Malware roundup: WannaCry, DoublePulsar, and EternalRocks
The world of software security vulnerabilities provides endless news topics to cover, and this past week is no different from any other. In today’s blog, we’ll discuss two pieces of malware, WannaCry and EternalRocks, that are built on the NSA tools the Shadow Brokers leaked this past April.
WannaCry has had countless blogs written about it. It uses two of the NSA tools from the Shadow Brokers leak last April. Of the many tools in that dump, WannaCry needed only EternalBlue and DoublePulsar. EternalBlue exploits a flaw in Microsoft’s SMBv1 server implementation, patched in March as MS17-010: a specially-crafted packet sent to an exposed SMB service (TCP port 445) lets an unauthenticated attacker execute code in the kernel of the target system. A host that is patched, or that has SMBv1 disabled, is not exploitable by it.
DoublePulsar is a backdoor that infected over two hundred thousand Windows machines in only a matter of weeks. It runs in kernel mode, hooks the SMB server, and grants attackers ring-0 control of the system. Its protocol has three commands: ping, kill, and exec. Exec is the one that matters to an attacker; it injects a payload (shellcode or a DLL) into a process on the target, and that is how WannaCry was loaded onto machines compromised with EternalBlue. Two properties are worth knowing: the implant lives only in memory, so a reboot removes it, and its reply to a ping is distinctive enough that an unauthenticated scanner can detect it across the network.
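As an added example (not code from the original post, from the leaked tools, or from any published scanner), here is how the ping command and its tell-tale reply look on the wire, in Python. It builds the SMB1 Transaction2 SESSION_SETUP request that carries the ping opcode, decodes the opcode from the Timeout field, and classifies a reply by its Multiplex ID. The opcode encoding (ping 0x23, kill 0xC8, exec 0xC2, read as the low byte of the sum of the Timeout field’s three low-order bytes) and the 0x51 reply follow the public analyses of the implant; the remaining field values are ordinary ones for an SMB1 client. The TID and UID assumed here (8 and 8) would in practice come from the Negotiate, Session Setup AndX and Tree Connect AndX exchange that precedes this request, which the example does not perform, and the reply bytes are constructed, not captured.

```python
"""DoublePulsar SMB1 "ping" probe helpers (added example; constructed data)."""
import struct

SMB_COM_TRANSACTION2 = 0x32
TRANS2_SESSION_SETUP = 0x000E   # Trans2 subcommand the implant hooks
REQUEST_MID = 0x41              # Multiplex ID we send; a clean server echoes it
IMPLANT_MID = 0x51              # Multiplex ID DoublePulsar answers a ping with
PING_TIMEOUT = 0x00A4D9A6       # 0xA4 + 0xD9 + 0xA6 = 0x223 -> low byte 0x23 (ping)

OPCODES = {0x23: "ping", 0xC8: "kill", 0xC2: "exec"}


def opcode_from_timeout(timeout: int) -> int:
    """Recover the implant opcode hidden in a Trans2 Timeout field."""
    total = ((timeout >> 16) & 0xFF) + ((timeout >> 8) & 0xFF) + (timeout & 0xFF)
    return total & 0xFF


def smb1_header(command: int, tid: int, uid: int, mid: int) -> bytes:
    """32-byte SMB1 header, little-endian (MS-CIFS 2.2.3.1)."""
    return struct.pack(
        "<4sBIBHH8sHHHHH",
        b"\xffSMB", command, 0,     # protocol id, command, NT status
        0x18, 0xC007, 0,            # Flags, Flags2, PIDHigh
        b"\0" * 8, 0,               # SecurityFeatures, Reserved
        tid, 0xFEFF, uid, mid,      # TID, PIDLow, UID, MID
    )


def build_trans2_ping(tid: int, uid: int, timeout: int = PING_TIMEOUT) -> bytes:
    """SMB_COM_TRANSACTION2 / SESSION_SETUP request carrying the ping opcode,
    with the 4-byte NetBIOS session header prepended."""
    words = struct.pack(
        "<BHHHHBBHIHHHHHBBH",
        15,          # WordCount
        12, 0,       # TotalParameterCount, TotalDataCount
        1, 0,        # MaxParameterCount, MaxDataCount
        0, 0,        # MaxSetupCount, Reserved1
        0,           # Flags
        timeout,     # Timeout: the implant reads its opcode from here
        0,           # Reserved2
        12, 66,      # ParameterCount, ParameterOffset (header + words + ByteCount + pad)
        0, 78,       # DataCount, DataOffset
        1, 0,        # SetupCount, Reserved3
        TRANS2_SESSION_SETUP,
    )
    body = smb1_header(SMB_COM_TRANSACTION2, tid, uid, REQUEST_MID) + words
    body += struct.pack("<H", 13) + b"\0" * 13   # ByteCount, pad byte, 12 parameter bytes
    return struct.pack(">I", len(body)) + body   # NetBIOS: zero byte + 24-bit length


def classify_smb_reply(data: bytes) -> str:
    """Classify the reply to build_trans2_ping(): 'doublepulsar', 'clean', or
    'unexpected' (not a Trans2 reply: error, SMB1 disabled, connection reset)."""
    if len(data) < 36 or data[4:8] != b"\xffSMB" or data[8] != SMB_COM_TRANSACTION2:
        return "unexpected"
    mid = struct.unpack_from("<H", data, 34)[0]   # 4-byte NetBIOS + header offset 30
    if mid == IMPLANT_MID:
        return "doublepulsar"
    if mid == REQUEST_MID:
        return "clean"
    return "unexpected"


def constructed_reply(mid: int) -> bytes:
    """Constructed (not captured) Trans2 reply with the given Multiplex ID,
    used to exercise classify_smb_reply() offline."""
    body = smb1_header(SMB_COM_TRANSACTION2, 8, 8, mid) + b"\x0a" + b"\0" * 22
    return struct.pack(">I", len(body)) + body


if __name__ == "__main__":
    req = build_trans2_ping(tid=8, uid=8)
    print(len(req), "bytes; opcode", OPCODES[opcode_from_timeout(PING_TIMEOUT)])
    for mid in (IMPLANT_MID, REQUEST_MID):
        print(hex(mid), "->", classify_smb_reply(constructed_reply(mid)))
```

Against a live host you would open a socket to port 445, run the three setup requests, send `build_trans2_ping(tid, uid)` and pass the first reply to `classify_smb_reply()`. A host with SMBv1 disabled or patched answers the sequence with an error, or not at all, which the `unexpected` result covers; that is not evidence of infection, only of a host the probe cannot speak to.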
EternalRocks is just the latest evolution of malware
If you wish to learn more about WannaCry, I encourage you to Google it. We’re going to move past WannaCry to a newer piece of malware. Where WannaCry used two pieces of the Shadow Brokers toolkit, EternalRocks uses seven. Yes, you heard me: seven! WannaCry exploited a single SMBv1 bug. EternalRocks bundles four SMB exploits from the leak (EternalBlue, EternalChampion, EternalRomance, and EternalSynergy), the two reconnaissance tools SMBTouch and ArchiTouch, which fingerprint a target’s SMB service and architecture so the right exploit can be chosen, and the DoublePulsar backdoor. EternalRocks has even found ways to disguise itself as WannaCry to try and fool researchers. The difference, aside from the number of tools used, is that EternalRocks carries no ransomware payload and no kill switch: it quietly gains persistent control of the affected system so that it can be used for future attacks.
DoublePulsar is also used to spread the worm to other systems on the same LAN. Installation of EternalRocks starts with the execution of its first stage, UpdateInstaller.exe, which fetches the .NET components it needs and drops svchost.exe and taskhost.exe. The dropped svchost.exe downloads and unpacks Tor and uses it to reach the command-and-control hidden service ubgdgno5ewkhmpy.onion. Only after 24 hours have passed does EternalRocks check back with that server, which then sends it the second stage carrying the seven tools we talked about; the delay is a cheap way to outlast automated sandboxes, which typically run a sample for a few minutes. Once the exploit pack has been unpacked, EternalRocks scans random Internet addresses for hosts with TCP port 445 open and attacks them.
Prevention and pondering why malware happens
We tend to sound like a broken record at times but, once again, our conclusions from this are:
1. Keep your systems up to date. For this family that means MS17-010 is applied everywhere, SMBv1 is disabled wherever nothing still depends on it, and TCP port 445 is not reachable from the Internet.
2. Use real passwords instead of leaving default logins in place, or no logins at all.
But in this conclusion, I’d like to bring up a capitalist perspective.
What does it say about the quality of products and services being put out in our day and age that such gross exploits were not only available to our own government but were being abused without our knowing it? Does our government possess advanced technology capable of finding these flaws in our code no matter how many hours we put into quality assurance?
Or are these vulnerabilities the result of careless oversights by multiple departments that are simply trying to meet a deadline or quota, so that in the end an incomplete and insecure product is pushed to market to appease shareholders? I ponder these questions constantly, yet answering them seems to be either an impossible or an inconvenient task for entire teams inside corporations.
These hypotheticals will only continue so long as we live in a world that values profit over quality.