More on DoublePulsar

Topic

New Reply

Curiouser and curiouser… Dan Goodin on Ars Technica: On Tuesday, security firm Countercept released an update to the DoublePulsar detection script i
[See the full post at: More on DoublePulsar]

6 users thanked author for this post.

Elly, BobbyB, HiFlyer, Pepsiboy, Kirsty

Reply | Quote

Replies

MS & NSA??? Not as strange bedfellows as folks might think.

Dave

3 users thanked author for this post.

BobbyB, HiFlyer

Reply | Quote

I found this article one year ago to be enlightening. Just another reason you can’t rely on Microsoft for security; you have to learn to take matters into your own hands to some degree. Security failings are deliberately introduced into their software. In the case of Win10, it’s front doors and back doors. They don’t care about security. Anyway, I digress.

1 user thanked author for this post.

Reply | Quote

@ Sessh

Yes, agree.

NSA backdoors and frontdoors in Win 10 is likely being backported to Win 7/8.1 through hidden updates of Windows Update. This is one of the main reasons for being in Group C or W.

1 user thanked author for this post.

Reply | Quote

Security failings are deliberately introduced into their software. In the case of Win10, it’s front doors and back doors. They don’t care about security.

This is spam and if you were significant for Microsoft, you could be sued by them.
You are probably lucky for not being significant enough for Microsoft.

1 user thanked author for this post.

Reply | Quote

Actually, they’d want to sue the website I linked to and while they’re at it, they can sue this site and this site for reporting on this in 1999. Microsoft has intentionally built NSA back doors into Windows since the late 90’s. While they’re at it, they can also sue this site that shows Microsoft still works with the NSA in this way by giving them back door access to Skype and Hotmail and helping them to circumvent MS’s own encryption. As a matter of fact, Microsoft were the first ones on board with the NSA Prism program in 2007. I’m not in line to be sued, but even if I was, there’s a line miles long ahead of me.

3 users thanked author for this post.

HiFlyer, Elly

Reply | Quote

From http://blog.binaryedge.io/2017/04/21/doublepulsar/:

“Total number of infections:

106,410 – 21/04/2017
116,074 – 22/04/2017
164,715 – 23/04/2017
183,107 – 24/04/2017
243,894 – 25/07/2017”

3 users thanked author for this post.

Elly, Kirsty

Reply | Quote

There is a link on that blog that leads to a IP testing… Which came negative here… But if it came positive, what should one do?

 

If it is a non-persistent malware, after a reboot should the result come clean?

1 user thanked author for this post.

Reply | Quote

In that case, I think one should reboot to get rid of the backdoor, but unfortunately it may already have been used to load other malware onto the computer.

1 user thanked author for this post.

Reply | Quote

Other malware which probably wouldn’t be fileless as DoublePulsar itself, I guess… And hopefully, other malware that is traceable to the correct scanning tools, is this somewhat correct logic or I’m taking it as something too simple?

Also MrBrian, do you think systems with port 445 flagged as “stealth” or “closed” could be considered “safe” against DoublePulsar from internet side (as long as internal network communication with other devices is not taken into account)?

Thanks again for the help MrBrian… Not the first time I’ve thanked you and for sure won’t be the last!

1 user thanked author for this post.

Reply | Quote

I think you’re right, and yes, respectively. You’re welcome :).

1 user thanked author for this post.

Reply | Quote

For those who missed it:

Woody provided a link to an online Port 445 scanning tool in InfoWorld’s article ‘More Shadow Brokers fallout: DoublePulsar zero-day infects scores of Windows PCs’
“Chances are good that your local machine isn’t susceptible to getting infected directly from the internet, but it may be open to infections from other machines on your local network. If you want to see whether your tail is hanging out in the cloud, run Steve Gibson’s venerable ShieldsUP! Scanner.  Type 445 in the Input box, then click User Specified Custom Port Probe. If the scan comes up Stealth or Closed, you’re not vulnerable to being infected directly from the internet.”

1 user thanked author for this post.

Reply | Quote

“344,881 – 26/04/2017”

1 user thanked author for this post.

Reply | Quote

“428,827 – 27/04/2017”

2 users thanked author for this post.

HiFlyer

Reply | Quote

I see that some folks are comparing it to Conficker.

Wow.

2 users thanked author for this post.

HiFlyer

Reply | Quote

For all the discussion, all I’ve learned so far is that it doesn’t change any files on the disk; it just runs in RAM.

So how does one detect it running in RAM? Is there an extra process running that’s not normally there? Does it piggyback in a svchost.exe? Patch the kernel in RAM so that it works differently? Why isn’t this information out there?

-Noel

2 users thanked author for this post.

ch100

Reply | Quote

I’m not sure if these two analyses (which have been posted at this site before) are helpful:

https://countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/

https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html

5 users thanked author for this post.

HiFlyer, Elly, ch100, Noel Carboni

Reply | Quote

Thanks. Exactly the kind of info I was looking for, and somehow missed before.

-Noel

2 users thanked author for this post.

MrBrian

Reply | Quote

From https://twitter.com/GossiTheDog/status/856631418167971841:

“DoublePulsar is purely a kernel level remote backdoor. It has no payload. You use it to own, then load payload later.”

2 users thanked author for this post.

ch100

Reply | Quote