Slashdot Mirror


NSA's DoublePulsar Kernel Exploit a 'Bloodbath' (threatpost.com)

msm1267 quotes a report from Threatpost: A little more than two weeks after the latest ShadowBrokers leak of NSA hacking tools, experts are certain that the DoublePulsar post-exploitation Windows kernel attack will have similar staying power to the Conficker bug, and that pen-testers will be finding servers exposed to the flaws patched in MS17-010 for years to come. MS17-010 was released in March and it closes a number of holes in Windows SMB Server exploited by the NSA. Exploits such as EternalBlue, EternalChampion, EternalSynergy and EternalRomance that are part of the Fuzzbunch exploit platform all drop DoublePulsar onto compromised hosts. DoublePulsar is a sophisticated memory-based kernel payload that hooks onto x86 and 64-bit systems and allows an attacker to execute any raw shellcode payload they wish. "This is a full ring0 payload that gives you full control over the system and you can do what you want to it," said Sean Dillon, senior security analyst at RiskSense. Dillon was the first to reverse-engineer a DoublePulsar payload, and published his analysis last Friday. "This is going to be on networks for years to come. The last major vulnerability of this class was MS08-067, and it's still found in a lot of places," Dillon said. "I find it everywhere. This is the most critical Windows patch since that vulnerability." Dan Tentler, founder and CEO of Phobos Group, said internet-wide scans he's running have found about 3.1 percent of vulnerable machines are already infected (between 62,000 and 65,000 so far), and that percentage is likely to go up as scans continue. "This is easily describable as a bloodbath," Tentler said.

22 of 187 comments

  1. It's not a kernel exploit by Anonymous Coward · · Score: 3, Insightful

    For fuck sake, can we please stop calling these things 'exploits' as if Microsoft had nothing to do with it?

    These are FEATURES, people...

  2. I work for a medical billing software... by Anonymous Coward · · Score: 4, Interesting

    company, and I think all of our Internet-facing Windows servers have been compromised. We do everything we can, but there's still processes that use tons of bandwidth with outgoing traffic that we can't stop.

    1. Re:I work for a medical billing software... by ewhac · · Score: 5, Insightful
      ...I guess I have to be Doctor Obvious here:

      Why do you have Windows hosts on the public-facing Internet??? WHY WOULD YOU DO THAT PROFOUNDLY STUPID THING?!???!?

    2. Re:I work for a medical billing software... by gweihir · · Score: 4, Insightful

      One reason and one reason only: It is cheaper. Well, it is cheaper in the short run. That is all that management focused on the year-end bonus is often caring about. I see it all the time. But even used internally, Windows "servers" are a constant problem; they never can compete with UNIX on maintenance cost, flexibility, reliability and performance. Sure, they are cheaper initially, but you pay for that for a long, long time. It becomes grossly obvious when you have global changes, and the Windows servers are _always_ those lagging behind or needing special exceptions and the like. Windows on the server is a "90% OS": It only has 90% of what is really needed.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re: I work for a medical billing software... by vtcodger · · Score: 2

      Or you could save $35 and some labor costs by just unplugging the telephone company's data line. If you're willing to wait a while, don't pay the telco, and they'll unplug it for you.

      BTW, I haven't tried it personally. But I suspect that if the mystery traffic is on port 443 (HTTPS) and is intermixed with legitimate traffic, the Raspberry Pi may have some trouble distinguishing real from bogus. And we're all supposed to use HTTPS because it's secure, right?

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
    4. Re: I work for a medical billing software... by Doke · · Score: 2
      I've seen the "to get real work done you use windows" argument used rationally for jobs that require using windows-only desktop software like AutoCad. However, it's growing less and less true for any other desktop task. It's blatantly false for servers. Linux now massively dominates the server market, especially in supercomputing. https://en.wikipedia.org/wiki/...

      Windows was a cheap, low-end desktop OS, that has grown up enough for some people to try to use as a server. Commercial Unix is an expensive server OS, that has an add-on gui desktop interface since 1984 (long before windows existed). Linux is somewhere in between.

  3. If the NSA wasn't evil by Snotnose · · Score: 5, Interesting

    They would immediately tell Intel, Microsoft, and Mr Torvalds exactly what flaws they are exploiting so they could be closed. Instead, being the evil assholes they are, they won't tell anyone. Cuz we all know the NSA is smarter than the Chinese, Russians, and random hacker groups who exploit the same holes.

    I guess it's a difference of philosophy. I want my computing to be as secure as possible. The NSA wants to hack anyone's system at anytime.

    My philosophy is common sense, the NSA's is pure evil considering it lessens my security.

    1. Re: If the NSA wasn't evil by CAIMLAS · · Score: 2

      Ah, a "just doing my job" apologist...

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    2. Re:If the NSA wasn't evil by Billly+Gates · · Score: 2

      > They would immediately tell Intel, Microsoft, and Mr Torvalds exactly what flaws they are exploiting so they could be closed. Instead, being the evil assholes they are, they won't tell anyone. Cuz we all know the NSA is smarter than the Chinese, Russians, and random hacker groups who exploit the same holes.
      >
      > I guess it's a difference of philosophy. I want my computing to be as secure as possible. The NSA wants to hack anyone's system at anytime.
      >
      > My philosophy is common sense, the NSA's is pure evil considering it lessens my security.

      Wrong. The government is ordering them to put the flaw in!! If Snowden is correct, under the American Patriot Act they can arrest those who do not comply with making their products with backdoors, so the government doesn't have to get a court order.

      To me that is pure evil. You think Apple and Android LOVE putting in hidden apps that secretly turn your phones into recording devices that send the GPS and conversations without you knowing while appearing off?

    3. Re:If the NSA wasn't evil by chrish · · Score: 2

      It's No Security Anymore isn't it?

      --
      - chrish
    4. Re: If the NSA wasn't evil by Doke · · Score: 2
      Banning crypto software and hardware exports was tried before, and didn't work (https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States). It's far too easy to illegally export the code, or an algorithm, on a micro-SD card. It's easy to find loopholes in the law, by printing the code on a t-shirt or in a book.

      Much of the code was developed outside the US. For example, AES was developed in Belgium (https://en.wikipedia.org/wiki/Advanced_Encryption_Standard).

      Limiting hardware exports is also long obsolete; China now has the top two (publicly announced) supercomputers in the world (https://www.top500.org/lists/2016/11/). We don't know what secret computers any government has, but that's irrelevant for export laws.

  4. What do we use to scan for it? by brxndxn · · Score: 5, Interesting

    What do we use to scan for this exploit being present on our servers and networks? With the nature of the work I am in, I connect to a lot of different client networks with admin access.. I remember with Conficker, there was a Professor's website that basically listed all sorts of information about it and how to mitigate the problem. It resulted in a lot of consulting hours for me since I read all about it and was able to completely remove it whereas previous IT people just ran a scan and removed what it found only to have a later version of Conficker installed a day or two later. This seems like another one of those opportunities..

    --
    --- We need more Ron Paul!
    1. Re:What do we use to scan for it? by Anonymous Coward · · Score: 5, Funny

      > What do we use to scan for this exploit being present on our servers and networks?

      1- Go to each server, and run:
      2- uname -r

      If you get a result that displays a valid kernel, you are safe. If you are infected, it will say:

      'uname' is not recognized as an internal or external command, operable program or batch file.

      3- If you are infected, you can follow the cleaning steps here:
      http://www.tecmint.com/fedora-...

    2. Re:What do we use to scan for it? by Anonymous Coward · · Score: 3, Funny

      I get 4.4.0-43-Microsoft on Windows 10 Creators Update :-p

    3. Re:What do we use to scan for it? by Dwedit · · Score: 2

      Having mingw, msys, and cygwin installed, I actually get results for the uname command.

  5. "gives you full control over the system" by Anonymous Coward · · Score: 3, Funny

    We've been asking for this ever since Windows 10 was released. Someone should develop and release an adaptation for regular users who want to take control of their own computers back.

  6. TCP port 445 screening, Metasploit, Alert Logic by raymorris · · Score: 3, Informative

    A first-pass screening test is to see if TCP port 445 is open. Most hosts will have 445 blocked by the firewall, thereby providing a degree of protection for the vulnerable SMB.

    If 445 is open, that does not mean the host is compromised, but it is likely to be vulnerable. This Metasploit module is one check that can be run:

    https://github.com/rapid7/meta...

    More information can be found on the Alert Logic blog and our various teams will continue to post there and elsewhere as more information is made available.
    https://www.alertlogic.com/res...

    I know Alert Logic has other resources posted elsewhere, but unfortunately I don't know the exact URLs off hand. My team sends technical details to another team, who aggregates it with information developed by other teams, then they forward it to the PR people who post it for you to read, with other, more detailed information provided to customers. So personally I only know where I send the information internally, but not where you can read all of it.
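The first-pass screening raymorris describes (and the "what do we use to scan for it?" question upthread), as an added example that is not code from the original thread, from Alert Logic, or from Metasploit: it probes TCP port 445 on an inventory of hosts you administer and classifies each as open, closed (refused), or filtered (no answer before the timeout, usually a firewall dropping the packets). Hosts that answer on 445 are the ones to check for MS17-010 and for unnecessary internet exposure. The host list and the loopback listener used for the demo are constructed; function names are this example's own.

```python
import socket
from typing import Dict, List, Tuple

SMB_PORT = 445  # TCP port used by SMB, the service MS17-010 patches


def probe_tcp(host: str, port: int = SMB_PORT, timeout: float = 2.0) -> str:
    """Classify host:port from a single TCP connect attempt.

    'open'     - handshake completed, something is listening
    'closed'   - connection actively refused, nothing listening
    'filtered' - no reply before the timeout (typically a firewall dropping packets)
    'error'    - name resolution or other socket failure
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "error"


def screen_smb_exposure(hosts: List[str], port: int = SMB_PORT,
                        timeout: float = 2.0) -> Dict[str, str]:
    """Probe every host in an inventory you administer; map host -> state."""
    return {h: probe_tcp(h, port, timeout) for h in hosts}


def hosts_needing_attention(results: Dict[str, str]) -> List[str]:
    """Hosts whose SMB port answered. For each: confirm MS17-010 is applied
    and that 445 is not reachable from untrusted networks."""
    return sorted(h for h, state in results.items() if state == "open")


def start_local_listener() -> Tuple[socket.socket, int]:
    """Constructed demo helper: listen on an ephemeral loopback port so the
    screening can be exercised offline without touching a real SMB service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed inventory: one loopback host, probed while a listener is
    # up (stands in for a server with 445 reachable) and again after it is gone.
    srv, port = start_local_listener()
    try:
        while_up = screen_smb_exposure(["127.0.0.1"], port=port)
    finally:
        srv.close()
    after_down = screen_smb_exposure(["127.0.0.1"], port=port)
    for label, res in (("listener up", while_up), ("listener down", after_down)):
        print(f"{label}: {res} -> needs attention: {hosts_needing_attention(res)}")
```

Run against your own host list with the default port 445 (one connect per host, so it is cheap to schedule regularly); a "filtered" result is what you want to see from outside the perimeter, while "open" from the internet side means the firewall is not doing the screening the comment above relies on.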

  7. MS08-067 Still Out There? by aster_ken · · Score: 4, Informative

    Who the hell is still using operating system software that hasn't been patched since October 2008? And even then, only one of the affected operating systems (Windows Server 2008) is still receiving security updates. If there are public-facing Windows 2000, Windows XP, and Windows Server 2003 machines still in the wild, I'd go so far as to say those companies deserve to be compromised.

  8. Use Linux servers? by TheOuterLinux · · Score: 3, Insightful

    Seriously, why do people even use Window$ on servers? Any real advantage to it? It's not like the command line dark ages anymore with Linux to figure out how to do it. Tons of videos on how to set it up too. And if you want, you can set it up graphically and then run it without graphics to save resources.

    1. Re:Use Linux servers? by thegarbz · · Score: 2, Insightful

      > Seriously, why do people even use Window$ on servers?

      There are plenty of serious answers to this question but ultimately they're unlikely to be understood by someone with a mentality that extends to calling a product "Window$" and thinking they are clever.

      > Tons of videos on how to set it up too.

      Ladies and gentlemen: How to set up an insecure internet-facing server 101: Let's not have a clue and follow some video tutorial! Now I know where the $ came from, it's all the money that will be stolen from any server set up by those who follow your expert advice.

    2. Re:Use Linux servers? by coofercat · · Score: 2

      > Ladies and gentlemen: How to set up an insecure internet-facing server 101: Let's not have a clue and follow some video tutorial! Now I know where the $ came from, it's all the money that will be stolen from any server set up by those who follow your expert advice.

      I think what you're describing is exactly how this came about in the first place. Even a modicum of firewalls and proxies would mitigate most of the attack vectors for this exploit, yet we see lots of infections. That sounds like lots of people set things up without properly understanding them.

  9. Unplug it? by Kludge · · Score: 2

    > there's still processes that use tons of bandwidth with outgoing traffic that we can't stop.

    Unplug the computer?