  • DoublePulsar infections picking up steam

      • #110567 Reply
        woody
        Da Boss

        If you don’t have MS17-010 installed, better get off your duff.

        Good point from Michael Horowitz:

        99.99% of the time ShieldsUP does not scan the computer it is run from, it scans the router the computer is connected to. Also, if the computer is using a VPN, it scans the VPN server rather than the router or the computer.

        What you wrote is true, but it’s not the whole story. That is, while a PC is connected to the router that was scanned, it is safe. But, if and when it connects to the Internet through another router, it may not be safe.

        [See the full post at: DoublePulsar infections picking up steam]

        1 user thanked author for this post.
      • #110584 Reply
        thymej
        AskWoody Lounger

        Not that I have any PCs that have SMB seen on the internet (I’m 100% silent at ShieldsUp), but is there a simple test (or manual test) to see if you’ve been infected with DoublePulsar?

        • #110590 Reply
          anonymous
          Guest

          I wouldn’t exactly call it simple, but I already had python27 loaded. So using the script on Github was simple.

          Shadow Brokers and what the leaks mean to Windows users

          & Post 109003

          Read more about the GitHub script: using the Raw view, copy/paste into Notepad++ and save to your c:\python27\scripts

          Get the python-2.7.10 and VCForPython27 installs here: NordVPN site. Steps 3 and 4 after you unzip the package.

          You’ll look at the examples on Countercept’s Git and enter the command against an ip on your lan that has Samba running.

          For example:
          Some routers have USB 2 / 3 that have Samba servers, OpenWRT has packages that run Samba in Chaos Calmer etc.

          A tool to verify that SMB1 and SMB2/SMB3 are actually off in your Windows environment:
          You do not have to restart the computer after you run the Set-SMBServerConfiguration cmdlet.

          To obtain the current state of the SMB server protocol configuration, run the following cmdlet:
          Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol

          To disable SMBv1 on the SMB server, run the following cmdlet:
          Set-SmbServerConfiguration -EnableSMB1Protocol $false

          To disable SMBv2 and SMBv3 on the SMB server, run the following cmdlet:
          Set-SmbServerConfiguration -EnableSMB2Protocol $false

          To enable SMBv1 on the SMB server, run the following cmdlet:
          Set-SmbServerConfiguration -EnableSMB1Protocol $true
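Added example, not the poster’s script and not code from the thread: a read-only audit of the three things the post above and the MS17-010 note at the top turn on, namely the SMB1 server state, whether the KB4012215 rollup named later in this thread is installed, and whether anything is listening on TCP 139/445. It assumes an elevated PowerShell prompt, and on Windows 7 (where Get-SmbServerConfiguration does not exist) it reads the LanmanServer SMB1 registry value instead.

```powershell
# Added example: audit SMB1 state, MS17-010 rollup presence and SMB listeners.
# Assumptions: elevated prompt; KB4012215 is the Windows 7 SP1 / Server 2008 R2
# March 2017 rollup named in this thread. Runs on PowerShell 2.0 and later.

$report = @()

# 1. SMB1 server state. Get-SmbServerConfiguration exists on Windows 8 / 2012 and
#    later only; on Windows 7 the same switch is the LanmanServer\Parameters\SMB1 DWORD.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    # No value means the default, which is enabled, on these older releases.
    $smb1 = ($val -eq $null) -or ($val -ne 0)
}
$report += New-Object PSObject -Property @{ Check = 'SMB1 server enabled'; Result = $smb1; Wanted = $false }

# 2. Is the March 2017 rollup present? Later monthly rollups are cumulative and also
#    carry the fix, so "missing" here means "check Update history", not "unpatched".
$hotfix = Get-HotFix -Id KB4012215 -ErrorAction SilentlyContinue
$report += New-Object PSObject -Property @{ Check = 'KB4012215 installed'; Result = [bool]$hotfix; Wanted = $true }

# 3. Is anything listening on the SMB ports? .NET is used so this works without the
#    NetTCPIP module (Get-NetTCPConnection is Windows 8 and later only).
$ipProps  = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$smbPorts = $ipProps.GetActiveTcpListeners() | Where-Object { 139, 445 -contains $_.Port }
$report += New-Object PSObject -Property @{ Check = 'TCP 139/445 listening'; Result = [bool]$smbPorts; Wanted = $false }

# Print each check, flagging anything that differs from the wanted state.
$report | ForEach-Object {
    $flag = if ($_.Result -eq $_.Wanted) { 'OK  ' } else { 'WARN' }
    '{0} {1,-24} {2}' -f $flag, $_.Check, $_.Result
}
```

A WARN on the listener check is expected on a PC that shares files on the LAN; what matters is that the router keeps 139/445 closed from the WAN side, which is what the ShieldsUP result in this thread reflects.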

        • #110603 Reply
          thymej
          AskWoody Lounger

          So if I read the GitHub write-up correctly (not that I have read it in complete detail yet) you can only test for infection by looking at your network traffic? There is no way of verifying the OS files and/or registry yet for infection?

      • #110595 Reply
        anonymous
        Guest

        How can one correct the “ping reply” test shown on the article?

        1 user thanked author for this post.
        • #110608 Reply
          MrBrian
          AskWoody_MVP

          If you have a router, there may be a relevant setting in there.

          • #110622 Reply
            anonymous
            Guest

            I do have a router, and all the systems behind it came up with the same results, “stealth” both on 445 and 139, and failed on the “ping reply” test…

            What should I look into exactly? I have searched a bit around and found nothing… I’m using a TPLink router by the way…

            • #110636 Reply
              MrBrian
              AskWoody_MVP

              I have a TP-Link router also. On mine the relevant setting is “Ignore Ping Packet From WAN Port” which I changed from unchecked to checked.

              • #110639 Reply
                anonymous
                Guest

                Thanks a lot mate!

                Do you know if checking it may affect anything or cause any side effects? In gaming maybe?

              • #110649 Reply
                satrow
                AskWoody MVP

                Nothing noticed here, including with gaming, on my TP-Link.

                BTW, it’s best to turn off Remote Management, TR069, as well – unless, of course, you use it.

              • #110670 Reply
                anonymous
                Guest

                I’ll be running a couple tests here because I’m worried it could break something…

                Remote management is already off… This is a big one really, most people don’t even look up in what setting is it in…

                I noticed yesterday that my router had a port opened in UPnP for Teredo… Why is that?

              • #110677 Reply
                anonymous
                Guest

                @anonymous #110670

                From one of Noel Carboni’s posts, Teredo is one of the allowed incoming rules in Windows Firewall, ie “Edge traversal Teredo Authorization Sublayer / Teredo socket option opt out block filter”.
                For further info, please refer to:
                https://serverfault.com/questions/89824/windows-advanced-firewall-what-does-edge-traversal-mean
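Added example, not from the post above or from Noel Carboni: a read-only check that shows the local Teredo state and lists the enabled inbound allow rules whose edge traversal setting is anything other than No, which is what lets traffic arriving through a Teredo tunnel reach a listener behind the router. It assumes an elevated prompt and parses the English netsh output as printed on Windows 7 through Windows 10.

```powershell
# Added example: report Teredo state and inbound firewall rules allowing edge traversal.
# Assumptions: elevated prompt; English-locale netsh output (field names are matched as text).

# Teredo client state as reported by the system ("offline", "qualified", "disabled", ...).
$teredo = netsh interface teredo show state
$state  = $teredo | Select-String -Pattern '^\s*State\s*:\s*(.+)$' |
          ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }
"Teredo state: $state"

# Walk the rule listing once, collecting each rule's "Field: value" lines into a hashtable
# until the next "Rule Name:" line starts a new rule.
$rules   = @()
$current = $null
netsh advfirewall firewall show rule name=all | ForEach-Object {
    if ($_ -match '^Rule Name:\s*(.+)$') {
        if ($current) { $rules += $current }
        $current = @{ Name = $Matches[1].Trim() }
    } elseif ($current -and $_ -match '^([A-Za-z ]+):\s*(.+)$') {
        $current[$Matches[1].Trim()] = $Matches[2].Trim()
    }
}
if ($current) { $rules += $current }

# Enabled inbound allow rules that do not refuse edge traversal (Yes, Defer to user, Defer to app).
$edge = @($rules | Where-Object {
    $_['Enabled'] -eq 'Yes' -and $_['Direction'] -eq 'In' -and
    $_['Action']  -eq 'Allow' -and $_['Edge traversal'] -ne 'No'
})
"Inbound allow rules with edge traversal not set to No: $($edge.Count)"
$edge | ForEach-Object { '{0,-45} {1,-8} {2}' -f $_['Name'], $_['Protocol'], $_['Edge traversal'] }
```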

              • #110690 Reply
                anonymous
                Guest

                Continuing from above, please refer to Noel Carboni’s post at …

                A Description of My Quite Effective Security Environment (Long)

      • #110598 Reply
        anonymous
        Guest

        ? says:

        I had to “stealth” my router’s IPV4 firewall. I found a switch in advanced settings. I finally passed Steve Gibson’s ShieldsUp after years of trying to close the ICMP Echo Request on XP, Vista and Windows 7. I had tried closing everything per machine to no avail, then after the turmoil caused by the revelations on SMB last week I took another stab at it and found out that changing the setting in the router closed that door. Thank heavens? I’m sure there are many other ways an expert can walk around anyone’s network…

        • #110631 Reply
          Noel Carboni
          AskWoody_MVP

          I’m sure there are many other ways an expert can walk around anyone’s network…

          Not really, no, not without getting your (or your computer’s) help (e.g., by sending you an email with malware in it and getting you to inadvertently install it, or running software as part of an ad that you haven’t blocked). Or physically coming to your location and finding vulnerabilities in your wifi. Or breaking into your house and plugging in to your Ethernet.

          If the bad guys can’t connect to anything in your network remotely, not even your router, it’s pretty much impossible for them to initiate anything that way.

          All too many home routers come configured with an ability to manage them remotely, and all too many users either don’t know that or don’t have the wherewithal to change the password.

          -Noel

          • #110650 Reply
            anonymous
            Guest

            ? says:

            Thanks for your insight Noel,

            The malware problems I’ve had in the past seem to have jumped aboard through Flash on a poisoned page. I was always able to freeze and examine the injected offenders through Process Explorer and then dismiss them. I closed all my incoming email long ago after getting daily attack come-ons from everywhere ’round the globe (except Yahoo, which has stayed viable despite all the recent security giveaways). No drive-by aircrackers (except maybe Google Maps people) nor thankfully any untoward break-in Ethernet snatchers or trick thumbdrives.

            The ICMP echo request/ping problem was vexing until I finally found the IPV4 Firewall Stealth Mode switch on the DSL gateway. I played with all the Windows settings for years and still failed the GRC ShieldsUP! test until I stealth-ed the firewall the other day. So, hurray for small victories!

            1 user thanked author for this post.
            • #110676 Reply
              Noel Carboni
              AskWoody_MVP

              Knowing I had reconfigured my Cisco router not to respond to PING a long time ago, and remembering that it was not as straightforward as finding a “don’t respond to PING” setting, I went back and looked. Sure enough, I (re)discovered that it’s buried in a setting called “Filter Anonymous Internet Requests” in the Security > Firewall section.

              By the way, I’ve had a pretty good experience with blacklisting known badware sites + reconfiguring my browser NOT to run active content from other than my Trusted Sites zone (among a few other things).

              More about what I have set up is documented here:

              A Description of My Quite Effective Security Environment (Long)

              -Noel

              1 user thanked author for this post.
      • #110610 Reply
        KarenS
        AskWoody Lounger

        I had KB 4012215 installed but was advised to uninstall it during my issues (which still continue) with MSE giving a false positive scan. Does anyone have a safe link to install it again for Windows 7 64 bit?

        • #110614 Reply
          Kirsty
          Da Boss

          The link to your Group A March 2017 Security Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1 can be found here:
          http://catalog.update.microsoft.com/v7/site/search.aspx?q=4012215

          Click on the relevant version to download in the update catalog.

          1 user thanked author for this post.
          • #110616 Reply
            KarenS
            AskWoody Lounger

            Thanks for your quick reply Kirsty… just to be sure, is the one I click on the second one from the bottom?

            • #110618 Reply
              Kirsty
              Da Boss

              Yes, as it currently shows when I viewed it, you should click Download (far right) on the second to last row, being Windows 7 x64 (64-bit). 🙂

              1 user thanked author for this post.
              • #110619 Reply
                KarenS
                AskWoody Lounger

                Does installing the KB that way work the same way as if I installed it through the WU?

                Not sure what to do after clicking on the install button because I have only ever done updates through the WU service every month.

              • #110620 Reply
                PKCano
                Da Boss

                To install the patch manually:
                Control panel\Administrative Tools\Services
                Scroll down to Windows Update Service and highlight it.
                On the top left click on “Stop” to stop the service
                Double click the patch, give it permission to install, then reboot when asked.

                1 user thanked author for this post.
              • #110630 Reply
                KarenS
                AskWoody Lounger

                I couldn’t find out how to turn off the WU service your way so I did it through the Task Manager. When I installed the update and then rebooted, my Microsoft Security Essentials program did not open in the task bar and I wasn’t sure how to get it to show up again. According to the Task Manager it was running but I couldn’t see the icon. I had to uninstall and reinstall the program before it would show up in the task bar again. Hopefully it will now open when I reboot again.

              • #110632 Reply
                PKCano
                Da Boss

                “Stop” is a link (usually blue) on the left side at the top of Services
                [Screenshot attached: the Services window with the “Stop” link]
                1 user thanked author for this post.
              • #110645 Reply
                KarenS
                AskWoody Lounger

                That is exactly what I used, I just went through the Task Manager to get at it. 🙂

              • #110641 Reply
                Noel Carboni
                AskWoody_MVP

                Or you can right-click on the Service and choose Properties to see all you can do with it. In my case I leave it Stopped and Disabled until such time as I want to initiate an update check.

                [Screenshots attached: the Service Properties dialog]

                -Noel
                1 user thanked author for this post.
      • #110657 Reply
        anonymous
        Guest

        FYI, my Linux Mint 17.3 system passed GRC’s Instant UPnP Exposure Test and Specified Custom Port 445 Probe Test (= Stealth).

        My home router has its default Admin password changed and Remote Management disabled. My Linux system has the gufw firewall installed.

        • #110662 Reply
          anonymous
          Guest

          Continuing from above, …

          my Win 7 system is showing the same results for the GRC/ShieldsUP test, ie pass or Stealth. I have a Dual-boot set-up.

          My Win 7 is in Group W and not patched with the March 2017 update. Windows Firewall is On and Remote Assistance & Desktop are Off.
          I normally and usually connect to the Internet with my Limited/Standard User Account and not with my Admin Account, ie my Admin Account is usually only used for installing programs and updates, and making configuration changes.

          Hackers are usually not interested in ordinary folks like me, ie a non-value target. Who did the NSA target with Eternalblue in 2011-2013, eg by first scanning for vulnerable computer systems?
          Anyway, if I do get the Double Pulsar/Eternalblue, I believe I can completely recover by just doing a clean reinstall of Win 7.

      • #114824 Reply
        anonymous
        Guest

        For Win 10, build 1511, I believe you have a typo. Shouldn’t it be 10586.839 or higher, rather than 105867.839?

