DoublePulsar: Leaked NSA Exploit Infects >50,000 Windows Computers
An NSA hacking tool leaked by Shadow Brokers, a mysterious person or group that has been releasing much of NSA’s weaponised software exploits, has begun infecting tens of thousands of computers with malware, according to private researchers.
As more scan results are published, the scale of the infections becomes clearer. DoublePulsar, as the NSA implant is codenamed, is currently believed to have infected well over 10,000 machines.
What is DoublePulsar?
Installed with the EternalBlue exploit, DoublePulsar is malware that targets computers running Windows. It is a backdoor through which other malware can be loaded onto infected computers.
The infected machines can be used to distribute malware, send spam, and launch attacks on other computers. The implant provides a stealthy and reliable way for infected machines to communicate with an attacker-controlled command-and-control server.
To remain stealthy, DoublePulsar doesn’t write any files to the computers it infects. Hence, it is non-persistent, meaning that when the infected machine reboots it is cleared from memory. However, it is likely that other malware installed using it would persist through a reboot. Even if the system is rebooted before other malware is installed, the machine remains vulnerable to being re-exploited by another attacker.
Independent Scan Results
Independent researchers have found widely varying results in detecting infected systems. However, the results confirm that the infections are on the rise and not to be taken lightly.
Separate scans, one by Errata Security CEO Rob Graham and another by researchers from Below0day, detected roughly 41,000 and 30,000 infected machines, respectively. Over the weekend, Below0day released the results of another scan that detected 56,586 infected Windows boxes, an 85-percent increase over the 30,626 infections initially detected.
Rendition Infosec has also started scans of its own to assess the situation. Some noted that the implant's non-persistence could be a reason for over-inflated results, but Rendition is confident that:
After performing some of our own analysis (both with custom written and publicly available scripts) Rendition is confident that most of the numbers we’ve seen reported are not inflated and are not the result of problems with the scanning tools.
As of last night, Rendition found 156,511 machines infected with DoublePulsar. A total of 1,794,197 answered requests for SMB interrogation.
The results, however, fail to convince everyone. The number of infections seems too high for an implant belonging to the NSA, a highly secretive agency that almost always prefers to abort a mission over risking its detection.
Hence, critics speculate that a bug in a widely used detection script is generating false positives. Some speculate that copycat hackers have downloaded the DoublePulsar binary released by Shadow Brokers and are using it to infect unpatched Windows computers.
Microsoft’s Mysterious Patch
Several of the Windows exploits were patched by Microsoft just a month before they were released by Shadow Brokers. Judging from the exploit list provided, running Windows 10 or Windows Server 2016 is enough to protect yourself against these attacks.
The updates, indexed as MS17-010, CVE-2017-0146, and CVE-2017-0147, made no mention of who reported the vulnerabilities to Microsoft. That seemed odd and generated speculation that the reporters were probably tied to the NSA. Another plausible theory is that the Shadow Brokers released the 0day binaries because Microsoft had already patched them.
However, since the updates were fairly recent, chances are many users have not yet updated their systems and are still vulnerable to the attacks, as proved by the scan reports.
According to ArsTechnica, Microsoft has played down the number of infections, doubting the accuracy of the scanning results.
In a statement issued Tuesday, a Microsoft representative wrote:
Customers with up-to-date software are protected from this malware, which requires an already-compromised machine to run. We encourage customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers. For more information on protecting computers against malware, please visit https://aka.ms/bm9atl.
DoublePulsar Detection Script
Countermeasures have been taken against the attacks. Security firm Countercept published a DoublePulsar detection script last week. An update on Tuesday now allows people anywhere on the Internet to remotely uninstall the implant from any infected machine.
Researcher Kevin Beaumont spoke to Ars about the procedure for detecting DoublePulsar. It involves sending a series of SMB (server message block) queries to Internet-facing computers. By modifying two bytes of the query, the same person can remove the infection from a computer that tests positive.
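The check Beaumont describes hinges on how an infected host answers the SMB probe. As an added illustration, not the Countercept script nor any code from the article, the Python below parses the SMB1 header of a captured probe response and classifies it; it assumes the widely documented signature that a DoublePulsar-infected host answers the Trans2 SESSION_SETUP ping with Multiplex ID 0x51 where a clean host returns 0x41, and the response bytes are constructed for the example.

```python
import struct

# SMB1 header (32 bytes, little-endian) that follows the 4-byte NetBIOS
# session header: protocol id, command, NT status, flags, flags2, PID high,
# signature, reserved, TID, PID low, UID, MID (multiplex id).
SMB_HEADER = struct.Struct("<4sBIBHH8sHHHHH")
SMB_COM_TRANSACTION2 = 0x32
MID_CLEAN = 0x41     # ordinary reply to the Trans2 SESSION_SETUP probe
MID_INFECTED = 0x51  # documented DoublePulsar ping acknowledgement (0x41 + 0x10)


def parse_smb_header(raw: bytes) -> dict:
    """Strip the NetBIOS session header and unpack the SMB1 header fields."""
    if len(raw) < 4 + SMB_HEADER.size:
        raise ValueError("response too short for an SMB1 header")
    nb_type = raw[0]
    nb_len = int.from_bytes(raw[1:4], "big")
    if nb_type != 0x00 or nb_len != len(raw) - 4:
        raise ValueError("malformed NetBIOS session message")
    fields = SMB_HEADER.unpack_from(raw, 4)
    if fields[0] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    names = ("proto", "command", "status", "flags", "flags2", "pid_high",
             "signature", "reserved", "tid", "pid", "uid", "mid")
    return dict(zip(names, fields))


def classify_response(raw: bytes) -> str:
    """Return 'infected', 'clean' or 'unknown' for a Trans2 probe response."""
    hdr = parse_smb_header(raw)
    if hdr["command"] != SMB_COM_TRANSACTION2:
        return "unknown"  # not the reply to our probe; say nothing either way
    if hdr["mid"] == MID_INFECTED:
        return "infected"
    if hdr["mid"] == MID_CLEAN:
        return "clean"
    return "unknown"


def build_sample_response(mid: int) -> bytes:
    """Constructed Trans2 reply carrying the given MID (test data, not captured traffic)."""
    body = SMB_HEADER.pack(b"\xffSMB", SMB_COM_TRANSACTION2, 0, 0x98, 0xC807, 0,
                           b"\x00" * 8, 0, 0x0800, 0xFEFF, 0x0800, mid)
    body += b"\x00\x00\x00"  # word count 0, byte count 0
    return b"\x00" + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    for mid in (MID_INFECTED, MID_CLEAN):
        print(hex(mid), classify_response(build_sample_response(mid)))
```

The same classifier can be run over SMB responses pulled from a packet capture of a scan of your own network, which is how the detection script's verdict can be cross-checked when false positives are suspected.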
While the script provides a solution, one can also use the malware's non-persistence to advantage: a simple reboot is all it takes to remove the implant from the system.
The Countercept script, however, offers an attractive way to remove the infection at scale. Running it against systems one does not own may expose one to legal action, but for admins managing a large network of computers it is definitely a go-to solution.