7 NSA hack tool wielding follow-up worm oozes onto scene: Hello, no need for any phish!

Miscreants have created a strain of malware that targets the same vulnerability as the infamous WannaCrypt worm. The EternalRocks worm uses flaws in the Server Message Block (SMB) network file-sharing protocol to infect unpatched Windows systems. Unlike WannaCrypt, EternalRocks doesn't bundle a destructive malware payload, at …

  1. Bronek Kozicki

    smart move

    Covert infections will eventually allow the author to switch larger number of victims to ransomware mode. I guess something like it was to be expected.

    1. CrazyOldCatMan Silver badge

      Re: smart move

      "author to switch larger number of victims to ransomware mode"

      Or to later bundle keyboard/screen scrapers to capture bank account login details.

  2. fedoraman

    1Up

    +1 for "That difficult second album" -- oh yes!

    Nothing to do with the Second System Effect, cf. Rodney Brooks, The Mythical Man Month

    1. Roger Greenwood

      Re: 1Up

      "The Mythical Man Month" was by Frederick P Brooks as all El Reg readers will surely know.

  3. Anonymous Coward

    Kind of like the Darwin awards

    Will the world really miss those un-patched systems with open SMB ports?

    I'd be shocked if they weren't all pwned before this time, and already part of a botnet or two or three.

    Maybe we are just seeing evolution on an internet scale.

    1. wolfetone Silver badge

      Re: Kind of like the Darwin awards

      "Will the world really miss those un-patched systems with open SMB ports?"

      It would depend on what that particular installation was in charge of. Like payroll, a server containing child pornography, or a nuclear reactor.

      Hard to say really.

      1. Anonymous Coward

        Re: Kind of like the Darwin awards

        @wolfetone - I guess if un-patched systems with open SMB ports are running our nuclear reactors, then I'd better be stocking up on survival gear and freeze-dried food.

    2. Barely registers

      Re: Kind of like the Darwin awards

      More like culling of the weak and infirm....

      XP: "I'm not dead!"

      Customer: "What?"

      Microsoft: Nothing -- here's your next forced update.

      XP: I'm not dead!

      Customer: Here -- he says he's not dead!

      Microsoft: Yes, he is.

      XP: I'm not!

      Customer: He isn't.

      Microsoft: Well, he will be soon, he's very ill.

      XP: I'm getting better!

      Microsoft: No, you're not -- you'll be stone dead in a moment....

      // you know the rest.

      1. Rob D.

        Re: Kind of like the Darwin awards

        Only the award looks like it should go to Windows 7, not XP. There is emerging analysis that a tiny fraction of affected machines were XP and the primary platform of preference for WannaCry was Windows 7. For instance, https://arstechnica.co.uk/security/2017/05/windows-7-not-xp-was-the-reason-last-weeks-wcry-worm-spread-so-widely/

        I suspect that probably says more about the relative number of unprotected Windows 7 machines offering their SMB ports for pwnage, although it does leave a little potential kudos on the table for those who may have made a decision to continue using XP but taken sensible precautions.

        1. Bronek Kozicki

          Re: Kind of like the Darwin awards

          After August 2015 the only way to continue using a Windows 7 system was to disable automatic updates. Those who failed to do this were (almost) sure to wake up using Windows 10 at some moment before August 2016 (or later). In the light of this, it is not surprising that most infections are on Windows 7 systems. There probably are not many Windows 7 systems left in the world which are being patched on a regular basis.

          1. stanimir

            Re: Kind of like the Darwin awards

            Nah, try the unofficial updater built on GNU tools: wsusoffline.net

            1. CrazyOldCatMan Silver badge

              Re: Kind of like the Darwin awards

              "Nah, try the unofficial updater built on GNU tools: wsusoffline.net"

              Yeah - because it's such a good idea to rely on an unknown[1] 3rd-party for your system updates.

              [1] Regardless of whether it's built with open-source or not. That won't stop them injecting malicious updates if they chose to.

  4. John Smith 19 Gold badge

    So unpatched Windows 7 or only unpatched Windows 7 running XP?

    In theory this round should be tougher as most of the infectable should have been hardened.

    Or maybe not

  5. alain williams Silver badge

    It ought to have a pay-load

    A dialogue box that pops up every 5 minutes that says:

    You stupid pillock - you still have not applied the update from Microsoft. Do you want to be owned by something really malicious?

    1. Zog_but_not_the_first

      Re: It ought to have a pay-load

      Or tell me which is the security update I need to keep my system safe and which doesn't contain MS spyware.

  6. ITS Retired

    What's worse?

    WannaCrypt/EternalRocks style malware? Or taking a chance on Microsoft not killing all their operating systems, except Windows 10, with their beta security updates?

    I do not trust MS to do anything not in their own interests. They do think they own our computers and can tell us how they want us to be using them.

    1. Infernoz Bronze badge

      Re: What's worse?

      Not at all surprised, more deserved suffering for XP-tards, no sympathy or pity due!

      I'd say that Microsoft is the lesser of the two evils and it's often easier to mitigate or fix their issues, basically these XP-tards should have upgraded to the far more secure Windows 7, years ago. Offensive compromise and modification can be a far worse hassle to resolve than a failed update.

      What should be in place for all OS's is network port filtering blocks to stop risky ports like SMB being accessible on insecure networks like the Internet or public WiFi, using NAT in a router to block all unmapped ports, and if possible IP-range white-listing of ports by a firewall in XP to further limit exposure e.g. using Ghostwall.

  7. Anonymous Coward

    .. and again ..

    .. it's a Windows only problem.

    Just wanted to point that out to keep all the Redmond paid voters busy. And I will keep pointing that out every. f*cking. time. it IS a Redmond only problem.

    Because they usually are.
