Researchers have detected a new worm called EternalRocks that is spreading, but unlike the WannaCry ransomware, this one uses seven NSA tools instead of two. The worm's existence first came to light on Wednesday, May 17, after it infected an international security vendor's test system. Gibraltar is engaging our security vendors and OS manufacturers to make certain patches have been roadmapped and to determine the release timeline. Once a hotfix or definition is released, we will patch all systems and report to our clients.
EternalRocks currently does not deliver any malicious content. According to industry leaders, it's more complex and far sneakier than WannaCry. Once it infects a victim, the worm uses a two-stage installation process, with a delayed second stage. During the first stage, EternalRocks gains a foothold on an infected host, downloads its client, and beacons to its server, located on the Dark Web.
Only after a predefined period, currently 24 hours, does the server respond. The purpose of this long delay is to bypass security testing environments and security research firms, as very few will wait a full day for a response from the server.
Gibraltar is actively working with our security vendors to identify who may be affected, and any newly developed patches or definitions that need to be applied.