EternalRocks author throws in the towel after media attention

Security researcher who discovered worm that could have bigger impact than WannaCry says the author seems to have given up

The researcher who discovered a worm that combines seven US National Security Agency (NSA) exploits and attack tools, including EternalBlue and DoublePulsar used by WannaCry, says the author appears to have called it quits.

The EternalRocks worm attracted intense media attention because of fears that, once weaponised, it could have a much greater impact than the WannaCry ransomware attacks.

Some security commentators have said EternalRocks appears to be designed to establish a launchpad for future attacks using the NSA exploits.

The worm, also known as MicroBotMassiveNet, caused a stir in the wake of WannaCry because it uses seven of the exploits and attack tools developed by the NSA and leaked by the Shadow Brokers hacking group, including the two used by WannaCry.

EternalRocks was discovered and named by Miroslav Stampar, a security researcher and member of the Croatian government’s computer emergency response team (Cert), who captured a sample of the worm in a Windows 7 honeypot he runs.

According to his latest GitHub post, the command and control page for EternalRocks now enables registration for a forum that contains two messages.

The first message reads: “Its not ransomware, its not dangerous, it just firewalls the smb port and moves on. I wanted to play some games with them, considering I had visitors, but the news has to much about weaponized doomsday worm eternal rocks payload. much thought to be had... ps: nsa exploits were fun, thanks shadowbrokers!”

The second message reads: “btw, all I did, was use the NSA tools for what they were built, I was figuring out how they work, and next thing I knew I had access, so what to do then, I was ehh, I will just firewall the port, thank you for playing, have a nice a day.”

Stampar also reports that the code of EternalRocks has been updated so that it no longer downloads the ShadowBrokers exploit pack, but a dummy executable file instead.

“Well, it seems that I captured author’s worm in testing phase. It had great potential, though,” Stampar told Bleeping Computer. “Anyway, I suppose that he got scared because of all this fuzz and just dropped everything before being blamed for even something he didn’t do.”
