New SMB Worm Uses Seven NSA Hacking Tools. WannaCry Used Just Two

Discussion in 'malware problems & news' started by itman, May 19, 2017 at 7:21 PM.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,012
    Location:
    U.S.A.
    Here we go again ...........
    https://www.bleepingcomputer.com/ne...ven-nsa-hacking-tools-wannacry-used-just-two/
     
  2. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    3,093
    Just awesome. :\
     
  3. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    2,350
    Location:
    DC Metro Area
    "...During the first stage, EternalRocks installs TOR as a C&C communications channel.

    The second stage doesn’t begin immediately; instead, the C&C server waits 24-hours before responding with shadowbrokers.zip. Stampar said the delayed downloader for the zipped file, which contains NSA hacking tools leaked by the Shadow Brokers, seems to be 'a full scale cyber weapon.'

    After that is unpacked, the EternalRocks worm begins scanning for open 445 ports on the internet and pushes the first stage of the malware through payloads.

    There is no kill
    switch like there was in WannaCry. Stampar told Bleeping Computer, 'The worm is racing with administrators to infect machines before they patch. Once infected, he can weaponize any time he wants, no matter the late patch.'

    The second stage of the infection currently has a detection rate of 45/61 on VirusTotal, but Stampar warned that EternalRocks was 'going to be huge.'

    http://www.networkworld.com/article...uses-7-nsa-hacking-tools.html#tk.rss_security
     
  4. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    2,350
    Location:
    DC Metro Area
    "EternalRocks leaves backdoor trojan for remote access to infected machines...

    The Good News

    EternalRocks does not appear to have been weaponized (yet). No malicious payload – like ransomware – is unleashed after infecting a computer.

    The Bad News

    Even if SMB patches are retroactively applied machines infected by the EternalRocks worm are left remotely accessible via the DOUBLEPULSAR backdoor trojan. The DOUBLEPULSAR (backdoor trojan) installation left behind by EternalRocks is wide open. Whether on purpose or not the result is that other hackers could use DOUBLEPULSAR to access machines infected by EternalRocks.

    What you should do

    Block external access to SMB ports on the public internet\
    Patch all SMB vulnerabilities
    Block access to C&C servers (ubgdgno5eswkhmpy.onion) and block access to Torproject.org while you are at it
    Monitor for any newly added scheduled tasks
    A DOUBLEPULSAR detection script is available on Github
    Make sure DatAlert Analytics is up to date monitoring your organization for insider threats...

    https://blog.varonis.com/eternalrocks/
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,012
    Location:
    U.S.A.
    Per the NetworkWorld article:
    I have been stating this repeatedly. It is fair to assume that any of the NSA exploits that originally employed temporary backdoors have been "tweaked" to make those backdoors permanent. Probably best advice for anyone hacked by any of these SMB exploits is to reformat and reinstall the OS on any infected device.
     
  6. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    715
    Good work itman.
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,036
    Location:
    USA
    If you guys don't need SMB file sharing then you can just turn it off, and that should remove any vulnerability to the SMB exploits that have been dumped that i'm aware of. I don't know what all other services are dependent on SMB so disable at your own risk. Don't test on production machines without being certain. You can always reenable it if you run into problems at home.

    https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
    1. Open Control Panel, click Programs, and then click Turn Windows features on or off.
    2. In the Windows Features window, clear the SMB1.0/CIFS File Sharing Support checkbox, and then click OK to close the window.
    3. Restart the system.

    For server operating systems:

    1. Open Server Manager and then click the Manage menu and select Remove Roles and Features.
    2. In the Features window, clear the SMB1.0/CIFS File Sharing Support check box, and then click OK to close the window.
    3. Restart the system.
     

    Attached Files:

    • SMB.jpg
      SMB.jpg
      File size:
      73.3 KB
      Views:
      6
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    18,308
    I don't even see them listed in my features box. what does that mean.
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,036
    Location:
    USA
    I'm using Windows 10 X64 Professional. I'm not sure if it's the same for all versions of Windows, but I think it is from Windows 7 or maybe even Vista up. Just go to Control Panels / Programs / Turn Windows Features On or Off. Then untick, "SMB 1.0/CIFS File Sharing Support", and click ok. That should turn off SMB service responsible for the SMB exploits that I have looked into so far. It's one of the recommendations by Microsoft. I have not looked into the latest leaked exploits so i'm not sure it will mitigate them all.
     
  10. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,200
    Thanks, CE

    Just have to restart....

    Windows_Control Panel_Turn Windows features on or off_01.JPG > Windows_Control Panel_Turn Windows features on or off_02.JPG > Windows_Control Panel_Turn Windows features on or off_03.JPG
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,036
    Location:
    USA
  12. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,200
    :thumb: Back...Easy peasy! :)
     
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    6,360
    I have similar "problem". I suspect that some tweak that I did in past removed it from feature list :confused:
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,036
    Location:
    USA
    That makes me wonder if you guys are vulnerable to SMB exploits. Maybe you don't even have it installed on your machines.
     
  15. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,200
  16. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    6,360
    I don't think I am. I updated my OS, FW is blocking incoming communications on those ports and I also have file and printer sharing disabled.
    Yes, I've run sc.exe config commands when I didn't find that option in installed features section.
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    18,308
    I've looked also, but I wonder is I have powershell blocked in Appguard makes a difference.
     
  18. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,374
    Location:
    Europe then Asia
    removed smb1.0 at every clean install of my OS since win7:D
     
  19. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    6,360
    You also don't have it listed in add/remove features? If yes, how did you achieve this?
     
  20. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,374
    Location:
    Europe then Asia
    @Minimalist i have it listed so i just untick the box (as well for any unneeded features) and reboot.
     
  21. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,107
    Location:
    Paris
    OMG- a 24 hour sleep delay prior to malware activation? That's really rude of the Blackhats (I mean we do, kind of, have a Life...).
     
  22. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    6,360
    That's great. Unfortunately I don't have it listed and can't disable it that way...
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    4,012
    Location:
    U.S.A.
    A word of caution. Microsoft does not recommend disabling SMB v2 or v3 as noted in the above posted link:
    However, they don't state the basis for that recommendation.
     
  24. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    3,374
    Location:
    Europe then Asia
    what is your OS?
     
  25. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,685
    Peter and Minimalist,

    I too don't have it on Win-7 Pro 64-bit.
    I use the Dutch version of Windows, so things are different named.
    Configuratiescherm > Programma's > Programma's en onderdelen > Windows-onderdelen in- of uitschakelen >
    There is no "SMB1.0/CIFS File Sharing Support" mentioned there.
     
Loading...