Open main menu

EternalBlue, sometimes stylized as ETERNALBLUE,[1] is an exploit developed by the U.S. National Security Agency (NSA) according to testimony by former NSA employees.[2] It was leaked by the Shadow Brokers hacker group on April 14, 2017, and was used as part of the worldwide WannaCry ransomware attack on May 12, 2017.[1][3][4][5][6] The exploit was also used to help carry out the 2017 NotPetya cyberattack on June 27, 2017[7] and reported to be used as part of the Retefe banking trojan since at least September 5, 2017.[8]



EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. This vulnerability is denoted by entry CVE-2017-0144[9][10] in the Common Vulnerabilities and Exposures (CVE) catalog. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows mishandles specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer.[11]

The NSA eventually warned Microsoft after learning about EternalBlue’s possible theft, allowing the company to prepare a software patch issued in March 2017,[12] after cancelling all security patches in February 2017. On Tuesday, March 14, 2017, Microsoft issued security bulletin MS17-010,[13] which detailed the flaw and announced that patches had been released for all Windows versions that were currently supported at that time, these being Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, and Windows Server 2016, as well as Windows Vista (which had recently ended support).[14] Many Windows users had not installed the patches when, two months later on May 12, 2017, the WannaCry ransomware attack used the EternalBlue vulnerability to spread itself.[15][16] The next day, Microsoft released emergency security patches for Windows 7 and Windows 8, and the unsupported Windows XP and Windows Server 2003.[17]

In February 2018, EternalBlue was ported to all Windows operating systems since Windows 2000 by RiskSense security researcher Sean Dillon. EternalChampion and EternalRomance, two other exploits originally developed by the NSA and leaked by The Shadow Brokers, were also ported at the same event. They were made available as open sourced Metasploit modules.[18]


According to Microsoft, it was the US's NSA that was responsible, by dint of its controversial strategy of "stockpiling of vulnerabilities", for, at the least, preventing Microsoft from timely public patching of this, and presumably other, hidden bugs.[19][20]


EternalRocks or MicroBotMassiveNet is a computer worm that infects Microsoft Windows. It uses seven exploits developed by the NSA.[21] Comparatively, the WannaCry ransomware program that infected 230,000 computers in May 2017 only uses two NSA exploits, making researchers believe EternalRocks to be significantly more dangerous.[22] The worm was discovered via honeypot.[23]

EternalBlue was among the several exploits used, in conjunction with the DoublePulsar backdoor implant tool.[24]


EternalRocks first installs Tor, a private network that conceals Internet activity, to access its hidden servers. After a brief 24 hour "incubation period",[21] the server then responds to the malware request by downloading and self-replicating on the "host" machine.

The malware even names itself WannaCry to avoid detection from security researchers. Unlike WannaCry, EternalRocks does not possess a kill switch and is not ransomware.[21]

See alsoEdit


  1. ^ a b Goodin, Dan (April 14, 2017). "NSA-leaking Shadow Brokers just dumped its most damaging release yet". Ars Technica. p. 1. Retrieved May 13, 2017.
  2. ^ Nakashima, Ellen; Timberg, Craig (2017-05-16). "NSA officials worried about the day its potent hacking tool would get loose. Then it did". Washington Post. ISSN 0190-8286. Retrieved 2017-12-19.
  3. ^ Fox-Brewster, Thomas (May 12, 2017). "An NSA Cyber Weapon Might Be Behind A Massive Global Ransomware Outbreak". Forbes. p. 1. Retrieved May 13, 2017.
  4. ^ Goodin, Dan (May 12, 2017). "An NSA-derived ransomware worm is shutting down computers worldwide". Ars Technica. p. 1. Retrieved May 13, 2017.
  5. ^ Ghosh, Agamoni (April 9, 2017). "'President Trump what the f**k are you doing' say Shadow Brokers and dump more NSA hacking tools". International Business Times UK. Retrieved April 10, 2017.
  6. ^ "'NSA malware' released by Shadow Brokers hacker group". BBC News. April 10, 2017. Retrieved April 10, 2017.
  7. ^ Perlroth, Nicole; Scott, Mark; Frenkel, Sheera (June 27, 2017). "Cyberattack Hits Ukraine Then Spreads Internationally". The New York Times. Arthur Ochs Sulzberger Jr. p. 1. Retrieved June 27, 2017.
  8. ^ "EternalBlue Exploit Used in Retefe Banking Trojan Campaign". Threatpost. Retrieved 2017-09-26.
  9. ^ "CVE-2017-0144". CVE - Common Vulnerabilities and Exposures. The MITRE Corporation. September 9, 2016. p. 1. Retrieved June 28, 2017.
  10. ^ "Microsoft Windows SMB Server CVE-2017-0144 Remote Code Execution Vulnerability". SecurityFocus. Symantec. March 14, 2017. p. 1. Retrieved June 28, 2017.
  11. ^ "Vulnerability CVE-2017-0144 in SMB exploited by WannaCryptor ransomware to spread over LAN". ESET North America. Archived from the original on May 16, 2017. Retrieved May 16, 2017.
  12. ^ "NSA officials worried about the day its potent hacking tool would get loose. Then it did". Retrieved 25 September 2017.
  13. ^ "Microsoft Security Bulletin MS17-010 – Critical". Retrieved May 13, 2017.
  14. ^ Warren, Tom (May 13, 2017). "Microsoft issues 'highly unusual' Windows XP patch to prevent massive ransomware attack". The Verge. Vox Media. Retrieved May 13, 2017.
  15. ^ Newman, Lily Hay (March 12, 2017). "The Ransomware Meltdown Experts Warned About Is Here". p. 1. Retrieved May 13, 2017.
  16. ^ Goodin, Dan (May 15, 2017). "Wanna Decryptor: The NSA-derived ransomware worm shutting down computers worldwide". Ars Technica UK. p. 1. Retrieved May 15, 2017.
  17. ^ Warren, Tom (April 15, 2017). "Microsoft has already patched the NSA's leaked Windows hacks". The Verge. Vox Media. p. 1. Retrieved May 30, 2017.
  18. ^ "NSA Exploits Ported to Work on All Windows Versions Released Since Windows 2000". Retrieved 2018-02-05.
  19. ^ "The need for urgent collective action to keep people safe online: Lessons from last week's cyberattack - Microsoft on the Issues". Microsoft on the Issues. 2017-05-14. Retrieved 2017-06-28.
  20. ^ Titcomb, James (May 15, 2017). "Microsoft slams US government over global cyber attack". The Telegraph. p. 1. Retrieved June 28, 2017.
  21. ^ a b c "New SMB Worm Uses Seven NSA Hacking Tools. WannaCry Used Just Two)".
  22. ^ "Newly identified ransomware 'EternalRocks' is more dangerous than 'WannaCry' - Tech2". Tech2. 2017-05-22. Retrieved 2017-05-25.
  23. ^ "Miroslav Stampar on Twitter". Twitter. Retrieved 2017-05-30.
  24. ^ "stamparm/EternalRocks". GitHub. Retrieved 2017-05-25.

External linksEdit