More Windows PCs infected with NSA backdoor DoublePulsar

The number of Windows computers infected with NSA backdoor malware continues to rise since Shadow Brokers leaked the hacking tools on April 14.

DoublePulsar infection rate climbing

Two different sets of researchers scanning for the DoublePulsar implant saw a significant bump in the number of infected Windows PCs over the weekend.

For example, Dan Tentler, CEO of the Phobos Group, suggested that Monday would not be a good day for many people, as his newest scan showed about 25 percent of all vulnerable and publicly exposed SMB machines are infected.

Interesting! new scan suggests ~25% of all vulnerable smb machines publicy exposed are currently infected. expect more bloodbath. pic.twitter.com/2rR4Yyhxtc

— Dan Tentler (@Viss) April 24, 2017

On Sunday, Tentler had scanned 1.17 million hosts and found 33,468 to be infected.

current status: 1.17 million host scanned 33,468 found infected. pic.twitter.com/GEeOYKMgjP

— Dan Tentler (@Viss) April 23, 2017

The infection rate had been holding steady at 2.85 percent before it climbed to 2.91 percent and then 2.95 percent. Tentler explained:

@parrotgeek1 3% of all endpoints, not just windows. 3% of “every machine on the internet with 445 open” its not always smb, not always windows.

— Dan Tentler (@Viss) April 23, 2017

It is important to note that DoublePulsar is like a stealthy malware downloader; infected devices are open for more exploitation, as it can be used to download other malware.

“The presence of DoublePulsar doesn’t mean they’re infected by the NSA. It means there is a loading dock ready and waiting for whatever malware anyone wants to give it,” Tentler told CyberScoop. “The chances are none that all these hosts [were hacked by] the NSA. It is effectively trivial to go compromise all these hosts with the flick of a wrist.”

Elsewhere, using the detection script developed by Luke Jennings of Countercept, security firm Below0Day tweeted that it had detected 30,626 DoublePulsar implants on April 18. Of those, 11,078 were in the U.S. A few days later, Below0Day had detected an additional 25,960 implants.

Scan 4.22.17 with latest @Countercept detect script #DOUBLEPULSAR SMB implant Top25 countries 56,586 detected! #shadowbrokers #infosec pic.twitter.com/KNT2Uo35OV

— Below0Day (@belowzeroday) April 23, 2017

On Sunday, Below0Day wrote:

On the afternoon of April 21st, we initiated another masscan to get a new list of hosts with open 445 port. This time around we identified 5,190,506 hosts with port 445 open. We then ran Countercept’s detect script and identified 56,586 hosts with DOUBLEPULSAR SMB implant.

The U.S. was still the most infected country, but 14,091 DoublePulsar implants were detected this time. That’s up 3,013 from a few short days ago.

.@countercept Quick writeup of our research & short analysis. #DOUBLEPULSAR #shadowbrokers #infosec https://t.co/nc4IETfj1e pic.twitter.com/dYKrS9WlBx

— Below0Day (@belowzeroday) April 24, 2017

Microsoft’s viewpoint of DoublePulsar infection numbers

It was widely reported on Friday that thousands of Windows machines were infected with DoublePulsar. As it does now, the exact number of affected Windows boxes varied, depending upon which security researcher’s numbers you trusted.

Microsoft, which issued patches to mitigate most of the exploits, expressed doubts about the accuracy of the number of real-world infections to Ars Technica on Friday. Ars added that “people should know that there’s growing consensus that from 30,000 to 107,000 Windows machines may be infected by DoublePulsar. Once hijacked, those computers may be open to other attacks.”

Shodan shows more than 100,000 devices that could be infected

John Matherly, the creator of Shodan, added detection for DoublePulsar last week.

Shodan has added detection for DOUBLEPULSAR to SMB. Affected IPs have the “doublepulsar” tag added to them. Example: https://t.co/kYZulylQ1s

— John Matherly (@achillean) April 21, 2017

Matherly told CyberScoop that Shodan had indexed over 2 million IPs running a public SMB service on port 445 that are vulnerable to DoublePulsar. Last Friday, Matherly said more than 100,000 devices could be impacted, with 45,000 confirmed to be infected thus far.

DoublePulsar infections up by nearly 77,000 since Friday

Tiago Henriques, CEO of BinaryEdge, also said the number of devices infected with DoublePulsar is still climbing. The total number of infections on Monday morning, according to BinaryEdge, has increased 76,697 since the Friday. The company showed the total number of infections per day:

• 106,410 – 21/04/2017
• 116,074 – 22/04/2017
• 164,715 – 23/04/2017
• 183,107 – 24/04/2017