CrAKeN Posted April 22, 2017

[Image: Geographical spread of computers infected with DOUBLEPULSAR]

DOUBLEPULSAR, one of the NSA hacking tools leaked last Friday by the Shadow Brokers, has been used in the wild by ordinary hackers, who infected over 36,000 computers across the world.

The Shadow Brokers leak from last Friday contained a trove of Windows hacking tools. Among these, there was FUZZBUNCH, a platform for delivering exploits against a selected target, similar to the Metasploit framework used by security researchers and pen-testers around the world.

The Shadow Brokers also leaked over 20 exploit packages that could be used together with FUZZBUNCH. These exploits attack a Windows computer through vulnerable services and open a connection that the NSA/hackers could exploit to plant malware on targeted computers.

A large number of the leaked NSA Windows exploits are designed to take advantage of vulnerabilities in the SMB (Server Message Block) protocol, which provides file sharing capabilities between Windows computers.

Meet DOUBLEPULSAR, the NSA's homegrown malware downloader

Included in the Shadow Brokers dump from last week were also "implants," the technical term used for malware planted on targeted computers. One of those implants is DOUBLEPULSAR, which is a "RING-0 multi-version kernel mode payload," according to security expert Matthew Hickey, or in simpler terms a "malware downloader" used as an intermediary for downloading more potent malware executables on infected hosts.

Earlier this week, trying to assess the number of users vulnerable to the malware leaked last Friday, cyber-security firm Below0Day performed an Internet-wide scan for Windows computers with open SMB ports (port 445). Their scan returned 5,561,708 Windows computers with port 445 exposed to external connections.

[Image: Scan results for computers with exposed SMB ports]

If the owners of these 5.5 million computers haven't installed the patches Microsoft made available for the SMB flaws exploited by the NSA tools, they are vulnerable to exploits such as ETERNALBLUE, ETERNALCHAMPION, ETERNALSYNERGY, ETERNALROMANCE, EMERALDTHREAD, or EDUCATEDSCHOLAR.

Over 36K computers already infected

The next step for Below0Day researchers was to take the 5.5 million IP addresses they previously identified and scan them with a tool released on Monday, capable of identifying computers infected with DOUBLEPULSAR based on SMB connection responses.

[Image: List of PCs infected with DOUBLEPULSAR]

When the results came in, researchers discovered 30,625 computers that provided an SMB reply consistent with a DOUBLEPULSAR infection.

According to threat intelligence company SenseCy, this shouldn't be a surprise, as hackers started discussing how to deploy the leaked NSA Windows hacking tools as soon as they appeared. What was a surprise was the large number of computers already infected with the NSA's former malware.

Because it takes a malware developer roughly a few hours to download the Shadow Brokers dump, scan the Internet, and run FUZZBUNCH to deliver some exploits, this is only the beginning, and experts expect more unpatched computers to fall victim to DOUBLEPULSAR.

Below is a map with the countries most affected by DOUBLEPULSAR infections.

[Image: Countries most affected by DOUBLEPULSAR infections]

Source
Holmes Posted April 22, 2017

United States, mainly to sniff out any possible terrorists that reside hidden in the United States.
Karlston Posted April 24, 2017

If you haven't installed the March Windows patch MS17-010, you need to hop to it

Ten days ago, the group known as Shadow Brokers released a pile of exploits, apparently developed by the NSA. After an initial period of dire predictions that the Windows sky was falling, Microsoft reassured us that most of the exploits were covered by the MS17-010 patch released back in March.

Yesterday, a report released by malware sleuths Below0day says that more than 5 million machines are exposed, of which 56,000 are infected by the DoublePulsar malware, although Dan Goodin at Ars Technica reports that Microsoft is skeptical of the numbers.

DoublePulsar gets in through a Shadow Brokers-leaked program called EternalBlue, and it works much like a backdoor, acting as a stepping stone to further exploits. At this point you should be concerned about all of the Shadow Brokers trove, but DoublePulsar has the potential to infect a lot of machines in very short order. Right now, it's infecting Windows machines that don't have MS17-010 installed, but are open to internet traffic through port 445.

It's important to realize that you don't have to do a thing in order to get infected. If you're running Windows and haven't installed MS17-010 and your machine can be accessed through port 445, you're a sitting duck. Chances are good that your local machine isn't susceptible to getting infected directly from the internet, but it may be open to infections from other machines on your local network.

If you want to see whether your tail is hanging out in the cloud, run Steve Gibson's venerable ShieldsUP! scanner. Type 445 in the Input box, then click User Specified Custom Port Probe. If the scan comes up Stealth or Closed, you're not vulnerable to being infected directly from the internet. That doesn't give you a clean bill of health.

Even if your machine is isolated from direct infection from the internet, there's also a possibility that a subverted machine inside your network could pass its infection on to you. (Details from MrBrian on the AskWoody Lounge.)

Whether port 445 is open or not, you should take steps right now to get MS17-010 installed on your Windows machines. The folks at @zerosum0x0 say:

    This is the most important patch for Windows in almost a decade, as it fixes several remote vulnerabilities for which there are now public exploits (EternalBlue, EternalRomance, and EternalSynergy). These are highly complex exploits.... [The Shadow Brokers leaked] framework essentially makes the [infection] process as easy as point and shoot.

Not sure if you're caught up? Here's how to check.

For Win10: In the Cortana search box, type winver.
- If you have version 1703, you're fine.
- If you have version 1607, you need to be on Build 14393.953 or later. (Note that the documentation in the KB article is wrong.)
- If you have version 1511, you need to be on Build 105867.839 or later.
- If you have Build 10240 (commonly called version 1507, but Microsoft didn't figure out the naming until later), you need to be on Build 10240.17319 or later.

In all cases for Win10, if you aren't up to those build numbers, you need to install the latest cumulative update. Follow my instructions to get your build number up to snuff, but don't be tempted to install anything else at this point.

For Win7: Right-click Start > Control Panel > Windows Update > View installed updates. You should have one of these listed:
- KB 4012212, the March Security-Only Group B patch
- KB 4012215, the March Monthly Rollup Group A patch
- KB 4015549, the April Monthly Rollup, which includes the March Monthly Rollup patch for MS17-010

If you don't have any of those listed, at a very minimum, you should download and install KB 4012212. Don't worry about Group A or Group B at this point. Installing KB 4012212 will protect you without committing your system to either Group A or Group B. There's a full description at PKCano's AKB 2000003, but if you only want the download links, look at this line:

    Mar 2017 KB 4012212 – Download 32-bit or 64-bit

Similarly, for Win 8.1, look for these installed updates:
- KB 4012213, the March Security-Only Group B patch
- KB 4012216, the March Monthly Rollup Group A patch
- KB 4015550, the April Monthly Rollup, which incorporates the March Monthly Rollup MS17-010 fixes

If you don't have any of those, look at PKCano's list:

    Mar 2017 KB 4012213 – Download 32-bit or 64-bit

That's what you need to do right now, to protect yourself from the NSA's swirling storm. Even if you don't install Windows 7 or 8.1 patches any more or you're having problems getting Windows 10 updated, you need to get MS17-010 on your system. Now.

Discussion continues on the AskWoody Lounge.

Source: More Shadow Brokers fallout: DoublePulsar zero-day infects scores of Windows PCs (InfoWorld - Woody Leonhard)
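The manual checks in the post above (winver build number on Windows 10, installed-updates list on Windows 7 and 8.1, and whether SMB is reachable on TCP 445) can be run as one read-only script. This is an added example, not code from the InfoWorld article, the AskWoody Lounge, or Microsoft. It assumes the KB numbers quoted in the post, the Windows 10 build floors 10240.17319, 10586.839 and 14393.953 (the post's "105867.839" is read here as a typo for the 10586 build line; treat that as my assumption) and that build 15063 (version 1703) shipped with the fix. Run it from an elevated PowerShell prompt on the machine being checked.

```powershell
# Added example (not from the article or the forum post): does this host carry
# the MS17-010 fix, and is SMB listening on TCP 445? Read-only; changes nothing.

$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuild                       # e.g. 14393 on Windows 10 1607
$ubr   = if ($cv.UBR) { [int]$cv.UBR } else { 0 }    # update build revision (Windows 10 only)

# Minimum UBR that carries MS17-010, keyed by Windows 10 build line.
# Assumption: 10586.839 for version 1511; 15063 (version 1703) needs nothing.
$win10Floors = @{ 10240 = 17319; 10586 = 839; 14393 = 953; 15063 = 0 }

# Updates that carry MS17-010 on Windows 7 / 8.1, as listed in the post
# (security-only, March rollup, April rollup), keyed by registry CurrentVersion.
$kbsByVersion = @{
    '6.1' = @('KB4012212', 'KB4012215', 'KB4015549')   # Windows 7 / Server 2008 R2
    '6.3' = @('KB4012213', 'KB4012216', 'KB4015550')   # Windows 8.1 / Server 2012 R2
}

function Test-MS17010Installed {
    # Returns $true (fix present), $false (missing) or $null (OS not covered here).
    if ($build -ge 10240) {                              # Windows 10 family
        if ($win10Floors.ContainsKey($build)) {
            return ($ubr -ge $win10Floors[$build])
        }
        return $true   # a build line newer than any listed post-dates the fix
    }
    $wanted = $kbsByVersion[[string]$cv.CurrentVersion]
    if (-not $wanted) { return $null }
    # Get-HotFix lists installed updates by KB id (same data as "View installed updates").
    $installed = (Get-HotFix).HotFixID
    foreach ($kb in $wanted) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Test-Smb445Listening {
    # netstat is available on every Windows version in scope; look for a TCP 445 listener.
    $lines = netstat -an | Select-String -Pattern '^\s*TCP\s+\S+:445\s+\S+\s+LISTENING'
    return [bool]$lines
}

$patched   = Test-MS17010Installed
$listening = Test-Smb445Listening

if     ($patched -eq $true)  { $state = 'present' }
elseif ($patched -eq $false) { $state = 'MISSING' }
else                         { $state = 'undetermined (OS not in this table)' }

"OS build : $build.$ubr (CurrentVersion $($cv.CurrentVersion))"
"MS17-010 : $state"
"TCP 445  : " + $(if ($listening) { 'listening' } else { 'not listening' })
if ($patched -eq $false -and $listening) {
    'Action: install the MS17-010 update now; this host accepts SMB connections.'
}
```

The listener check only says whether SMB is up locally; whether TCP 445 is reachable from the internet or from other machines on the LAN is a firewall question, which is why the post points at an external probe such as ShieldsUP!. A host that reports "MISSING" and "listening" is the case the post is warning about, even when the internet-facing probe comes back Stealth or Closed.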
steven36 Posted April 24, 2017

LOL, I thought they said they patched all the exploits years ago? This really puts a wrench in the plans of people who stopped doing Windows updates because of GWX. If I use a PC online I always make sure to keep it updated no matter what OS or platform I'm using. I'm very skeptical about Microsoft's plans for Windows right now, so I'm getting very heavily back into Linux. But I still keep my Windows updated if I use it.
Batu69 Posted April 24, 2017

Topic merged.
sam3971 Posted April 25, 2017

Closed here. lol
Togijak Posted April 25, 2017

I hate it that you only get the MS17-010 patch if you have updates enabled: "[2] This update is only available via Windows Update."
steven36 Posted April 25, 2017

4 hours ago, Togijak said:

    I hate it that you only get the MS17-010 patch if you have updates enabled: "[2] This update is only available via Windows Update."
    https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

How do you get that? You can download the MS17-010 patch from the Microsoft Update Catalog via the link above for all maintained Windows versions. For Windows 7 or 8.1 you can download it as a Security Only update or in a cumulative update (Monthly Rollup). Unless you have new hardware and are patching Windows 7 or 8.1 to still get updates, Windows Update is working really fast for me on Windows 7 now, so there's no need to use installers if on old hardware. To download from the Microsoft Update Catalog, any Chrome browser works fine for me, so I don't need IE and an ActiveX plugin; I always get errors in Firefox though. On this computer, on my Windows drive I have Windows 10 Creators Update; it already had the update built in from Microsoft, so I'm immune. On the other PCs in my network I have patched it.