits that I have looked into so far. It's one of the recommendations by Microsoft. I have not looked into the latest leaked exploits so i'm not sure it will mitigate them all.

 

Thanks, CE

Just have to restart....

> >

 

.

No problem.

 

Back...Easy peasy!

 

I have similar "problem". I suspect that some tweak that I did in past removed it from feature list

 

That makes me wonder if you guys are vulnerable to SMB exploits. Maybe you don't even have it installed on your machines.

 

This may help:
How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server - https://support.microsoft.com/en-us...smbv2-and-smbv3-in-windows-and-windows-server

 

I don't think I am. I updated my OS, FW is blocking incoming communications on those ports and I also have file and printer sharing disabled.

Yes, I've run sc.exe config commands when I didn't find that option in installed features section.

 

removed smb1.0 at every clean install of my OS since win7

 

You also don't have it listed in add/remove features? If yes, how did you achieve this?

 

@Minimalist i have it listed so i just untick the box (as well for any unneeded features) and reboot.

 

OMG- a 24 hour sleep delay prior to malware activation? That's really rude of the Blackhats (I mean we do, kind of, have a Life...).

 

That's great. Unfortunately I don't have it listed and can't disable it that way...

 

A word of caution. Microsoft does not recommend disabling SMB v2 or v3 as noted in the above posted link:

However, they don't state the basis for that recommendation.

 

what is your OS?

 

Peter and Minimalist,

I too don't have it on Win-7 Pro 64-bit.

There is no "SMB1.0/CIFS File Sharing Support" mentioned there.