Mediaboss Marketing

By Ms. Smith, Network World | Apr 24, 2017 7:50 AM PT

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues.

Your message has been sent.

There was an error emailing this page.

The number of Windows computers infected with NSA backdoor malware continues to rise sinceShadow Brokers leaked the hacking tools on April 14.

Two different sets of researchers scanning for the DoublePulsar implant saw a significant bump in the number of infected Windows PCs over the weekend.

For example, Dan Tentler, CEO of the Phobos Group, suggested that Monday would not be a good day for many people, as his newest scan showed about 25 percent of all vulnerable and publicly exposed SMB machines are infected.

On Sunday, Tentler had scanned 1.17 million hosts and found 33,468 to be infected.

The infection rate had been holding steady at 2.85percentbefore it climbed to 2.91 percent and then 2.95 percent. Tentler explained:

It is important to note that DoublePulsar is like a stealthy malware downloader; infected devices are open for more exploitation, as it can be used to download other malware.

The presence of DoublePulsar doesnt mean theyre infected by the NSA. It means there is a loading dock ready and waiting for whatever malware anyone wants to give it, Tentler told CyberScoop. The chances are none that all these hosts [were hacked by] the NSA. It is effectively trivial to go compromise all these hosts with the flick of a wrist.

Elsewhere, using the detection script developed by Luke Jennings of Countercept, security firm Below0Day tweeted that it had detected 30,626 DoublePulsar implants on April 18. Of those, 11,078 were in the U.S. A few days later, Below0Day had detected an additional 25,960 implants.

On Sunday, Below0Day wrote:

On the afternoon of April 21st, we initiated another masscan to get a new list of hosts with open 445 port. This time around we identified 5,190,506 hosts with port 445 open. We then ran Countercepts detect script and identified 56,586 hosts with DOUBLEPULSAR SMB implant.

The U.S. was still the most infected country, but 14,091 DoublePulsar implants were detected this time. That's up 3,013 from a few short days ago.

It was widely reported on Friday that thousands of Windows machines were infected with DoublePulsar. As it does now, the exact number of affected Windows boxes varied, depending upon which security researcher's numbers you trusted.

Microsoft, which issued patches to mitigate most of the exploits, expressed doubts about the accuracy of the number of real-world infections. However, Microsoft did tell Ars Technica on Friday that people should know that there's growing consensus that from 30,000 to 107,000 Windows machines may be infected by DoublePulsar. Once hijacked, those computers may be open to other attacks.

John Matherly, the creator of Shodan, added detection for DoublePulsar last week.

Matherly told CyberScoop that Shodan had indexed over 2 million IPs running a public SMB service on port 445 that are vulnerable to DoublePulsar. Last Friday, Matherly said more than 100,000 devices could be impacted, with 45,000 confirmed to be infected thus far.

Tiago Henriques, CEO of BinaryEdge, also said the number of devices infected with DoublePulsar is still climbing. The total number of infections on Monday morning, according to BinaryEdge, has increased 76,697 since the Friday. The company showed the total number of infections per day:

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues.

Sponsored Links

Go here to read the rest:
More Windows PCs infected with NSA backdoor DoublePulsar - Network World