
Newly Found Malware Uses 7 NSA Hacking Tools, Where WannaCry Uses 2

http://thehackernews.com/2017/05/smb-windows-hacking-tools.html?m=1

A security researcher has identified a new strain of malware that, like WannaCry, spreads by exploiting flaws in the Windows SMB file-sharing protocol. But where the WannaCry ransomware uses only two of the leaked NSA tools, this one uses all seven of the SMB-related tools from the Shadow Brokers dump.

Last week, we warned you about multiple hacking groups exploiting leaked NSA hacking tools, but
almost all of them were making use of only two tools: EternalBlue and DoublePulsar.

Now Miroslav Stampar, a security researcher who co-created the well-known 'sqlmap' tool and is now a member of the Croatian Government CERT, has discovered a new network worm, dubbed EternalRocks. It is potentially more dangerous than WannaCry because, unlike WannaCry, it carries no kill-switch domain that could be registered to halt it.

Unlike WannaCry, EternalRocks is designed to operate quietly so that it stays unnoticed on an infected system; it drops no ransom note and encrypts nothing.

Stampar learned of EternalRocks after it infected his SMB honeypot.

The NSA tools used by EternalRocks, which Stampar nicknamed "DoomsDayWorm" on Twitter, are:

EternalBlue SMBv1 exploit tool
EternalRomance SMBv1 exploit tool
EternalChampion SMBv2 exploit tool
EternalSynergy SMBv3 exploit tool
SMBTouch SMB reconnaissance tool
ArchiTouch SMB reconnaissance tool
DoublePulsar backdoor

As we have mentioned in our previous articles, SMBTouch and ArchiTouch are SMB reconnaissance tools: rather than merely finding open SMB ports, they probe a host to determine whether it is vulnerable to the Eternal* exploits and which OS and architecture it runs, so that the right exploit can be selected.

EternalBlue, EternalChampion, EternalSynergy and EternalRomance are the SMB exploits themselves, used to compromise vulnerable Windows computers.

DoublePulsar is the kernel-mode backdoor those exploits implant; the worm uses it to load its own payload onto each newly compromised machine, from which the cycle of scanning and exploitation continues across the network.

Stampar found that EternalRocks disguises itself as WannaCry to mislead security researchers, but instead of dropping ransomware it establishes persistent, unauthorized control of the affected computer that can be used to launch future attacks.
Here's How EternalRocks Attack Works:

EternalRocks installation takes place in a two-stage process.

During the first stage, EternalRocks downloads the Tor client (not the Tor Browser) onto the infected computer and uses it to reach its command-and-control (C&C) server, a hidden service on the Tor network.

"First stage malware UpdateInstaller.exe (got through remote exploitation with second stage malware)
downloads necessary .NET components (for later stages) TaskScheduler and SharpZLib from the
Internet, while dropping svchost.exe (e.g. sample) and taskhost.exe (e.g. sample)," Stampar says.

According to Stampar, the second stage follows a delay of 24 hours, an attempt to outlast the analysis window of automated sandboxes so that the infection looks benign under inspection.

After 24 hours, the C&C server answers the implant with an archive containing the seven NSA SMB tools listed above.

"Component svchost.exe is used for downloading, unpacking and running Tor from
archive.torproject.org along with C&C (ubgdgno5eswkhmpy.onion) communication requesting further
instructions (e.g. installation of new components)," Stampar adds.

All seven tools are then unpacked on the infected computer, and EternalRocks begins scanning the Internet for hosts with TCP port 445 open in order to spread to other vulnerable systems.

If you have been following The Hacker News coverage of the WannaCry ransomware and the Shadow Brokers leaks, you will be aware of the hacking collective's announcement that it will release new zero-days and exploits for web browsers, smartphones, routers, and the Windows operating system, including Windows 10, starting next month.

Exclusive access to the upcoming leaks would go to those buying a subscription to its 'Wine of Month Club.' The Shadow Brokers have not yet announced a price for the subscription.

With criminals and state-sponsored attackers waiting for fresh zero-days, there is little anyone can do against exploits that do not yet exist. Against the seven tools EternalRocks already uses, however, the defences are known: install the MS17-010 update, disable SMBv1, and block TCP port 445 at the network edge.
References:

https://github.com/stamparm/EternalRocks/

https://twitter.com/stamparm/status/864865144748298242 (SMB honeypot)

http://thehackernews.com/2017/04/windows-hacking-tools.html

http://thehackernews.com/2017/05/wannacry-ransomware-decryption-tool.html

http://thehackernews.com/2017/04/window-zero-day-patch.html

https://twitter.com/stamparm/status/865083810194608128

https://twitter.com/stamparm/status/865007344630996992

http://thehackernews.com/2017/05/how-to-wannacry-ransomware.html

http://thehackernews.com/2017/05/netgear-router-analytics-data.html?m=1

https://www.dd-wrt.com/site/

*********************************************************************************

https://www.bleepingcomputer.com/news/hardware/ssd-drives-vulnerable-to-attacks-that-corrupt-user-data/

During the past few years, SSDs have slowly replaced classic disk-based HDDs as the prime storage medium for the world's data, taking over not only in data centers but in our phones, tablets, laptops, and desktop PCs.

At their heart, SSDs are built from NAND flash memory chips, each of which is an array of floating-gate transistor cells organised into pages and blocks. Unlike RAM, NAND flash is non-volatile: the charge trapped on a cell's floating gate (which encodes the user's data) is retained after the computer is shut off.

The first generation of SSDs used single-level cell (SLC) flash, in which each cell stores one bit: the cell's floating gate is either charged or not, and the two resulting threshold-voltage levels stand for the two binary values.
As with all technology, things evolved. Vendors realised that by sensing the floating gate's charge more finely, a single cell can be programmed to one of four distinguishable threshold-voltage ranges, representing the two-bit values 00, 01, 10, and 11. This technology is called multi-level cell (MLC), and it has been prevalent in consumer SSDs for years.

According to research published earlier this year (Cai et al., "Vulnerabilities in MLC NAND Flash Memory Programming: Experimental Analysis, Exploits, and Mitigation Techniques", HPCA 2017), the programming logic of MLC flash is vulnerable to at least two types of attacks.
First Attack: Program Interference
The first of these attacks, which the researchers named "program interference," takes place when an attacker manages to write data with a specific pattern to the target's SSD.

The exploit's data pattern causes the MLC programming logic to produce 4.9 times more errors than usual, because programming cells with that pattern induces interference (parasitic capacitive coupling) in neighbouring NAND flash cells and shifts their stored charge.

The consequence is that an attacker can corrupt data already stored on the drive, or even shorten the SSD's lifetime if he can cause the interference repeatedly. Flash wears out: each cell survives only a finite number of program/erase cycles before it can no longer hold its charge reliably, and the extra errors force the controller into extra correction and rewriting that consume that budget.
This interference attack resembles the Rowhammer attack on DRAM, in which an attacker repeatedly activates a row of memory cells, causing electrical disturbance that flips bits in nearby rows.

While the two are similar, they are not the same thing, and the researchers have not gone on record calling this a Rowhammer attack.
Second Attack: Read Disturb
The second vulnerability the researchers found in the programming logic of NAND flash is what they called "read disturb."

In this scenario, an attacker's code causes the SSD to perform a very large number of reads of the same flash block in a short time. Each read applies a small voltage stress to the other cells in that block, and the accumulated stress produces "read disturb errors."

The researchers say these read disturb errors will "corrupt both pages already written to partially-programmed wordlines and pages that have yet to be written," undermining the SSD's ability to store data reliably in the future.
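Both effects come down to the same mechanism: an MLC cell's two bits are recovered by comparing its threshold voltage against three read references, so anything that nudges the voltage across a reference silently changes the data. The toy model below is an added example, not the researchers' code, and does not model real flash physics quantitatively; the nominal voltages, read references, coupling factor and per-read drift are assumptions chosen so that the MLC encoding, program interference from a hostile write pattern, and read disturb on an unwritten page are all visible in one eight-cell wordline.

```python
"""Toy MLC NAND cell model showing program interference and read disturb.

Added example: this is not the researchers' code and it does not model real
flash physics quantitatively. The voltages, read references, coupling factor
and per-read drift below are assumptions chosen so that both effects become
visible in a single eight-cell wordline.
"""
from dataclasses import dataclass, field

# Four threshold-voltage states per MLC cell, two bits each, Gray-coded so that
# adjacent states differ in one bit. The erased state (ER) has the lowest Vth.
STATE_BITS = ["11", "01", "00", "10"]      # ER, P1, P2, P3
NOMINAL_VTH = [-2.0, 1.0, 2.5, 4.0]        # assumed nominal Vth per state (V)
READ_REFS = [-0.5, 1.75, 3.25]             # assumed read reference voltages (V)
COUPLING = 0.15            # assumed fraction of an aggressor's Vth rise coupled onto a neighbour
READ_DISTURB_STEP = 0.002  # assumed Vth creep applied to every cell on each read (V)


@dataclass
class Wordline:
    """Eight cells on one wordline, all erased to start with."""
    vth: list = field(default_factory=lambda: [NOMINAL_VTH[0]] * 8)

    def program(self, idx, bits):
        """Raise one cell to its target Vth; part of that rise couples onto its
        neighbours (program interference). Flash can only add charge without an
        erase, so a cell already at or above its target is left alone."""
        target = NOMINAL_VTH[STATE_BITS.index(bits)]
        delta = target - self.vth[idx]
        if delta <= 0:
            return
        self.vth[idx] = target
        for n in (idx - 1, idx + 1):
            if 0 <= n < len(self.vth):
                self.vth[n] += COUPLING * delta

    def read(self):
        """Sense every cell against the read references, then apply the small
        stress each read leaves behind on the cells (read disturb)."""
        bits = [STATE_BITS[sum(v > ref for ref in READ_REFS)] for v in self.vth]
        self.vth = [v + READ_DISTURB_STEP for v in self.vth]
        return bits


def write_pattern(wl, pattern):
    """Program the cells in order, as a controller would, and return the intended bits."""
    for i, bits in enumerate(pattern):
        wl.program(i, bits)
    return list(pattern)


def bit_errors(expected, observed):
    """Count differing bits between two lists of two-bit strings."""
    return sum(a != b for x, y in zip(expected, observed) for a, b in zip(x, y))


def program_interference_errors(pattern):
    """Bit errors that a single write of `pattern` introduces into a fresh wordline."""
    wl = Wordline()
    return bit_errors(write_pattern(wl, pattern), wl.read())


def reads_until_error(pattern, limit=100_000):
    """Reads of one wordline before read disturb flips a bit (None if never within limit)."""
    wl = Wordline()
    expected = write_pattern(wl, pattern)
    for n in range(1, limit + 1):
        if bit_errors(expected, wl.read()):
            return n
    return None


if __name__ == "__main__":
    benign = ["01"] * 8          # uniform data: small, even coupling, no errors
    hostile = ["11", "10"] * 4   # erased cells sandwiched between fully charged ones
    print("program interference, benign :", program_interference_errors(benign))
    print("program interference, hostile:", program_interference_errors(hostile))
    print("reads until error, unwritten page:", reads_until_error(["11"] * 8))
    print("reads until error, written page  :", reads_until_error(benign))
```

The hostile pattern places each erased cell between two cells that receive the largest possible charge, so the coupled shift pushes the erased cells over the lowest read reference and they read back as 01 instead of 11; the uniform pattern spreads the coupling evenly and stays clear of every reference. The read loop shows the second effect: repeated reads creep every cell upward, and pages whose cells already sit close to a reference fail after far fewer reads than an untouched page.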
