Has your Windows machine been implanted with NSA’s DoublePulsar backdoor? If you haven’t implemented the security updates released by Microsoft in March, chances are good that it has.
What is DoublePulsar?
DoublePulsar is a backdoor implant that enables the injection and running of DLLs – potentially malicious ones – on Windows computers.
It was recently leaked by the Shadow Brokers, and hackers have been using it – in conjunction with the EternalBlue exploit – to compromise computers around the world.
EternalBlue is capable of penetrating machines running unpatched Windows XP through Windows Server 2008 R2, by exploiting vulnerabilities in the Microsoft Windows SMB Server.
As was expected, hackers have begun leveraging the leaked exploits and backdoors to gain control of vulnerable computers.
Security researchers are trying to discover just how many there are, through the use of a DoublePulsar detection script created by Luke Jennings of Countercept.
The script checks hosts for the presence of the implant by sending a specially crafted SMB request to TCP port 445, to which the backdoor answers with a distinctive reply that a clean SMB server does not produce.
The number of compromised machines keeps changing with each new probe: 164,715; 30,626; 56,586; 33,468.
The wildly divergent numbers could be down to the fact that DoublePulsar does not persist after a reboot. It was posited there could be an error in the script that makes it return a considerable number of false positives, but security researcher and consultant Dan Tentler says no: the numbers are actually that high. And they are expected to get higher.
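The reply-side check behind that kind of detection, as an added example (not Countercept's script and not code from the original article): it parses the SMB1 header of a captured response and flags the implant's known multiplex-ID signature (the probe is sent with MID 0x41; a clean server echoes it back, the implant answers with MID 0x51). The host names and reply bytes below are constructed test data, and the example covers only classifying replies, not sending the probe.

```python
import struct

# NetBIOS-framed SMB1 message: 4-byte NetBIOS session header, then the
# 32-byte SMB header at offsets 4..36 (field order as in MS-CIFS).
SMB_MAGIC = b"\xffSMB"
SMB_HEADER_FMT = "<BIBHHQHHHHH"    # command .. mid, the 28 bytes after the magic
SMB_COM_TRANSACTION2 = 0x32
FLAGS_REPLY = 0x80                  # set on every server response
MID_PROBE = 0x41                    # multiplex ID the detection probe sends
MID_IMPLANT = 0x51                  # multiplex ID DoublePulsar answers with

def parse_smb_header(data: bytes) -> dict:
    """Return the SMB1 header fields of a NetBIOS-framed message."""
    if len(data) < 36 or data[4:8] != SMB_MAGIC:
        raise ValueError("not a NetBIOS-framed SMB1 message")
    names = ("command", "status", "flags", "flags2", "pid_high",
             "signature", "reserved", "tid", "pid_low", "uid", "mid")
    return dict(zip(names, struct.unpack(SMB_HEADER_FMT, data[8:36])))

def is_doublepulsar_reply(data: bytes) -> bool:
    """True if data is a Trans2 response carrying the implant's MID signature.
    Meaningful only for the reply to a probe sent with MID 0x41: a clean
    server echoes that MID back, the implant substitutes 0x51."""
    try:
        hdr = parse_smb_header(data)
    except ValueError:
        return False           # malformed or non-SMB traffic is not a hit
    return (hdr["command"] == SMB_COM_TRANSACTION2
            and bool(hdr["flags"] & FLAGS_REPLY)
            and hdr["mid"] == MID_IMPLANT)

def build_trans2_reply(mid: int, status: int = 0) -> bytes:
    """Construct a minimal Trans2 response for testing (not a real capture)."""
    header = SMB_MAGIC + struct.pack(SMB_HEADER_FMT, SMB_COM_TRANSACTION2,
                                      status, FLAGS_REPLY, 0xC807, 0, 0, 0,
                                      0, 0xFEFF, 0, mid)
    body = b"\x00\x00\x00"     # WordCount 0, ByteCount 0
    # NetBIOS session header: type 0x00 plus 24-bit big-endian length
    return struct.pack(">I", len(header) + len(body)) + header + body

def flag_hosts(replies: dict) -> list:
    """replies maps host -> reply bytes; returns hosts showing the signature."""
    return sorted(h for h, r in replies.items() if is_doublepulsar_reply(r))

# Constructed sample: a clean host echoes MID 0x41, an implanted one answers
# with MID 0x51 (the status value is constructed; detection keys on the MID).
SAMPLE_REPLIES = {
    "lab-host-a": build_trans2_reply(MID_PROBE),
    "lab-host-b": build_trans2_reply(MID_IMPLANT, status=0xC0000002),
}
```

Because the implant does not survive a reboot, a host that is clean on one pass and flagged on the next is consistent with the fluctuating counts reported above.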
What to do?
If you own a Windows machine, and you haven’t patched in the last few months, get to it now.
Windows XP and Server 2003 users, unfortunately, can’t do it because Microsoft didn’t release patches for these unsupported versions of the OS. But they can put the machine behind a firewall to block unauthorised access to port 445.
Users would also do well to remember that while rebooting the machine will get rid of DoublePulsar, there is no guarantee that the attackers haven’t already used it to download and install other, more persistent malware on it.