As you have probably heard, a group known as the Shadow Brokers released a large cache of Windows tools and exploits. One of the exploits installs a kernel mode implant known as DOUBLEPULSAR. There have been several good articles written on DOUBLEPULSAR already, so I won’t detail repeat that work here.
Several of the Windows exploits in the Shadow Brokers dump were patched with MS 17-010. The timing of the patch was definitely interesting (as it was patched by Microsoft just before the exploits were released). But the recent timing of the patch means that most haven’t yet applied this patch. It’s convenient to think that everyone patches as soon as a critical patch is released, but that simply isn’t the case (even for vulnerabilities with publicly available proof of concept exploits).
After stories broke that large swaths of the Internet were infected with DOUBLEPULSAR, we were skeptical of the numbers provided by other researchers. To get to ground truth, Rendition started some of our own scans. As of April 23rd, we are seeing that more than 3% of all hosts with TCP port 445 (the vulnerable SMB service port) exposed to the Internet infected.
We don’t (yet) know how many hosts in our scanning pool represent honeypots, but these would almost certainly be in the non-infected pool. We have not yet seen a honeypot responding to DOUBLEPULSAR ping commands, but we do know of a number of honeypots that implement SMB. Honeypot elimination is on our immediate roadmap.
According to published articles, the DOUBLEPULSAR malware is non-persistent, meaning that when the infected machine reboots it will be cleared from memory. After being infected with DOUBLEPULSAR, an attacker would likely install other malware that would persist through a reboot. This means that the number of machines that have been exploited may be less (far less) than the results of a scan at any given time. A machine infected with persistent malware and then rebooted, may then be re-exploited by another attacker. The number of machines responding to DOUBLEPULSAR pings at any given time represents an absolute floow
A few more scanning notes
Some infosec pundits noted that the numbers of infected machines might be over-reported due to issues with the scanning scripts. After performing some of our own analysis (both with custom written and publicly available scripts) Rendition is confident that most of the numbers we’ve seen reported are not inflated and are not the result of problems with the scanning tools.
Our scans are also limited to machines that expose TCP port 445 to the Internet. Although this is more than 5 million machines, it represents a minuscule percentage of vulnerable Windows machines. It is almost certain that there are Windows machines in internal environments that are infected with DOUBLEPULSAR that we cannot scan. Attackers who have accessed a network through a phishing email would be able to exploit unpatched machines at will.
Are you releasing your list of infected machines?
Not at this time. The IP addresses of the machines infected with DOUBLEPULSAR are almost certainly still vulnerable to the SMB vulnerabilities patched in MS 17-010. Releasing our infected IP list would be tantamount to releasing a list of vulnerable hosts. That seems irresponsible and would expose Rendition to liability.
How do I know if I’ve been exploited?
If you represent an organization concerned that you may have been exploited, contact us and we’ll be happy to help you. If your organization has TCP port 445 (SMB) exposed to the Internet, block this immediately. Even if you have patched, MS 17-010 is certainly not the last SMB 0-day that will be discovered and defense in depth works. If you can’t patch systems (for instance, you still have Windows Server 2003 in production) Rendition can help you secure your network. Likewise, if you would like your internal network scanned for the presence of DOUBLEPULSAR (and other malware) contact Rendition Infosec and we’ll be happy to help you secure your network.