The researcher who discovered a worm that combines seven US National Security Agency (NSA) exploits and attack tools, including EternalBlue and DoublePulsar used by WannaCry, says the author appears to have called it quits.
The EternalRocks worm attracted intense media attention because of fears that, once weaponised, it could have a much greater impact than the WannaCry ransomware attacks.
Some security commentators have said EternalRocks appears to be designed to establish a launchpad for future attacks using the NSA exploits.
The worm, also known as MicroBotMassiveNet, caused a stir in the wake of WannaCry because it uses seven of the exploits and attack tools developed by the NSA and leaked by the Shadow Brokers hacking group, including the two used by WannaCry.
EternalRocks was discovered and named by Miroslav Stampar, a security researcher and member of the Croatian government’s computer emergency response team (Cert), who captured a sample of the worm in a Windows 7 honeypot he runs.
According to his latest GitHub post, the command and control page for EternalRocks now enables registration for a forum that contains two messages.
The first message reads: “Its not ransomware, its not dangerous, it just firewalls the smb port and moves on. I wanted to play some games with them, considering I had visitors, but the news has to much about weaponized doomsday worm eternal rocks payload. much thought to be had... ps: nsa exploits were fun, thanks shadowbrokers!”
The second message reads: “btw, all I did, was use the NSA tools for what they were built, I was figuring out how they work, and next thing I knew I had access, so what to do then, I was ehh, I will just firewall the port, thank you for playing, have a nice a day.”
Stampar also reports that the code of EternalRocks has been updated so that it no longer downloads the ShadowBrokers exploit pack, but a dummy executable file instead.
“Well, it seems that I captured author’s worm in testing phase. It had great potential, though,” Stampar told Bleeping Computer. “Anyway, I suppose that he got scared because of all this fuzz and just dropped everything before being blamed for even something he didn’t do.”