• More on DoublePulsar

    Home » Forums » Newsletter and Homepage topics » More on DoublePulsar

    Tags:

    Author
    Topic
    woody
    Manager
    April 25, 2017 at 4:51 pm #110934

    Curiouser and curiouser… Dan Goodin on Ars Technica: On Tuesday, security firm Countercept released an update to the DoublePulsar detection script i
    [See the full post at: More on DoublePulsar]

    6 users thanked author for this post.
    Elly, BobbyB, HiFlyer, Pepsiboy, Kirsty
    Reply | Quote
    Viewing 2 reply threads
    Author
    Replies
    • Pepsiboy
      AskWoody Lounger
      April 25, 2017 at 8:20 pm #111004

      MS & NSA??? Not as strange bedfellows as folks might think.

      Dave

      3 users thanked author for this post.
      BobbyB, HiFlyer
      Reply | Quote
      • Sessh
        AskWoody Lounger
        April 26, 2017 at 4:44 pm #111292

        I found this article one year ago to be enlightening. Just another reason you can’t rely on Microsoft for security; you have to learn to take matters into your own hands to some degree. Security failings are deliberately introduced into their software. In the case of Win10, it’s front doors and back doors. They don’t care about security. Anyway, I digress.

        1 user thanked author for this post.
        Reply | Quote
        • anonymous
          Guest
          April 26, 2017 at 11:41 pm #111349

          @ Sessh

          Yes, agree.

          NSA backdoors and frontdoors in Win 10 is likely being backported to Win 7/8.1 through hidden updates of Windows Update. This is one of the main reasons for being in Group C or W.

          1 user thanked author for this post.
          Reply | Quote
        • ch100
          AskWoody_MVP
          April 27, 2017 at 8:41 pm #111533

          Security failings are deliberately introduced into their software. In the case of Win10, it’s front doors and back doors. They don’t care about security.

          This is spam and if you were significant for Microsoft, you could be sued by them.
          You are probably lucky for not being significant enough for Microsoft.

          1 user thanked author for this post.
          Reply | Quote
          • Sessh
            AskWoody Lounger
            April 27, 2017 at 9:31 pm #111546

            Actually, they’d want to sue the website I linked to and while they’re at it, they can sue this site and this site for reporting on this in 1999. Microsoft has intentionally built NSA back doors into Windows since the late 90’s. While they’re at it, they can also sue this site that shows Microsoft still works with the NSA in this way by giving them back door access to Skype and Hotmail and helping them to circumvent MS’s own encryption. As a matter of fact, Microsoft were the first ones on board with the NSA Prism program in 2007. I’m not in line to be sued, but even if I was, there’s a line miles long ahead of me.

            3 users thanked author for this post.
            HiFlyer, Elly
            Reply | Quote
    • MrBrian
      AskWoody_MVP
      April 26, 2017 at 10:33 am #111170

      From http://blog.binaryedge.io/2017/04/21/doublepulsar/:

      “Total number of infections:

      106,410 – 21/04/2017
      116,074 – 22/04/2017
      164,715 – 23/04/2017
      183,107 – 24/04/2017
      243,894 – 25/07/2017”

      3 users thanked author for this post.
      Elly, Kirsty
      Reply | Quote
      • anonymous
        Guest
        April 26, 2017 at 4:23 pm #111282

        There is a link on that blog that leads to a IP testing… Which came negative here… But if it came positive, what should one do?

         

        If it is a non-persistent malware, after a reboot should the result come clean?

        1 user thanked author for this post.
        Reply | Quote
        • MrBrian
          AskWoody_MVP
          April 26, 2017 at 5:10 pm #111302

          In that case, I think one should reboot to get rid of the backdoor, but unfortunately it may already have been used to load other malware onto the computer.

          1 user thanked author for this post.
          Reply | Quote
          • anonymous
            Guest
            April 26, 2017 at 6:19 pm #111308

            Other malware which probably wouldn’t be fileless as DoublePulsar itself, I guess… And hopefully, other malware that is traceable to the correct scanning tools, is this somewhat correct logic or I’m taking it as something too simple?

            Also MrBrian, do you think systems with port 445 flagged as “stealth” or “closed” could be considered “safe” against DoublePulsar from internet side (as long as internal network communication with other devices is not taken into account)?

            Thanks again for the help MrBrian… Not the first time I’ve thanked you and for sure won’t be the last!

            1 user thanked author for this post.
            Reply | Quote
            • MrBrian
              AskWoody_MVP
              April 26, 2017 at 7:03 pm #111317

              I think you’re right, and yes, respectively. You’re welcome :).

              1 user thanked author for this post.
              Reply | Quote
            • TJ
              AskWoody Plus
              April 30, 2017 at 4:18 am #111954

              For those who missed it:

              Woody provided a link to an online Port 445 scanning tool in InfoWorld’s article ‘More Shadow Brokers fallout: DoublePulsar zero-day infects scores of Windows PCs’
              Chances are good that your local machine isn’t susceptible to getting infected directly from the internet, but it may be open to infections from other machines on your local network. If you want to see whether your tail is hanging out in the cloud, run Steve Gibson’s venerable ShieldsUP! ScannerType 445 in the Input box, then click User Specified Custom Port Probe. If the scan comes up Stealth or Closed, you’re not vulnerable to being infected directly from the internet.”

              LMDE is my daily driver now. Old friend Win10 keeps spinning in the background
              1 user thanked author for this post.
              Reply | Quote
      • MrBrian
        AskWoody_MVP
        April 26, 2017 at 5:11 pm #111303

        “344,881 – 26/04/2017”

        1 user thanked author for this post.
        Reply | Quote
      • MrBrian
        AskWoody_MVP
        April 27, 2017 at 7:20 pm #111518

        “428,827 – 27/04/2017”

        2 users thanked author for this post.
        HiFlyer
        Reply | Quote
        • woody
          Manager
          April 27, 2017 at 7:40 pm #111520

          I see that some folks are comparing it to Conficker.

          Wow.

          2 users thanked author for this post.
          HiFlyer
          Reply | Quote
    • Noel Carboni
      AskWoody_MVP
      April 26, 2017 at 7:05 pm #111318

      For all the discussion, all I’ve learned so far is that it doesn’t change any files on the disk; it just runs in RAM.

      So how does one detect it running in RAM? Is there an extra process running that’s not normally there? Does it piggyback in a svchost.exe? Patch the kernel in RAM so that it works differently? Why isn’t this information out there?

      -Noel

      2 users thanked author for this post.
      ch100
      Reply | Quote
    Viewing 2 reply threads
    Reply To: More on DoublePulsar

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.

    Your information:




DON'T MISS OUT!
Subscribe to the Free Newsletter
We promise not to spam you. Unsubscribe at any time.
Invalid email address

View the Forum

  • Recent Replies
  • My Replies
  • My Active Topics
  • New Posts in the Last day
  • Private Messages
  • Knowledge Base
  • How to use the Forums
  • All Forums

    • Recent Topics

    My Profile

    June 2025
    S M T W T F S
    1234567
    891011121314
    15161718192021
    22232425262728
    2930  

    Remembering Woody

     

    Want to Advertise in the free newsletter? How about a gift subscription in honor of a birthday? Send an email to sb@askwoody.com to ask how.

    Mastodon profile for DefConPatch
    Mastodon profile for AskWoody

     

    Home About FAQ Posts & Privacy Forums My Account
    Register Free Newsletter Plus Membership Gift Certificates MS-DEFCON Alerts

    Copyright ©2004-2025 by AskWoody Tech LLC. All Rights Reserved.