A recent leak by the hacker group known as the Shadow Brokers revealed the existence of NSA backdoors, but it was not known how widely they had been deployed. Now many security experts believe that tens of thousands of computers may be infected with the National Security Agency's highly advanced backdoor.
The implant, named DoublePulsar, was found on over 107,000 Windows computers during a scan performed by Binary Edge, a security company based in Switzerland; the scan ran for several days. They were not the only ones to run such a scan: another was done by Rob Graham, CEO of Errata Security, and another by researchers at Below0day. Both of those scans turned up at least 30,000 infected devices. DoublePulsar runs only in memory and leaves no files on infected devices, so a simple reboot removes it (though a reboot does nothing about the exposed service that let it in, so the host can be reinfected).
Many doubt these results, since the NSA is known to prefer abandoning a mission over risking detection, and 30,000 detections is far too many for an actor that behaves that way. Two different theories have therefore emerged. One holds that the scans are picking up on something that generates false positives; the other blames hackers who may have started using DoublePulsar after the Shadow Brokers leaked it.
Dan Tentler, founder of the security consultancy Phobos Group, stated: "People [who] have gotten their hands on the tools just started exploiting hosts on the Internet as fast as they could. On the part of Shadow Brokers, if their intention was to get mass infections to happen so their NSA zerodays got burned, the best [approach] is to release the tools [just before] the weekend. DoublePulsar is a means to an end."
Tentler is also running his own scan. So far he has tested around 50 IP addresses that were reported as infected and confirmed the NSA backdoor on them. He also said that DoublePulsar waits for instructions arriving on TCP port 445 (the SMB port), which should never be left exposed to the internet. Unfortunately, many people do not follow that rule, and that is how they get infected.
Microsoft issued an official statement soon after the reports appeared, saying that the issue was being investigated. They also stated that false positives are a definite possibility in most cases, since 30,000 to 107,000 infections is too large a number to be a real infection count. However, they are still investigating the matter and have warned that devices that are already infected could be open to further attacks.
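As an added example (not code from the article or from any of the scanners it mentions), the snippet below shows the two checks a practitioner would want after reading this: whether a host has TCP/445 reachable at all, and how a DoublePulsar "ping" reply is told apart from a normal SMB reply. The indicator it keys on is an assumption taken from the public DoublePulsar detection scripts rather than from this page: the implant answers a Trans2 SESSION_SETUP ping with Multiplex ID 0x51 in the SMB1 header, while an unmodified Windows SMB stack answers with 0x41. The sample replies are constructed inline so the parser can be exercised offline; the request-building side of a real scanner is not included.

```python
"""DoublePulsar reply classifier and TCP/445 exposure check (constructed example).

Assumption (from public detection scripts, not from the article): the backdoor
replies to the Trans2 SESSION_SETUP "ping" with Multiplex ID (MID) 0x51; a
clean Windows SMB1 stack replies with MID 0x41.
"""
import socket
import struct

SMB_TRANS2 = 0x32      # SMB1 SMB_COM_TRANSACTION2
MID_CLEAN = 0x41       # MID echoed back by an unmodified SMB stack
MID_INFECTED = 0x51    # MID returned by the DoublePulsar implant (assumption, see above)

# Fixed-size part of the SMB1 header after the 4-byte "\xffSMB" magic:
# command, NT status, flags, flags2, PIDHigh, signature, reserved, TID, PIDLow, UID, MID
_SMB1_HDR = struct.Struct("<BIBHH8sHHHHH")


def parse_smb1_header(data: bytes) -> dict:
    """Parse a NetBIOS-session-framed SMB1 header; raise ValueError on anything else."""
    if len(data) < 4 + 4 + _SMB1_HDR.size:
        raise ValueError("too short for a NetBIOS + SMB1 header")
    nb_type, nb_len = data[0], int.from_bytes(data[1:4], "big")
    if nb_type != 0x00:
        raise ValueError("not a NetBIOS session message")
    if 4 + nb_len > len(data):
        raise ValueError("NetBIOS length field exceeds captured data")
    if data[4:8] != b"\xffSMB":
        raise ValueError("missing SMB1 magic")
    (command, status, flags, flags2, pid_high, _sig, _reserved,
     tid, pid_low, uid, mid) = _SMB1_HDR.unpack(data[8:8 + _SMB1_HDR.size])
    return {"command": command, "status": status, "flags": flags, "flags2": flags2,
            "tid": tid, "pid": (pid_high << 16) | pid_low, "uid": uid, "mid": mid}


def classify_ping_reply(data: bytes) -> str:
    """Return 'infected', 'clean', 'unknown', 'unexpected' or 'invalid' for one reply."""
    try:
        hdr = parse_smb1_header(data)
    except ValueError:
        return "invalid"
    if hdr["command"] != SMB_TRANS2:
        return "unexpected"        # not a Trans2 reply at all; do not trust the MID
    if hdr["mid"] == MID_INFECTED:
        return "infected"
    if hdr["mid"] == MID_CLEAN:
        return "clean"
    return "unknown"


def build_trans2_reply(mid: int) -> bytes:
    """Constructed sample: a minimal Trans2 reply frame carrying the given MID.

    The body after the header is filler; classify_ping_reply() only reads the header.
    """
    hdr = b"\xffSMB" + _SMB1_HDR.pack(SMB_TRANS2, 0, 0x98, 0xC807, 0, b"\x00" * 8,
                                      0, 0, 0, 0xFEFF, mid)
    body = b"\x0a" + b"\x00" * 20 + b"\x00\x00"   # WordCount=10, zeroed words, ByteCount=0
    payload = hdr + body
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


def port_445_open(host: str, timeout: float = 2.0) -> bool:
    """True if a TCP connection to port 445 succeeds: the exposure the article warns about."""
    try:
        with socket.create_connection((host, 445), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed replies only; no hosts are contacted here.
    for label, sample in [("implant", build_trans2_reply(MID_INFECTED)),
                          ("windows", build_trans2_reply(MID_CLEAN)),
                          ("garbage", b"\x00\x00\x00\x03abc")]:
        print(f"{label:8s} -> {classify_ping_reply(sample)}")
```

A reply classed as "unexpected" or "unknown" should be treated as inconclusive rather than clean: a host that answers on 445 with something other than a Trans2 reply has not been tested, and a disputed figure like the 30,000 to 107,000 range in the article is exactly what a scanner that conflates those cases would produce.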