10000 Windows computers may be infected by advanced NSA backdoor – Ars Technica

Posted: April 23, 2017 at 12:33 am

A script scanning the Internet for computers infected by DoublePulsar. On the left, a list of IPs Shodan detected having the backdoor installed. On the right are pings used to manually check if a machine is infected.

Security experts believe that tens of thousands of Windows computers may have been infected by a highly advanced National Security Agency backdoor. The NSA backdoor was included in last week's leak by the mysterious group known as Shadow Brokers.

A map of affected countries. (Image: Below0day)

Countries most affected based on IP addresses returned in a scan performed by Below0day. (Image: Below0day)

Partial results of a Below0day scan. (Image: Below0day)

Not everyone is convinced the results are accurate. Even 30,000 infections sounds extremely high for an implant belonging to the NSA, a highly secretive agency that almost always prefers to abort a mission over risking it being detected. Critics speculate that a bug in a widely used detection script is generating false positives. Over the past 24 hours, as additional scans have continued to detect between 30,000 and 60,000 infections, a new theory has emerged: copycat hackers downloaded the DoublePulsar binary released by Shadow Brokers. The copycats then used it to infect unpatched Windows computers.

"People [who] have gotten their hands on the tools just started exploiting hosts on the Internet as fast as they could," Dan Tentler, founder of security consultant Phobos Group, told Ars. "On the part of Shadow Brokers, if their intention was to get mass infections to happen so their NSA zerodays got burned, the best [approach] is to release the tools [just before] the weekend. DoublePulsar is a means to an end."

Tentler is in the process of doing his own scan on the Shodan computer search service that makes use of the DoublePulsar detection script. So far, he has run a manual spot check on roughly 50 IP addresses that were shown to be infected. All of the manual checks detected the hosts as running the NSA backdoor. Once installed, DoublePulsar waits for certain types of data to be sent over port 445. When that data arrives, the implant provides a distinctive response. While security practices almost always dictate the port shouldn't be exposed to the open Internet, Tentler said that advice is routinely overridden.
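An added example, not code from the article or from any of the scanners it mentions, showing the defender-side decision a detection check like this has to make: it parses the SMB1 reply to the Trans2 probe and counts a host as infected only when the reply is well formed and carries the implant's documented multiplex ID. The 0x41 (probe) and 0x51 (implant echo) constants come from public analyses of the detection scripts, not from this article, and every reply below is constructed; a truncated or non-SMB reply is deliberately reported as inconclusive rather than as an infection, which is the false-positive failure mode the article discusses.

```python
import struct

NBT_HDR_LEN = 4                 # NetBIOS session service header
SMB_HDR_LEN = 32                # fixed SMB1 header
SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
PROBE_MID = 0x41                # MID the public detection scripts send (assumption)
IMPLANT_MID = 0x51              # MID DoublePulsar is documented to echo (assumption)


def classify_smb_reply(reply: bytes) -> str:
    """Return 'infected', 'clean' or 'inconclusive' for one raw reply to the probe."""
    if len(reply) < NBT_HDR_LEN + SMB_HDR_LEN:
        return "inconclusive"             # truncated: never count it as an infection
    nbt_len = struct.unpack(">I", reply[:4])[0] & 0x00FFFFFF
    if nbt_len != len(reply) - NBT_HDR_LEN:
        return "inconclusive"             # length field disagrees with what arrived
    hdr = reply[NBT_HDR_LEN:NBT_HDR_LEN + SMB_HDR_LEN]
    if hdr[:4] != SMB_MAGIC or hdr[4] != SMB_COM_TRANSACTION2:
        return "inconclusive"             # not an SMB1 Trans2 reply at all
    if not hdr[9] & 0x80:
        return "inconclusive"             # flags bit 7 clear: not a server reply
    mid = struct.unpack("<H", hdr[30:32])[0]
    if mid == IMPLANT_MID:
        return "infected"
    if mid == PROBE_MID:
        return "clean"                    # a normal server echoes the MID it was sent
    return "inconclusive"


def make_reply(mid: int, command: int = SMB_COM_TRANSACTION2, flags: int = 0x98) -> bytes:
    """Build a constructed minimal SMB1 reply (header + empty Trans2 body) for testing."""
    hdr = SMB_MAGIC + bytes([command]) + b"\x00" * 4 + bytes([flags]) + b"\x00" * 20
    hdr += struct.pack("<H", mid)         # MID sits at offset 30 of the header
    smb = hdr + b"\x00\x00\x00"           # WordCount=0, ByteCount=0
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


# Constructed sample replies: one implant signature, one normal server, one truncated
# packet, one web server answering on 445, one reply to the wrong command.
SAMPLE_REPLIES = [
    make_reply(IMPLANT_MID),
    make_reply(PROBE_MID),
    make_reply(IMPLANT_MID)[:20],
    b"HTTP/1.1 400 Bad Request\r\nServer: constructed\r\n\r\n",
    make_reply(IMPLANT_MID, command=0x72),
]


def tally(replies) -> dict:
    """Count scan results by verdict so only confirmed signatures enter the total."""
    counts = {"infected": 0, "clean": 0, "inconclusive": 0}
    for reply in replies:
        counts[classify_smb_reply(reply)] += 1
    return counts
```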

In a statement issued several hours after this post went live, Microsoft officials wrote: "We doubt the accuracy of the reports and are investigating." For the moment, readers should consider the results of these scans tentative and allow for the possibility that false positives are exaggerating the number of real-world infections. At the same time, people should know that there's growing consensus that from 30,000 to 107,000 Windows machines may be infected by DoublePulsar. Once hijacked, those computers may be open to other attacks.

Post updated to add Microsoft comment.
