NSA's DoublePulsar Kernel Exploit a 'Bloodbath' (threatpost.com)
msm1267 quotes a report from Threatpost: A little more than two weeks after the latest ShadowBrokers leak of NSA hacking tools, experts are certain that the DoublePulsar post-exploitation Windows kernel attack will have similar staying power to the Conficker bug, and that pen-testers will be finding servers exposed to the flaws patched in MS17-010 for years to come. MS17-010 was released in March and it closes a number of holes in Windows SMB Server exploited by the NSA. Exploits such as EternalBlue, EternalChampion, EternalSynergy and EternalRomance that are part of the Fuzzbunch exploit platform all drop DoublePulsar onto compromised hosts. DoublePulsar is a sophisticated memory-based kernel payload that hooks onto x86 and 64-bit systems and allows an attacker to execute any raw shellcode payload they wish. "This is a full ring0 payload that gives you full control over the system and you can do what you want to it," said Sean Dillon, senior security analyst at RiskSense. Dillon was the first to reverse-engineer a DoublePulsar payload, and published his analysis last Friday. "This is going to be on networks for years to come. The last major vulnerability of this class was MS08-067, and it's still found in a lot of places," Dillon said. "I find it everywhere. This is the most critical Windows patch since that vulnerability." Dan Tentler, founder and CEO of Phobos Group, said internet-wide scans he's running have found about 3.1 percent of vulnerable machines are already infected (between 62,000 and 65,000 so far), and that percentage is likely to go up as scans continue. "This is easily describable as a bloodbath," Tentler said.
For fuck sake, can we please stop calling these things 'exploits' as if Microsoft had nothing to do with it?
These are FEATURES, people...
company, and I think all of our Internet-facing Windows servers have been compromised. We do everything we can, but there's still processes that use tons of bandwidth with outgoing traffic that we can't stop.
And you can expect to find it used in the wild in about a few seconds next...
(At least, luckily it got discovered through public channels: it got published by ShadowBrokers and got analysed by experts.
So at least our sysadmins have heard about it.
Security solution vendors will try to get ways to detect and neutralize it.
Imagine if instead it was discovered by a few blackhats who reverse engineered a sample, and decided to incorporate the technology into their exploits, without the information ever reaching the public).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
They would immediately tell Intel, Microsoft, and Mr Torvalds exactly what flaws they are exploiting so they could be closed. Instead, being the evil assholes they are, they won't tell anyone. Cuz we all know the NSA is smarter than the Chinese, Russians, and random hacker groups who exploit the same holes.
I guess it's a difference of philosophy. I want my computing to be as secure as possible. The NSA wants to hack anyone's system at anytime.
My philosophy is common sense, the NSA's is pure evil considering it lessens my security.
https://www.youtube.com/watch?...
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
See subject: MS has contracts w/ gov't. - NSA says "You wanna keep 'em? Don't patch these 'backdoors' or else" & yes folks - THAT IS WHY IT GOES ON - it's always money (the root of all evil).
* Same game corporatists pull on local state officials like Governors or Senators - we don't buy plant/property/equipment - we LEASE so we can take off on your ass whenever we wish - so, do you THINK you'll get reelected IF YOU DON'T DO AS WE WISH? Guess again, when 10,000++ of your constituents lose jobs when we make you be OUR GOOD MONKEY stooge (& you WILL do as we say).
APK
P.S.=> "Welcome to the REAL world, Neo" - the answer to 99/100 questions? The "Unholy Dollar" - follow the money... apk
Usually this kind of stuff is delivered by first monitoring your IP address for your search terms. Then, in your future searches they replace the URL link returned in the search results with a link to the malware and when you click the link: baam! you are infected...
It is easy to be an armchair quarterback, but.... Anyone with half a brain knew this would happen eventually. There do exist moral people, some dumb ones, some smart ones. In the former case stupidity trumps crooks all the time.
When MS introduces spyware or malware into the OS such as with win10, people say, "no problem, i just won't update to that."
But eventually whatever you are running (assuming Windows for the purpose of discussion) will be obsoleted and no longer getting security fixes. You will be vulnerable to an ever increasing number of exploits like this.
So yes, you can use Linux which is free to update. But if the entire non-technical world shifts to Linux, how long do you think it will be any better security than Windows is? The pressure to comply with the wishes of the masses will be overwhelming, and it will grow its own set of problems coming from trying to endlessly simplify it so the PHB can use it. It will have security exploits injected in very non-obvious ways by "contributors", who unbeknown to anyone are on the NSA payroll. (If that hasn't happened already...)
You can't avoid this by staying behind.
What do we use to scan for this exploit being present on our servers and networks? With the nature of the work I am in, I connect to a lot of different client networks with admin access.. I remember with Conficker, there was a Professor's website that basically listed all sorts of information about it and how to mitigate the problem. It resulted in a lot of consulting hours for me since I read all about it and was able to completely remove it whereas previous IT people just ran a scan and removed what it found only to have a later version of Conficker installed a day or two later. This seems like another one of those opportunities..
--- We need more Ron Paul!
I think it's about time for the Butlerian Jihad ;-)
Seriously, every new technology just gives greed and hate more power. There seems to be nothing anyone can do about it, which baffles me. Why can't they catch ransomware assholes and throw them into jail for a long long time? They can do anything else but catch the bad guys. WTF - must be no MONEY in it. MONEY MONEY MONEY. That's the only arbiter of anything in our broken 'culture'.
We've been asking for this ever since Windows 10 was released. Someone should develop and release an adaptation for regular users who want to take control of their own computers back.
Took me a while to find. They misspelled the name 'Dylan'. The link to the analysis is here:
https://zerosum0x0.blogspot.co...
The US and UK security services have had a few options to get standard OS, hardware and set crypto accepted by most users over most decades.
International standards. Banking and payments, mil, police cooperation, educational grants and charity.
Get a free US computer system with working crypto for a nation that can link to the world.
If a nation wanted to network it would have to accept some US-backed crypto, software and OS.
Cost could be kept very low or products offered as part of deals, charity or some common need.
Often full of trapdoors, backdoors or just junk crypto that would allow 5 eye nations in.
The 1980's saw a change to the desktop computer and a lot of new OS backed by different nations. A nation's own software and very different OS designs and even some good crypto.
All that had to be corrected until most of the world returned to US backed OS, US standard crypto and hardware.
Mobile phones and smartphones have always had police tracking and logging by design, as they connect to any telco globally.
The other trick is to out-price any emerging crypto standard that might work.
US and UK backed standards become free with the weak crypto. The good private sector crypto that works is priced out of the market or "proved" in some tech media review not to work. Hard to make money when junk crypto is free with the OS, network or hardware.
The use of open source is not an issue to the security services. The international crypto standards are set, the end users use US operating systems and networks.
Why bother with open source when the crypto standards are weak, the enduser device is junk or the global telco network is able to track all use?
The NSA and GCHQ are using the same methods to work around Linux as they did emerging 1980's OS in different nations.
Just push any international standard over open source efforts. Once the user has to install software, hardware to "network" "share" "work as a server" "chat" "VOIP" or "encrypt" on set standards the OS is not an issue.
Plain text and collect it all is the result wanted.
Study how the UK and US spy. The plain text, bulk collection for later language translation and sorting.
Consider France into the 1950's. All of France's embassy codes and spy work were being collected in plain text by the US and UK.
France understood all its spies could not have been turned globally on average. Its embassy staff around the world passed loyalty tests as expected.
All the information kept on flowing out. Finally France looked at its secure telco and crypto hardware and found plain text end to end was the issue.
1920's, 1940's, 1950's, 2015 collect it all in plain text and sort has always been the preferred method.
Two methods can help. Fill any public network with junk files, work, fictional projects. Pure internal fiction that's updated every day with real meetings, movements.
An internal project hinted at may not exist but everything around the project looks real to an outside observer using a network to spy.
Option two, go for the vault, paper and typewriter, no smartphone, no networked watch, no desktop computer in the vault. Very hard work to run a company of any size but the very best new ideas are kept a bit more secure for longer.
Domestic spying is now "Benign Information Gathering"
A first-pass screening test is to see if TCP port 445 is open. Most hosts will have 445 blocked by the firewall, thereby providing a degree of protection for the vulnerable SMB service.
If 445 is open, that does not mean the host is compromised, but it is likely to be vulnerable. This Metasploit module is one check that can be run:
https://github.com/rapid7/meta...
More information can be found on the Alert Logic blog and our various teams will continue to post there and elsewhere as more information is made available.
https://www.alertlogic.com/res...
I know Alert Logic has other resources posted elsewhere, but unfortunately I don't know the exact URLs off hand. My team sends technical details to another team, who aggregates it with information developed by other teams, then they forward it to the PR people who post it for you to read, with other, more detailed information provided to customers. So personally I only know where I send the information internally, but not where you can read all of it.
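As an added example (not the poster's code, nor Alert Logic's, nor the Metasploit module linked above), here is a small Python screen that implements the first-pass test the comment describes: does TCP 445 answer on each host? The host list passed on the command line and the loopback listener helper are assumptions so the script can be run offline; it only checks connectivity and never speaks SMB, so an open port is a prompt to verify patch state and firewall rules, not evidence of compromise.

```python
"""First-pass SMB exposure screen: does TCP 445 answer on each host?

Added example, not code from the thread, the Threatpost report or Alert Logic.
It implements only the screening test described above: an open 445 means the
SMB service is reachable from wherever this runs and the host should be checked
for the MS17-010 patch and its firewall rules; it does not prove compromise.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

SMB_PORT = 445


def is_port_open(host, port=SMB_PORT, timeout=1.0):
    """Return True if a TCP handshake to host:port completes within timeout.

    No data is sent: a refused or timed-out connection (or an unresolvable
    name) simply returns False, so this is a connectivity check, not a probe.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def screen_hosts(hosts, port=SMB_PORT, timeout=1.0, workers=32):
    """Screen many hosts concurrently; returns {host: True/False}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda h: (h, is_port_open(h, port, timeout)), hosts)
    return dict(results)


def exposed_hosts(report):
    """Sorted list of hosts whose port answered, i.e. the follow-up queue."""
    return sorted(h for h, is_open in report.items() if is_open)


def local_listener():
    """Assumed helper for offline use: a listening socket on 127.0.0.1 on an
    OS-chosen port, so the screen can be exercised without touching a real
    SMB host. Returns (socket, port); close the socket to 'filter' the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    # Placeholder target list: pass your own inventory on the command line.
    targets = sys.argv[1:] or ["127.0.0.1"]
    report = screen_hosts(targets)
    for host in sorted(report):
        state = "445 OPEN - verify MS17-010 patch state" if report[host] else "445 closed/filtered"
        print(f"{host}\t{state}")
```

Run it against an internal inventory file (`python screen445.py $(cat hosts.txt)`); anything listed as open goes on the patch-verification queue, and anything reachable from outside the local subnet is also a firewall-rule finding.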
Who the hell is still using operating system software that hasn't been patched since October 2008? And even then, only one of the affected operating systems (Windows Server 2008) is still receiving security updates. If there are public-facing Windows 2000, Windows XP, and Windows Server 2003 machines still in the wild, I'd go so far as to say those companies deserve to be compromised.
I wasn't aware that intelligence (in the cognitive sense) had anything to do with nationality. The NSA is certainly better funded than the FSB and enjoys better access to communications given the US' status as the de facto internet hub (although that's changing) but "smarter"... no. The US and Russia (née USSR) have been equal sparring partners in the intelligence game for a long time.
Someone at Threatpost has been watching too much Mr Robot.
Postulate:
1. these leaks are part of the same group from Russia hacking the US we've been seeing out of Wikileaks.
2. Ergo Putin has all these holes already, has already been exploiting them, and thus has access to any passwords and critical security systems connected to those exploits.
Postulate 2:
1. Putin's hackers also have access to any current NSA secret zero-day exploits, because when Trump got into power and he sent his men into the CIA and NSA, shortly after, Putin arrested some of his people for treason. These were believed to be the leakers of the Trump memos. Putin got those names from somewhere and Trump's group seems the likely source given the timing and his 'special' help in the election.
2. So if NSA and CIA cannot protect their secrets from Trump's group, they cannot protect any zero day exploits they have now.
As ever, the fix is open source, vet code carefully, don't put critical info on internet facing servers. Don't connect critical systems to open networks.
There are no good guy only backdoors, close all those backdoors. A good guy group is only one Trump away from being turned into a bad guy group.
This kind of problem is inevitable, when the apparatus of state has been rogue, for as long as the US military establishment. At least they can be brought to justice in courts across the world for their criminal activity.
Of course it isn't *sigh*
I didn't apply Windows Updates in March -- but I checked for new updates a week ago, and four security-related updates were downloaded and installed. The one update which seems like it might include the March fix is the following:
* April, 2017 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4015549)
But... When I look at the details for that update, and try to find all of the updates which that rollup might include, I cannot find mention of "MS17-010" or "4013389".
How can I determine whether the April rollup mentioned above has the fix? And if I didn't do any updates in March, and I only did updates in April, can I expect that I would get whatever security updates to date that were missing from my system?
I would be grateful for feedback !
Seriously, why do people even use Window$ on servers? Any real advantage to it? It's not like the command line dark ages anymore with Linux to figure out how to do it. Tons of videos on how to set it up too. And if you want, you can set it up graphically and then run it without graphics to save resources.
Spend the money you saved on Windows to fix the issue and double that until you're all good again.
ahh i see you are talking about systemd without talking about systemd, nice, nice
See subject & the fact that malwarebytes' folks verified my sourcecode as safe & so did VirusTotal https://www.virustotal.com/en/file/e01211ca36aa02e923f20adee0a3c4f5d5187dc65bdf1c997b3da3c2b0745425/analysis/1433430542/
APK
P.S.=> Tell us: How does EATING YOUR LYING WORDS taste? Like your FOOT in your MOUTH ramming them back down your throat washed down by the bitter taste of SELF defeat, you libeling little UNIDENTIFIABLE anonymous weasel?? Yes... apk
I'm going to continue using the Host File Engine. Your software is well written, functional. The Host File Engine performs exactly as promised by mmell
his hosts program is actually pretty good by xenotransplant
his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg
I've never tried to belittle (APK's) work, I've flat out said it's good by BronsCon
take a look at the APK hosts file engine by SuperKendall
APK is kinda right. I've tried his hosts file generating software. It works by bmo
I like your host file system by Karmashock
I find your hosts file admirable by vel-ex-tech
* My code's liked + recommended & hosted by Malwarebytes' hpHosts!
APK
P.S.=> Let see code from an UNIDENTIFIABLE anonymous snide weasel like you do better... apk
there's still processes that use tons of bandwidth with outgoing traffic that we can't stop.
Unplug the computer?
Thesis vs. AntiThesis for "order out of chaos" (order ab chao) for those running the show via Jesuits @ the top - you see it in "democrat" vs. "republican" AND "islam" vs. "christianity" (what's taught to those who are 'cattle/goyim') to keep you fighting one another UNTIL you can't take it anymore & submit (to those that worship "the lightbringer" who wanted to be God, which IS their stated goal, that "Man=God").
* Think that's what's NOT going on? Guess again - Jim Morrison said it best in "You're ALL slaves" & YES, YOU ARE THE PRODUCT (a giant mindgame to get numbers, tools/sychophants/bootlickers/cronies that are merely disposable cannon-fodder assets...) - we're ALL getting "played" & yes, playing ourselves falling victim to it (not me, not anymore, for decades now).
APK
P.S.=> IF I told you what's REALLY going on (I am, you dig up the details) & has been for MANY centuries? You wouldn't like it (two always, divided, for order out of chaos & even population reduction via wars etc. - political parties, religions (for the "dumb masses" NOT the reserved knowledge of "the ILLUMINATED") - Read Manley Palmer Hall OR Albert Pike, you get it, REAL fast... apk
Can anyone address as to whether any of the major AV apps (Norton, Kaspersky, Bitware, McAfee, ...) are working on finding/remediating this crap?
Self-importance and self-indulgence is the root of ALL evil.
Are you fucking serious? You'd only get remotely hacked without a firewall protecting Port 445. The default firewall for public interface only allows remote traffic from local subnet. You should be fired for incompetence.
Big Talking BROCKMIRE the BLOWHARD (wannabe expert w/ nothing to show) face the music you do nothing dildo https://it.slashdot.org/comments.pl?sid=10554305&cid=54337959/
* You little punk nobody "ne'er-do-well" zero...
APK
P.S.=> "The great brockmire" - FULL of HOT BLOWHARD AIR, no substance, hahahahaha (truer words were never spoken on slashdot)... apk