Number of Windows PCs infected with NSA backdoor DoublePulsar continues to rise

The number of Windows computers infected with NSA backdoor malware is continuing to rise since the Shadow Brokers leaked the hacking tools on April 14.

DoublePulsar infection rate climbing

Two different sets of researchers scanning for the DoublePulsar implant saw a significant bump in the number of infected Windows PCs over the weekend.

For example, Dan Tentler, CEO of the Phobos Group, suggested that Monday would not be a good day for many people as his newest scan showed about 25% of all vulnerable and publicly exposed SMB machines are infected.

On Sunday, Tentler had scanned 1.17 million hosts and found 33,468 to be infected.

The infection rate had been holding steady at 2.85% before it climbed to 2.91% and then 2.95%. Tentler explained:

It is important to note that DoublePulsar is like a stealthy malware downloader; infected devices are open for more exploitation as it can be used to download other malware.

“The presence of DoublePulsar doesn’t mean they’re infected by the NSA, it means there is a loading dock ready and waiting for whatever malware anyone wants to give it,” Tentler told CyberScoop. “The chances are none that all these hosts [were hacked by] the NSA. It is effectively trivial to go compromise all these hosts with the flick of a wrist.”

Elsewhere, using the detection script developed by Luke Jennings of Countercept, security firm Below0Day tweeted that it had detected 30,626 DoublePulsar implants on April 18. Of those, 11,078 were in the US; a few days later, Below0Day had detected an additional 25,960 implants.

On Sunday, Below0Day wrote:

On the afternoon of April 21st, we initiated another masscan to get a new list of hosts with open 445 port. This time around we identified 5,190,506 hosts with port 445 open. We then ran Countercept’s detect script, and identified 56,586 hosts with DOUBLEPULSAR SMB implant.

The US was still the most infected country, but 14,091 DoublePulsar implants were detected this time; that’s up 3,013 from a few short days ago.

Microsoft’s viewpoint of DoublePulsar infection numbers

It was widely reported on Friday that thousands of Windows machines were infected with DoublePulsar. As it does now, the exact number of affected Windows boxes varied, depending upon which security researchers’ numbers you trusted.

Microsoft, which issued patches to mitigate most of the exploits, expressed doubts about the accuracy of the number of real-world infections. However, Microsoft did tell Ars Technica on Friday that “people should know that there’s growing consensus that from 30,000 to 107,000 Windows machines may be infected by DoublePulsar. Once hijacked, those computers may be open to other attacks.”

Shodan shows more than 100,000 devices which could be infected

John Matherly, the creator of Shodan, added detection for DoublePulsar last week.

Matherly told CyberScoop that Shodan had indexed over two million IPs running a public SMB service on port 445 which are vulnerable to DoublePulsar. Last Friday, Matherly said more than 100,000 devices could be impacted, with 45,000 confirmed to be infected thus far.

DoublePulsar infections up by nearly 77,000 since Friday

Tiago Henriques, CEO of BinaryEdge, also said the number of devices infected with DoublePulsar is still climbing. The total number of infections on Monday morning, according to BinaryEdge, has increased 76,697 since the Friday. The company showed the total number of infections per day:

  • 106,410 – 21/04/2017
  • 116,074 – 22/04/2017
  • 164,715 – 23/04/2017
  • 183,107 – 24/04/2017
Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Uncategorized

Leave a Reply