Observations from the latest DOUBLEPULSAR scans

Rendition Infosec completed a new scan overnight for DOUBLEPULSAR scans and the number of infections continues to rise, though only slightly.  For liability reasons, Rendition is not performing the vulnerability scan to determine vulnerable hosts.  Rendition only communicates with hosts to determine if DOUBLEPULSAR is present on a machine.  At this time, Rendition is only scanning for the SMB version of the backdoor though others are reporting the installation of an RDP backdoor as well.

According to ArsTechnica, Microsoft has played down the number of infections doubting the accuracy of the scanning results.  Rendition hopes that by publishing our scanning numbers, we can satisfy some skeptics that might dismiss results from independent researchers.  This problem is bad – and it isn’t going away.

Scanning Numbers

As of last night, Rendition found 156,511 machines infected with DOUBLEPULSAR.  A total of 1,794,197 answered requests for SMB interrogation.  

The large majority of the infections are in the US so it is possible that scanning during the US work day will show different results. For the time being, we will continue to run scans overnight in the US hours. Our US based cloud service provider has been very patient with the abuse requests they’ve received so we will continue to honor their requests for off hours scanning.

Rendition discovered 3,812,942 machines on the Internet responding to SYN requests on TCP port 445 (Normally reserved for SMB).  We are interested in why a much smaller number responded to SMB interrogation.  It may be that some machines are Samba or honeypots and because our script only checks for the non-standard SMB commands implemented by DOUBLEPULSAR.  

DOUBLEPULSAR by country

The United States has by far the most infections.  To keep the chart legible, Rendition is only displaying those countries with at least 2000 infected machines in our latest scans.  Rendition used the MaxMind geoiplookup tool for geolocation and according to that data set there are 202 unique country codes with infected machines.  This is curious since there are only 196 countries, but we are less interested in that discrepancy than the global reach of these infections.

Removing the backdoor

Updated tools have been available for a few days allowing the removal of the DOUBLEPULSAR implants remotely by anyone who chooses to do so.  The safety of these tools has not been evaluated.  Based on our own honeypot data, it seems unlikely to make a difference.  A vulnerable host on the Internet would likely be reinfected in under an hour.  

Rendition does not recommend using any published tools to remove DOUBLEPULSAR infections.  The DOUBLEPULSAR malware is a kernel mode implant and any errors in removing/deactivating the implant will cause a BugCheck (Blue Screen of Death).  Due to the vast differences in kernel versions across localizations (base languages) and service packs, it is impossible to fully test the safety of such a mass removal.  When evaluating the denial of service risk caused by a removal, it is important to remember that the removal won’t fix the problem.  Machines will remain vulnerable and will certainly be re-exploited.

Parting thoughts

If you represent an organization concerned that you may have been exploited, contact us and we’ll be happy to help you. If your organization has TCP port 445 (SMB) exposed to the Internet, block this immediately. Even if you have patched, MS 17-010 is certainly not the last SMB 0-day that will be discovered and defense in depth works. If you can’t patch systems (for instance, you still have Windows Server 2003 in production) Rendition can help you secure your network. Likewise, if you would like your internal network scanned for the presence of DOUBLEPULSAR (and other malware) contact Rendition Infosec and we’ll be happy to help you secure your network.