NSA Malware ‘Infects Nearly 200,000 Systems’

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

The NSA’s Doublepulsar attack tool infected nearly 80,000 systems over the past weekend alone, according to worldwide scans

An attack tool developed by the US’ National Security Agency (NSA) and released online earlier this month has already been used to infect nearly 200,000 systems worldwide, with the number rising by nearly 80,000 over the past weekend alone, researchers said.

The Doublepulsar exploit tool had infected 106,410 systems as of Friday, with the figure rising to 183,107 by Monday, said Binary Edge, a Swiss computer security firm.

‘Beautifully designed’

The US was by far the biggest target, with nearly 70,000 infections, followed by Hong Kong with fewer than 10,000.

Binary Edge said it scanned Internet hosts worldwide that had port 445 open – the port used by Doublepulsar – and applied a detection script developed by security company Countercept.

Binary Edge said Doublepulsar is “beautifully designed” and doesn’t require much technical sophistication to use, meaning online criminals have been able to rapidly adopt it since its release on 7 April.

The findings are a particular cause for concern since the security vulnerability exploited by Doublepulsar was patched in the MS17-010 fix released in Microsoft’s March update, a full month before the exploit was made public.

Ease of use

Doublepulsar is the payload delivered by a number of NSA exploitation tools; once it has been installed on a system, it allows an attacker to execute arbitrary code, effectively handing over complete control of that system.

Industry observers compared it to Conficker, a computer worm first detected in 2008 that spread widely and has proven particularly difficult to eradicate.

The difference, however, is how easy Doublepulsar and the other NSA tools are to use: researchers noted that step-by-step walkthroughs on their use have been posted on YouTube.

Doublepulsar and other materials allegedly stolen from the NSA have been published over the past several months by a group calling itself Shadow Brokers.

The most recent release included presentations and other materials suggesting the NSA compromised systems linked to the international SWIFT money transfer system in order to trace transfers linked to criminal or militant groups.