NSA Malware DoublePulsar: How To Test If Your Computer Has Been Infected
In the wake of the reveal of a number of hacking tools believed to have been developed and used by the U.S. National Security Agency, a security researcher has created a tool that will let you know if your device has been compromised by the government agency’s malware.
Security researcher Luke Jennings of the security firm Countercept wrote a script, which he has made available to download on GitHub, that is capable of detecting if a Windows device has fallen victim to an NSA attack.
The script, which requires a bit of programming know-how to run, is capable of sniffing out DoublePulsar, an implant believed to have been developed by the NSA to infect Windows devices and allow the agency to silently download malware and execute malicious code.
A number of security researchers have run Jennings’ script to find public-facing computers that have been hit by the NSA malware. While the numbers vary, occasionally to extreme degrees, most have found that more than 10,000 machines have been infected.
A test run by security firm BinaryEdge found more than 100,000 devices hit by DoublePulsar. A scan run by the firm Monday found 183,107 infected machines.
Below0Day found that just over 30,000 devices, including 11,000 in the U.S., were affected by the malware. A significant number of infected machines were also found in the United Kingdom, Taiwan, Korea and Germany, with smaller samples found in dozens of countries around the globe.
There are a number of reasons that may contribute to the wide variance in the count of attacked machines, the primary one being that since the NSA’s hacking tools were made public by an anonymous hacking group known as the Shadow Brokers, just about anyone has been able to make use of the exploit.
The second reason has to do with the design of the NSA malware itself. DoublePulsar is not designed to persist on a user’s device. This allows the implant to avoid detection, but also makes its lifespan relatively short. A simple reboot is enough to thwart the attack.
Microsoft has called into question the accuracy of Jennings’ script in detecting the malware, telling Ars Technica, "we doubt the accuracy of the reports and are investigating." However, other security researchers haven’t found fault with the script yet. Dan Tentler, the CEO of security group Phobos Group, told CSO Online he inspected 50 machines the script claimed were infected and said he has yet to find a false positive.
© Copyright IBTimes 2024. All rights reserved.