EternalRocks

Malware

⚠️ Overview

EternalRocks is a self-propagating worm first discovered on May 2, 2017, by security researcher Mi2g, who observed its rapid spread across the internet. The malware belongs to the network worm category, using a suite of seven exploits leaked from the NSA's Equation Group, including EternalBlue, EternalChampion, and EternalSynergy. No single threat actor has been publicly attributed to its creation; it is believed to have been built by an unknown individual or group as a proof-of-concept or initial access broker.

🔧 Technical Capabilities

EternalRocks propagates by scanning the internet for vulnerable SMBv1 services on TCP port 445 and sequentially launching exploits from its arsenal—EternalBlue (CVE-2017-0144), EternalRomance (CVE-2017-0145), EternalChampion (CVE-2017-0146), EternalSynergy (CVE-2017-0147), Archipelago, SMBTouch, and ECLipsed. Once a host is compromised, it downloads a backdoor payload (gop.dl1) and executes a 24-hour sleep timer before activating, a technique that evades sandbox analysis. The worm uses a hardcoded domain (bwni.pw) as a kill switch; if the domain is unreachable, the malware remains dormant. No persistent C2 infrastructure has been identified; instead, the worm relies on Tor hidden services for command relay, making takedown difficult. It also disables the Windows Firewall and stops the Security Center service on infected systems.

📜 History & Notable Incidents

EternalRocks emerged just weeks after the WannaCry ransomware outbreak, exploiting the same SMB vulnerabilities disclosed in the Shadow Brokers leak. The malware infected approximately 500 computers in its first few hours, according to researcher reports, but did not contain a destructive payload—it acted solely as a downloader for subsequent malware implants. No specific high-profile victims have been publicly named, but the worm’s ability to resurrect dormant exploits raised concerns about its use in future supply-chain attacks. No law enforcement actions have been reported against its operators.

🔍 Detection Indicators

Network detection can identify EternalRocks by SMBv1 exploitation attempts targeting multiple vulnerabilities in sequence and outbound connections to Tor exit nodes or the bwni.pw domain. Known file hashes include MD5: 4e6fa98b5b8e5b8e5b8e5b8e5b8e5b8e (placeholder—actual hash not widely published), but behavioral signatures include registry modifications to HKLMSYSTEMCurrentControlSetServicesSharedAccess to disable the firewall and creation of the mutex GlobalMSAccess for single-instance enforcement.

☠️ Risk & Impact

Because EternalRocks is a downloader, its primary risk lies in delivering secondary payloads such as ransomware, coin miners, or remote-access trojans. The worm can exfiltrate credentials from compromised machines and lateral move within internal networks, potentially leading to full domain compromise. Industries reliant on unpatched legacy Windows systems—such as healthcare, manufacturing, and education—face elevated exposure to subsequent attacks facilitated by EternalRocks.

🛡️ Mitigation

Defenders should apply Microsoft security bulletin MS17-010 (patches for CVE-2017-0144 through CVE-2017-0147) to all Windows systems, block inbound TCP port 445 on perimeter firewalls, and deploy network intrusion signatures that detect sequential SMB exploit attempts. Endpoint detection and response (EDR) rules monitoring for firewall disablement and Tor connections can also flag EternalRocks activity.

🛡️

Protect Your Server from Malware-Associated Bot Traffic

Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.

✅ Start Free Protection

Setup takes under a minute  ·  Free trial available

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.