• NSA DoublePulsar malware has infected 36,000 computers

    From Virus Guy@1:396/4 to All on Wed May 10 00:06:30 2017
    From: Virus Guy <Virus@Guy.C0M>

    NSA DoublePulsar malware has infected 36,000 computers

    http://techgenix.com/nsa-doublepulsar-malware/

    A report by BleepingComputer's Catalin Cimpanu, using research from the
    cybersecurity firm Below0Day, has identified a large number of infections
    stemming from an NSA-developed malware downloader. Called DoublePulsar,
    the malware was first identified in the most recent Shadow Brokers dump of
    "implants." DoublePulsar functions as a malware and exploit downloader.
    Once it infects a system, DoublePulsar then begins to download and install
    various powerful strains of malware via exploits. Such exploits created by
    the NSA that are found in DoublePulsar include EternalBlue,
    EternalChampion, EternalSynergy, EternalRomance, EmeraldThread, and
    EducatedScholar.

    https://www.bleepingcomputer.com/news/security/over-36-000-computers-infected-with-nsas-doublepulsar-malware/

    These exploits target, as was pointed out by Cimpanu, SMB port 445
    connections related to Microsoft Windows. Microsoft, to its credit, did
    in fact release patches to block the NSA malware from utilizing
    exploits. The problem is, however, that security researchers at
    Below0Day discovered numerous computers already infected with
    DoublePulsar.

    To discover the DoublePulsar infection, Below0Day researchers scanned
    roughly 5.5 million externally exposed SMB ports that, if their Windows
    OS is unpatched, would be susceptible to the malware. Next, the team
    took those IP addresses used in the initial scan and utilized a tool
    created by Luke Jennings of Countercept. As explained by Jennings, the
    tool is “a set of python2 scripts for sweeping a list of IPs for the
    presence of both SMB and RDP versions of the DoublePulsar implant.”

    https://github.com/countercept/doublepulsar-detection-script

    Upon utilizing this tool, Below0Day uncovered over 36,000 computers that
    had been infected with DoublePulsar. Of these 36,000-plus infections,
    the majority of them were in the United States. See the below images
    from Below0Day to find both an example of the scan results, as well as
    an in-depth graph showing the countries most affected by DoublePulsar.

    http://techgenix.com/tgwordpress/wp-content/uploads/2017/04/DoublePulsarScanChart.jpg

    (interestingly, none appear to be in Canada)

    Some have taken me to task for my frequent critiques of government
    hacking operations. As a journalist, I am used to calls of treason or,
    as happened recently much to my amusement, being accused of working as a
    Russian operative. At the end of the day, however, my strong critiques
    stem from an InfoSec perspective.

    As seen from empirical evidence, the various NSA hacking tools (in this
    case DoublePulsar) have fallen into numerous hands, most certainly
    including black-hat hackers. In its reckless deployment of malware that
    nobody should have in their possession, the NSA has placed the entire
    world at risk of a powerful set of cyberattacks. The NSA's main mission
    is reconnaissance of all kinds, especially sensitive data (which is
    obtained at all costs, civil liberties be damned).

    With this in mind, imagine just how deeply compromised a system can
    become if these tools fall into the wrong hands. While the NSA swears
    that it is simply trying to protect the United States, the greatest
    irony is that the majority of the 36,000 DoublePulsar infections were
    based in America. I doubt this was the NSA's doing based on the IP
    addresses used, but rather black hats who illegally obtained the
    malware.

    The NSA, and all other entities in the global intelligence community,
    must rethink how they obtain information in the digital age.
    --- NewsGate v1.0 gamma 2
    * Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
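The post above describes the two-step methodology (sweep for exposed port 445, then send each host the DoublePulsar "ping" and judge the reply) but not what the ping and the reply look like on the wire. The following is an added, offline example written for this page; it is not the Countercept script and not code from the article. It builds the SMB1 Trans2 SESSION_SETUP probe and classifies raw replies by their Multiplex ID. Two details are assumptions taken from public analysis of the implant rather than from the post: the ping opcode (0x00A4D9A6) is carried in the Trans2 Timeout field, and an implanted host answers with Multiplex ID = request MID + 0x10 (0x41 becomes 0x51) while a clean host echoes the request MID. The sample replies and the 192.0.2.x hosts are constructed test data; the preceding Negotiate/Session Setup/Tree Connect exchange that supplies the TID and UID is not shown.

```python
"""Offline model of the DoublePulsar SMB ping check (added example, not the
Countercept script). Assumed from public analysis of the implant: the ping
opcode lives in the Trans2 Timeout field and an implanted host replies with
Multiplex ID = request MID + 0x10; a clean host echoes the MID unchanged."""
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
TRANS2_SESSION_SETUP = 0x000E
DOUBLEPULSAR_PING = 0x00A4D9A6     # assumed 'ping' opcode, sent in Timeout
DEFAULT_MID = 0x41                 # 'A'; an implant answers with 0x51, 'Q'
STATUS_NOT_IMPLEMENTED = 0xC0000002


def smb_header(command, status, tid, pid, uid, mid, flags=0x18, flags2=0xC007):
    """Pack the 32-byte SMB1 header (little-endian, unsigned, no signing)."""
    return struct.pack("<4sBIBHH8sHHHHH", SMB_MAGIC, command, status, flags,
                       flags2, 0, b"\x00" * 8, 0, tid, pid, uid, mid)


def netbios(frame):
    """Prefix an SMB message with the 4-byte NetBIOS session header."""
    return struct.pack(">I", len(frame)) + frame


def build_ping(tid, uid, mid=DEFAULT_MID, pid=0xFEFF):
    """Trans2 SESSION_SETUP request carrying the implant's ping opcode."""
    param_len = 12
    words = struct.pack(
        "<HHHHBBHIHHHHHBBH",
        param_len, 0,            # TotalParameterCount, TotalDataCount
        1, 0,                    # MaxParameterCount, MaxDataCount
        0, 0, 0,                 # MaxSetupCount, Reserved1, Flags
        DOUBLEPULSAR_PING,       # Timeout, abused by the implant as opcode
        0,                       # Reserved2
        param_len, 66,           # ParameterCount, ParameterOffset
        0, 66 + param_len,       # DataCount, DataOffset
        1, 0,                    # SetupCount, Reserved3
        TRANS2_SESSION_SETUP)    # Setup[0]
    body = bytes([len(words) // 2]) + words         # WordCount = 15
    data = b"\x00" * (1 + param_len)                # pad byte + zero params
    body += struct.pack("<H", len(data)) + data     # ByteCount = 13
    return netbios(smb_header(SMB_COM_TRANSACTION2, 0, tid, pid, uid, mid) + body)


def classify(reply, sent_mid=DEFAULT_MID):
    """Judge one raw reply to the ping: 'implant', 'clean' or 'unknown'."""
    if len(reply) < 36 or reply[4:8] != SMB_MAGIC:
        return "unknown"        # closed port, truncated frame, or not SMB1
    if reply[8] != SMB_COM_TRANSACTION2:
        return "unknown"        # reply to something other than our Trans2
    mid = struct.unpack_from("<H", reply, 34)[0]    # MID: last header field
    if mid == (sent_mid + 0x10) & 0xFFFF:
        return "implant"
    if mid == sent_mid:
        return "clean"
    return "unknown"


def sweep(replies, sent_mid=DEFAULT_MID):
    """The list-sweep step: map {host: raw_reply} to {host: verdict}."""
    return {host: classify(reply, sent_mid) for host, reply in replies.items()}


def make_reply(mid, status=STATUS_NOT_IMPLEMENTED, tid=0x0800, uid=0x0800):
    """Constructed Trans2 error reply (WordCount 0, ByteCount 0) for tests."""
    body = b"\x00" + struct.pack("<H", 0)
    return netbios(smb_header(SMB_COM_TRANSACTION2, status, tid, 0xFEFF, uid, mid) + body)


# Constructed sample capture (not real scan data): implanted, clean, silent.
SAMPLE_REPLIES = {
    "192.0.2.10": make_reply(DEFAULT_MID + 0x10),   # MID 0x51 -> implant
    "192.0.2.11": make_reply(DEFAULT_MID),          # MID 0x41 echoed -> clean
    "192.0.2.12": b"\x00\x00\x00\x00",              # empty frame -> unknown
}

if __name__ == "__main__":
    probe = build_ping(tid=0x0800, uid=0x0800)
    print(f"ping probe: {len(probe)} bytes, request MID 0x{DEFAULT_MID:02x}")
    for host, verdict in sweep(SAMPLE_REPLIES).items():
        print(f"{host:12s} {verdict}")
```

The check deliberately keys on the Multiplex ID alone: a clean Windows host also answers the unimplemented SESSION_SETUP subcommand with an NT error, so the status code does not separate the two cases, and anything that is not a Trans2 reply (an SMB2-only host, a closed port, a filtered probe) is reported as unknown rather than clean.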