Eternal Blues tool

Security researcher Elad Erez has created a tool named Eternal Blues that system administrators can use to test if computers on their network are vulnerable to exploitation via NSA's ETERNALBLUE exploit.

Erez released his tool on Wednesday, a day after the NotPetya ransomware caused damages to thousands of computers across the globe.

Just like WannaCry did in last month's outbreak, NotPetya also used ETERNALBLUE as a means to spread from one computer to the next.

In hacking and cyber-security circles, ETERNALBLUE is considered one of the most potent exploits ever seen. A testament to its efficiency and ability to create virulent threats stand the two ransomware outbreaks that took place just two months after its release.

Under the hood, ETERNALBLUE leverages a vulnerability (CVE-2017-0144) in the SMBv1 file sharing protocol. Windows computers — where SMBv1 comes enabled by default — mishandles specially crafted SMB packets and allows an attacker to execute arbitrary code on the user's computer.

Eternal Blues was created for simple folks

Technically, an attacker could hack Windows computers with one SMB packet. This is also how Erez's tool works.

Eternal Blues will ping computers in a network range and detect if they are vulnerable to those specially crafted packets, but without exploiting the flaw to run any code on the scanned computers.

When users launch Eternal Blues, the tool allows users to scan their local LAN, but Erez says the tool can be used to scan any network range on the Internet, not just local networks.

The researcher admits that his tool is nowhere near as advanced as NMap, Metasploit, or others, but he says he intentionally created a simpler tool because he wanted a one-click solution to detect computers vulnerable to ETERNALBLUE that less technical users can utilize, and not just infosec professionals.

The target audience for Eternal Blues is ordinary sysadmins who have seen WannaCry and NotPetya ransomware wreak havoc in other companies and want to see if their networks are vulnerable, in order to install the necessary updates.

Tool collects anonymized usage data

Just be aware that the tool also uses Google Analytics to collect anonymized usage data. Collected information includes the number of scanned computers and the number of vulnerable computers found per scan. Erez says the tool doesn't collect hostname information, IP addresses, or any other personal data.

Speaking to Bleeping Computer, Erez said he'll share some of these usage statistics in the future. "As for now, more than 350 scans were taken from 50 countries in less than 24 hours," the researcher wrote in an email.

Erez, who works as Director of Innovation at Imperva, created this tool as a personal project. Users can report bugs or download Eternal Blues via the researcher's personal blog.

Update July 12, 2017: As promised, Erez published a blog post with statistics gathered from Eternal Blues usage in the past two weeks.

Related Articles:

The Week in Ransomware - October 12th 2018 - NotPetya, GandCrab, and More

The Week in Ransomware - October 19th 2018 - GandCrab, Birbware, and More

GandCrab Devs Release Decryption Keys for Syrian Victims

SEO Poisoning Campaign Targeting U.S. Midterm Election Keywords

Windows 10 Ransomware Protection Bypassed Using DLL Injection