EternalRocks

The developer of the EternalRocks SMB worm appears to have shut down his operation, following the intense media coverage his malware has received in the past seven days.

For people unaware of what EternalRocks is, this is a computer worm that uses the SMB protocol and NSA hacking tools to spread to Windows computers running vulnerable SMB services.

The EternalRocks SMB worm came to light last week, discovered by Croatian security researcher Miroslav Stampar. The worm took inspiration from the SMB worm component used by the WannaCry ransomware, but it used seven NSA hacking tools, instead of two.

Unlike the WannaCry SMB worm, which delivered the WannaCry ransomware binary, this SMB worm never deployed any malware on infected hosts (based on currently available information).

Nevertheless, because EternalRocks was discovered shortly after the WannaCry ransomware outbreak, it received intense media coverage after Bleeping Computer's initial report.

Overhyped news about a "doomsday worm" made the dev quit

This intense focus, from both news media and cyber-security firms, appears to have had an impact on the author of the EternalRocks worm, a person going by the nickname of "tmc."

Sometime on Wednesday, May 24, Stampar noticed that the EternalRocks C&C server — a web panel hosted on the Dark Web — featured a new message on its frontpage.

EternalRocks C&C panel

Forum Inside! Registration is Open!
Why so scary, I only firewall SMB port for you.
It's not ransomware

All new forum accounts are manually approved by tmc, but if a user were to be allowed inside, he'd find the following two messages posted by the EternalRocks dev, messages explaining his initial benign intentions when developing the worm.

First tmc message

It's not ransomware, it's not dangerous, it just firewalls
the smb port and moves on. I wanted to play some games with
them, considering I had visitors, but the news has too much
about weaponized doomsday worm eternal rocks payload. much
thought to be had... ps: nsa exploits were fun, thanks
shadowbrokers!

Second tmc message

btw, all I did was use the NSA tools for what they were
built, I was figuring out how they work, and next thing I
knew I had access, so what to do then, I was ehh, I will
just firewall the port, thank you for playing, have a nice
day.

EternalRocks now delivers dummy executable

Earlier today, Stampar confirmed a change in the SMB worm's mode of operation.

The first versions of the EternalRocks worm discovered last week work via a two-stage installation process. During the second stage of this process, which usually takes place after a waiting period of around 24 hours, EternalRocks would download a file named shadowbrokers.zip, containing the seven NSA hacking tools.

According to the Croatian researcher, the EternalRocks worm now downloads a dummy executable that features the following source code:

// nohost.exe.Program
// Decompiled dummy executable: the entry point is empty, so the program does nothing.
class Program
{
    private static void Main(string[] args)
    {
    }
}

Because the shadowbrokers.zip file is no longer downloaded, computers recently infected by EternalRocks won't be able to spread to other hosts.

Machines previously infected with EternalRocks will continue to scan for new victims, but as those devices are identified and their EternalRocks infections removed, the worm's network of infected devices will slowly die off. Unless, of course, tmc decides to make a comeback. We can never be sure of what will happen.

For the time being, the EternalRocks author seems to have defanged his own worm.

"Well, it seems that I captured author's worm in testing phase. It had great potential, though," Stampar told Bleeping Computer today. "[A]s reconstructed from previous versions, there was potentially enough info on him for somebody from law enforcement to connect two and two."

"Anyway, I suppose that he got scared because of all this fuss and just dropped everything before being blamed for even something he didn't do," the researcher added.

Article updated with quotes from Stampar.

Image credits: Miroslav Stampar & Bleeping Computer