News

More Windows PCs infected with NSA backdoor DoublePulsar

Although the exact number varies among security researchers, the DoublePulsar infection rate is climbing

The number of Windows computers infected with NSA backdoor malware continues to rise since Shadow Brokers leaked the hacking tools on April 14.

DoublePulsar infection rate climbing

Two different sets of researchers scanning for the DoublePulsar implant saw a significant bump in the number of infected Windows PCs over the weekend.

For example, Dan Tentler, CEO of the Phobos Group, suggested that Monday would not be a good day for many people, as his newest scan showed about 25 percent of all vulnerable and publicly exposed SMB machines are infected.

On Sunday, Tentler had scanned 1.17 million hosts and found 33,468 to be infected.

The infection rate had been holding steady at 2.85 percent before it climbed to 2.91 percent and then 2.95 percent. Tentler explained:

It is important to note that DoublePulsar is like a stealthy malware downloader; infected devices are open for more exploitation, as it can be used to download other malware.

“The presence of DoublePulsar doesn’t mean they’re infected by the NSA. It means there is a loading dock ready and waiting for whatever malware anyone wants to give it,” Tentler told CyberScoop. “The chances are none that all these hosts [were hacked by] the NSA. It is effectively trivial to go compromise all these hosts with the flick of a wrist.”

Elsewhere, using the detection script developed by Luke Jennings of Countercept, security firm Below0Day tweeted that it had detected 30,626 DoublePulsar implants on April 18. Of those, 11,078 were in the U.S. A few days later, Below0Day had detected an additional 25,960 implants.

On Sunday, Below0Day wrote:

On the afternoon of April 21st, we initiated another masscan to get a new list of hosts with open 445 port. This time around we identified 5,190,506 hosts with port 445 open. We then ran Countercept’s detect script and identified 56,586 hosts with DOUBLEPULSAR SMB implant.

The U.S. was still the most infected country, but 14,091 DoublePulsar implants were detected this time. That's up 3,013 from a few short days ago.

Microsoft’s viewpoint of DoublePulsar infection numbers

It was widely reported on Friday that thousands of Windows machines were infected with DoublePulsar. As it does now, the exact number of affected Windows boxes varied, depending upon which security researcher's numbers you trusted.

Microsoft, which issued patches to mitigate most of the exploits, expressed doubts about the accuracy of the number of real-world infections to Ars Technica on Friday. Ars added that “people should know that there's growing consensus that from 30,000 to 107,000 Windows machines may be infected by DoublePulsar. Once hijacked, those computers may be open to other attacks.”

Shodan shows more than 100,000 devices that could be infected

John Matherly, the creator of Shodan, added detection for DoublePulsar last week.

Matherly told CyberScoop that Shodan had indexed over 2 million IPs running a public SMB service on port 445 that are vulnerable to DoublePulsar. Last Friday, Matherly said more than 100,000 devices could be impacted, with 45,000 confirmed to be infected thus far.

DoublePulsar infections up by nearly 77,000 since Friday

Tiago Henriques, CEO of BinaryEdge, also said the number of devices infected with DoublePulsar is still climbing. The total number of infections on Monday morning, according to BinaryEdge, has increased 76,697 since the Friday. The company showed the total number of infections per day:

  • 106,410 - 21/04/2017
  • 116,074 - 22/04/2017
  • 164,715 - 23/04/2017
  • 183,107 - 24/04/2017
Related:

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues.

Copyright © 2017 IDG Communications, Inc.

How to choose a SIEM solution: 11 key features and considerations