Newsletter Archives

• More on DoublePulsar

  Posted on April 25, 2017 at 16:51 CDT by woody • Comment in the Forums

  Curiouser and curiouser…

  Dan Goodin on Ars Technica:

  On Tuesday, security firm Countercept released an update to the DoublePulsar detection script it published last week. It now allows people anywhere on the Internet to remotely uninstall the implant from any infected machine…  amid the radio silence Microsoft is maintaining, the tool will no doubt prove useful to admins responsible for large fleets of aging computers.

  Windows Patches/Security DoublePulsar

• DoublePulsar infections picking up steam

  Posted on April 24, 2017 at 11:50 CDT by woody • Comment in the Forums

  If you don’t have last month’s MS17-010 installed, better get off your duff.

  InfoWorld Woody on Windows

  Good point from Michael Horowitz:

  99.99% of the time ShieldsUP does not scan the computer it is run from, it scans the router the computer is connected to. Also, if the computer is using a VPN, it scans the VPN server rather than the router or the computer.

  What you wrote is true, but its not the whole story. That is, while a PC is connected to the router that was scanned, it is safe. But, if and when it connects to the Internet through another router, it may not be safe.

  Windows Patches/Security DoublePulsar, EternalBlue, MS17-010, Shadow Brokers

• Time to get off the Group W bench – at least for a few minutes

  Posted on April 23, 2017 at 07:44 CDT by woody • Comment in the Forums

  UPDATE: Technical details have been posted by zero sum at the @zerosum0x0 blog. Bottom line, “Many of the vulnerabilities that are exploited were fixed in MS17-010, perhaps the most critical Windows patch in almost a decade.”

  UPDATE: Catalin Cimpanu, BleepingComputer: “Over 36,000 Computers Infected with NSA’s DoublePulsar Malware” and “5.5 million computers haven’t installed patches Microsoft made available for the SMB flaws exploited by the NSA tools, they are vulnerable to exploits.”

  UPDATE (Sunday morning, Central time): tweet from Below0Day: 56,586 DoublePulsar infections detected.

  

  If you haven’t yet installed March patches for Windows, listen up.

  One of those leaked NSA exploits, EternalBlue, has been pulled out of the Shadow Brokers steaming pile of malware and used to install a backdoor called DoublePulsar. Dan Goodin at Ars Technica says that:

  there’s growing consensus that from 30,000 to 107,000 Windows machines may be infected by DoublePulsar. Once hijacked, those computers may be open to other attacks.

  EternalBlue can attack any machine with the Windows “SMB” service accessible to the internet. Our tax dollars at work.

  Rik van Duinj at dearBytes has published step-by-step instructions for locating exposed SMB services, running EternalBlue, using it to install DoublePulsar, and then using DoublePulsar to run just about anything. It’s pretty straightforward.

  Yesterday Iain Thomson posted a delightful expose in The Register:

  DOUBLEPULSAR, being a nation-state-grade backdoor, is extremely stealthy and unlikely to be discovered on a hacked box unless whichever miscreant is using it gets clumsy.

  Amazon’s AWS and Microsoft’s Azure showed up on the top 100 most-infected domains as you’d expect as large hosts of customer virtual machines. Then there are systems at big names such as Ricoh in India, various universities, and machines on Comcast connections.

  Moral of the story: If you haven’t yet installed March’s MS17-010, better pull your machine out of the mothballs and get it patched. If it’s connected to the internet, it’s exposed.

  It looks like I’ll be changing the MS-DEFCON level in the next few days, to take the sting out of some other exposed problems, but for now, if you haven’t installed the March updates, better get to it.

  Not sure if you’re caught up? Here’s how to check.

  For Win10: In the Cortana search box, type winver.

  • If you have version 1703, you’re fine.
  • If you have version 1607, you need to be on Build 14393.953 or later. (Note that the documentation in the KB article is wrong.)
  • If you have version 1511, you need to be on Build 105867.839 or later.
  • If you have Build 10240 (commonly called “version 1507” but Microsoft didn’t figure out the naming until later), you need to be on Build 10240.17319 or later.

  In all cases, for Win10, if you aren’t up to those build numbers, you need to install the latest cumulative update. Follow my instructions to get your build number up to snuff, but don’t be tempted to install anything else at this point.

  For Win7: Right-click Start > Control Panel > Windows Update > View installed updates. You should have one of these listed:

  • KB 4012212 the Security-Only “Group B” patch, or
  • KB 4012215 the March Monthly Rollup “Group A” patch, or
  • KB 4015549 the April Monthly Rollup

  If you don’t have any of those listed, at a very minimum, you should download and install KB 4012212. Don’t worry about Group A or Group B at this point. Installing KB 4012212 will protect you without committing your system to either Group A or Group B. There’s a full description at @PKCano’s AKB 2000003, but if you only want the download links, look at this line:

  Mar 2017 KB 4012212 – Download 32-bit or 64-bit

  Similarly, for Win 8.1, look for these installed updates:

  • KB 4012213 the Security-Only “Group B” patch, or
  • KB 4012216 the March Monthly Rollup “Group A” patch, or
  • KB 4015550 the April Monthly Rollup

  If you don’t have any of those, look at @PKCano’s list:

  Mar 2017 KB 4012213 – Download 32-bit or 64-bit

  That’s what you need to do right now, to protect yourself from the NSA’s swirling spitstorm.

  Windows Patches/Security DoublePulsar, EternalBlue, Shadow Brokers