During the previous week, a number of security researchers took to scanning the internet for Windows systems lacking the MS17-010 patch and that are infected with the NSA’s DoublePulsar implant. Results from various researchers seemed to vary from very few up to tens of thousands. This article from Bleeping Computer indicates about 30,000 systems in the Internet are infected with the implant.
DoublePulsar is a non-persistent piece of malware that hooks into the SMB stack on infected systems, intercepting specially crafted SMB packets to run whatever code is sent to it. This sort of thing is important in the context of a spying operation, where the objective is to blend in with the background and not raise suspicion. Here is a great technical write up on DoublePulsar, in case you are interested in that sort of thing.
Here’s where I will probably get you shaking your fist at me: DoublePulsar is not the problem here. Counting DoublePulsar infected systems is interesting, but really isn’t that informative. The reboot after applying the patch MS17-010 drops DoublePulsar like a bad habit. A system that is vulnerable to MS17-010 is susceptible to all manner of malware infections. DoublePulsar itself is just a means by which to run other commands on an infected system and does not have it’s own nefarious instructions. Metasploit, among many other offensive tools, has support for MS17-010 which allows implanting arbitrary payloads. Here is a video of someone using MS17-010 to install meterpreter on a vulnerable system.
In my view, vulnerable Windows systems exposed to the Internet after April 14 are likely infected by something and rebuilt.
One final note: WHY, OH WHY, are there over 5.5 million Windows systems with port 445 exposed to the Internet?