
Flowmon ADS BPATTERNS Description

EternalRocks - description

  • Last Updated: May 1, 2026

Source: Understanding EternalRocks: A comprehensive analysis of the worm that leverages NSA exploits

EternalRocks spreads by targeting SMB ports exposed to the internet.

When the malware finds open ports, it uses one of four SMB exploit tools that target different vulnerabilities in the Microsoft SMB file-sharing protocol to infiltrate the network.

After infiltrating a system, EternalRocks downloads the Tor browser. This browser allows anonymous web browsing and access to Dark Web sites that standard browsers like Chrome, Internet Explorer, or Firefox cannot reach.

The malware uses Tor to connect to a command and control (C&C) server on the Dark Web.

The C&C server responds after a 24-hour delay and sends an archive containing seven SMB exploits. This delay helps the malware avoid detection by security sandboxes.

The worm then scans the internet for additional open SMB ports to spread the infection to other organizations.

Note that this detection may generate false positives because it identifies connections to torproject.org, which legitimate applications might also use.
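As an added illustration of how the false positives mentioned above can be reduced by correlating the torproject.org indicator with the worm's follow-on behaviour (an outbound sweep of TCP/445 on external addresses), the following Python is example code written for this description, not part of the Flowmon product or its documentation; the flow records, internal prefixes, 48-hour window and five-target threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not Flowmon export data):
# (timestamp, source IP, destination host or IP, destination port)
FLOWS = [
    ("2026-05-01T07:59:00", "10.0.0.5", "203.0.113.12", 445),  # before Tor contact: not counted
    ("2026-05-01T08:00:00", "10.0.0.5", "www.torproject.org", 443),
    ("2026-05-01T08:00:30", "10.0.0.5", "203.0.113.10", 445),
    ("2026-05-01T08:00:31", "10.0.0.5", "203.0.113.11", 445),
    ("2026-05-01T08:00:32", "10.0.0.5", "198.51.100.7", 445),
    ("2026-05-01T08:00:33", "10.0.0.5", "198.51.100.8", 445),
    ("2026-05-01T08:00:34", "10.0.0.5", "192.0.2.44", 445),
    ("2026-05-01T08:00:35", "10.0.0.5", "10.0.0.20", 445),    # internal file server: not counted
    ("2026-05-01T09:00:00", "10.0.0.9", "www.torproject.org", 443),  # Tor user, no SMB sweep
    ("2026-05-01T09:10:00", "10.0.0.9", "10.0.0.20", 445),
    ("2026-05-01T07:00:00", "10.0.0.7", "203.0.113.99", 445),  # SMB without any Tor contact
]

# Assumed internal address space (RFC 1918); adjust to the monitored network.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _is_external(dst):
    """True for a routable IP outside INTERNAL; hostnames are not SMB targets here."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL)


def score_hosts(flows, window=timedelta(hours=48), min_targets=5):
    """Return {src_ip: distinct external TCP/445 targets} for sources that contacted
    torproject.org and then touched at least min_targets external hosts on 445
    within window. Contacting torproject.org alone never produces a hit."""
    tor_first = {}
    for ts, src, dst, port in sorted(flows, key=lambda f: f[0]):
        if dst.endswith("torproject.org") and src not in tor_first:
            tor_first[src] = datetime.fromisoformat(ts)
    targets = defaultdict(set)
    for ts, src, dst, port in flows:
        if src not in tor_first or port != 445 or not _is_external(dst):
            continue
        t = datetime.fromisoformat(ts)
        if tor_first[src] <= t <= tor_first[src] + window:
            targets[src].add(dst)
    return {src: len(s) for src, s in targets.items() if len(s) >= min_targets}
```

Only 10.0.0.5 is reported; the host that merely visited torproject.org and the host that scanned SMB without a Tor download are left alone.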

EternalRocks infection chain and behavior diagram
