EternalRocks, dubbed the DoomsDay Worm, was identified by Miroslav Stampar (creator of sqlmap). Unlike the much-publicised WannaCry, EternalRocks does not contain a kill switch, and it incorporates 7 of the exploits developed by the NSA, whereas WannaCry used only 2.
EternalRocks attempts to masquerade as WannaCry, but it does not encrypt your files. Instead it lies dormant and undetected for 24 hours before downloading a suite of tools to perform further exploitation on the host's network; the delay is an attempt to be stealthier and to slow malware analysis. The purpose of EternalRocks appears to be to build a new and powerful botnet.
EternalRocks uses exploits freely released by the ShadowBrokers and created by the NSA.
The ShadowBrokers have announced that, starting next month, they will be auctioning 0-day exploits for a host of browsers, smartphones, routers and Windows operating systems, including the latest Windows 10.
Recommendation – there is little an organisation can do to prevent exploitation by a 0-day vulnerability; however, there are steps that can be taken to reduce the window of opportunity and the impact of any attack:
- Prompt and regular patching – robust patching reduces the window of opportunity for an attacker to exploit a system;
- Robust administrative processes – minimise the chance of human error;
- Regular testing for vulnerabilities – identifies any gaps in security;
- Effective logging and monitoring – helps spot an incident early, assists in investigation, helps reduce impact and helps to tune defences so that they become more effective.