Detection/Prevention/Clean EternalRocks worm
Recently, security researchers have discovered a new malware. The malware, like WannaCry extortion software, spreads itself by exploiting the vulnerabilities in the Windows SMB file sharing protocol, but unlike the latter, it uses a variety of recent hacking tools from the US National Security Agency (NSA) And Wannacry uses only two!
EternalRocks worm
On May 17, 2017, the Croatian security expert (Miroslav Stampar) discovered a worm based on WannaCry, which was also spread through vulnerabilities in the NSA arsenal. He named the virus EternalRocks and posted it to Twitter, as follows Figure:
According to foreign media “Fortune” magazine May 21, 2017 reported that EternalRocks affect a large number of patches are not installed Windows7 host, spread fast, has affected the 240,000 hosts. As shown below:
Virus composition and process
Eternalrocks consists of seven attack loads, including four Windows vulnerability exploits, a backdoor and two vulnerability scans.
| Features | Module name | Vulnerability number |
| Exploit procedures | EternalblueEternalchampion
Eternalromance Eternalsynergy |
Microsoft Windows SMB Remote Code Execution Vulnerability (MS17-010)CVE-2017-0143
CVE-2017-0144 CVE-2017-0145 CVE-2017-0146 CVE-2017-0147 CVE-2017-0148 |
| Backdoor | Doublepulsar | |
| Scanners | Architouch, Smbtouch |
The above mentioned four vulnerabilities are the use of the Windows system SMB protocol vulnerabilities, involving Windows XP, Vista, 7, Windows Server 2003, 2008, 2008 R2 system, Microsoft has released the official security patch MS17-070.
The virus workflow is as follows:
- Use SMB reconnaissance tools smbtouch and architouch to scan open SMB ports.
- If the SMB port is found, use the four vulnerabilities exploit (eternalblue, eternalchampion, eternalromance, eternalsynergy) through the network to infect the victim host.
- After infecting eternalrocks, you will download the Tor browser (a browser that can access the web, which can be prevented from being accessed using regular browsers) and download .NET components.
- Tor will take the initiative to connect to a C & C server in a dark network, connect the server 24 hours later, will respond to the C & C server and download the 7 SMB vulnerability attack load, in this way, you can avoid the sandbox technology detection.
- After the infection is complete, the EternalRocks worm will continue scanning the Internet’s open SMB port, propagating and infecting other hosts.
Virus characteristics
- Take advantage of multiple vulnerabilities
EternalRocks takes advantage of the four attack programs in the NSA arsenal, much more than WannaCry uses.
- Only infected, no damage
EternalRocks does not encrypt WaxCry’s files on infected hosts and extort bitmaps, just through the network.
- The propagation switch is not set
EternalRocks does not set up domain name switches like WannaCry to control virus propagation.
- Install the back door
EternalRocks will install the Doublepulsar backdoor on the infected host, which is then used by hackers to remotely control infected hosts.
- Delay download attack load
EternalRocks infected host, the delay will be delayed 24 hours to download the attack load, the purpose is to delay the safety of the researchers response time.
Detection
- local inspection
Virus infected host, will create C:\Program Files\Microsoft Updates\ directory, generate multiple virus files, as shown below:
Go to the Start menu – Control Panel – Administrative Tools – Scheduled Tasks, expand the Task Scheduler Library – Microsoft-Windows, and the virus creates two scheduled tasks, ServiceHost and TaskHost, as shown in the following figure:
Found on the host of the above characteristics, you can determine the infection has EternalRocks virus.
Prevention
- Broken network
Detection of the virus found in the detection phase of the host should immediately cut off the network, to avoid further spread of the virus in the network.
- Block the port
For hosts that do not have the MS17-010 patch and the presence of the Doublepulsar backdoor, the Windows SMB service TCP 445 port should be blocked immediately.
Repair
Clear the virus
- Go to the Start menu – Control Panel – Administrative Tools – Scheduled Tasks, expand the Task Scheduler Library – Microsoft-Windows, and delete the scheduled tasks ServiceHost and TaskHost.
- Stop the following process.
C: \Program Files\Microsoft Updates\svchost.exe
C: \Program Files\Microsoft Updates\taskhost.exe
C: \Program Files\Microsoft Updates\torunzip.exe
- Delete the C:\Program Files\Microsoft Updates\ directory and all the files in it.
Install patch
Download and install Microsoft’s official patch:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
