DoublePulsar: Difference between revisions
Previous revision: No edit summary
Latest revision: Citation bot (talk | contribs): Added date. Suggested by Abductive | Category:Computer security exploits | #UCB_Category 11/156
(38 intermediate revisions by 29 users not shown)
Line 1:
{{Short description|Backdoor implant tool}}
{{For|the only known double pulsar star system|PSR J0737-3039}}
{{linkrot|date=May 2017}}

Previous revision (text replaced in the latest revision):
Sean Dillon is a senior analyst of security company RiskSense Inc. who dissected and inspected DoublePulsar. He said that it is "10 times worse" than the [[Heartbleed]] security bug and runs in [[Kernel (operating system)|kernel]] mode which grants hackers a high level of control over the computer system.<ref name="usbguy" />

{{Infobox computer virus
| fullname = Pulsar Vulnerability
| image =
| caption =
| common_name =
| technical_name =
* '''Double Variant'''
** Trojan:Win32/DoublePulsar ([[Microsoft]])
** Backdoor.DoublePulsar ([[Fortiguard]])
* '''Dark Variant'''
** Trojan.Darkpulsar ([[NortonLifeLock|Symantec]])<ref>{{cite web |title=Trojan.Darkpulsar |url=https://www.symantec.com/security-center/writeup/2017-042107-1152-99 |website=[[Broadcom#Symantec enterprise security|Symantec]] |archive-url=https://web.archive.org/web/20191003212706/https://www.symantec.com/security-center/writeup/2017-042107-1152-99 |archive-date=3 October 2019 |language=en}}</ref>
** Win32/Equation.DarkPulsar ([[ESET]])<ref>{{cite web |title=Win32/Equation.DarkPulsar.A {{!}} ESET Virusradar |url=https://www.virusradar.com/en/Win32_Equation.DarkPulsar.A/description |website=www.virusradar.com}}</ref>
| aliases =
| family = Pulsar (backdoor family)
| classification =
| type =
| subtype =
| isolation_date =
| origin =
| infection_vector =
| author = [[Equation Group]]
| ports_used =
| OS =
| filesize =
| language =
}}
'''DoublePulsar''' is a [[backdoor (computing)|backdoor]] implant tool developed by the U.S. [[National Security Agency]]'s (NSA) [[Equation Group]] that was leaked by [[The Shadow Brokers]] in early 2017.<ref name="scmagazine"/>{{Citation needed|reason=Concrete evidence linking Equation Group and the NSA not found|date=October 2023}} The tool infected more than 200,000 [[Microsoft Windows]] [[Computers in the classroom|computers]] in only a few weeks,<ref>{{cite magazine|url=https://www.wired.com/beyond-the-beyond/2017/04/double-pulsar-nsa-leaked-hacks-wild/|title=Double Pulsar NSA leaked hacks in the wild|first=Bruce|last=Sterling|magazine=Wired }}</ref><ref name="usbguy">{{cite news|url=https://www.bloomberg.com/news/articles/2017-05-04/seriously-beware-the-shadow-brokers|title=Seriously, Beware the 'Shadow Brokers'|newspaper=Bloomberg |date=4 May 2017|via=www.bloomberg.com}}</ref><ref name="scmagazine">{{cite web|url=https://www.scmagazine.com/doublepulsar-malware-spreading-rapidly-in-the-wild-following-shadow-brokers-dump/article/652518/|title=DoublePulsar malware spreading rapidly in the wild following Shadow Brokers dump|date=25 April 2017}}</ref><ref>{{cite web|url=https://www.bleepingcomputer.com/news/security/wana-decrypt0r-ransomware-using-nsa-exploit-leaked-by-shadow-brokers-is-on-a-rampage/|title=Wana Decrypt0r Ransomware Using NSA Exploit Leaked by Shadow Brokers Is on a Rampage}}</ref><ref>{{cite web|url=https://arstechnica.com/security/2017/04/10000-windows-computers-may-be-infected-by-advanced-nsa-backdoor/|title=>10,000 Windows computers may be infected by advanced NSA backdoor|date=21 April 2017 }}</ref> and was used alongside [[EternalBlue]] in the May 2017 [[WannaCry ransomware attack]].<ref>{{cite web|url=https://www.gizmodo.com.au/2017/05/todays-massive-ransomware-attack-was-mostly-preventable-heres-how-to-avoid-it/|title=Today's Massive Ransomware Attack Was Mostly Preventable; Here's How To Avoid It|first=Dell|last=Cameron|date=13 May 2017 }}</ref><ref>{{cite web|url=https://www.forbes.com/sites/thomasbrewster/2017/05/13/wannacry-ransomware-outbreak-stopped-by-researcher/#38e56ad374fc|title=How One Simple Trick Just Put Out That Huge Ransomware Fire|first=Thomas|last=Fox-Brewster|website=[[Forbes]] }}</ref><ref>{{cite web|url=http://blog.talosintelligence.com/2017/05/wannacry.html|title=Player 3 Has Entered the Game: Say Hello to 'WannaCry'|website=blog.talosintelligence.com|date=12 May 2017 |access-date=2017-05-15}}</ref> A variant of DoublePulsar was first seen in the wild in March 2016, as discovered by Symantec.<ref>{{cite web|url=https://arstechnica.com/information-technology/2019/05/stolen-nsa-hacking-tools-were-used-in-the-wild-14-months-before-shadow-brokers-leak/|title=Stolen NSA hacking tools were used in the wild 14 months before Shadow Brokers leak|website=arstechnica.com|date=7 May 2019 |access-date=2019-05-07}}</ref>

Sean Dillon, senior analyst of security company [[RiskSense Inc.]], first dissected and inspected DoublePulsar.<ref name="techanalysis">{{cite web|url=https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html|title=DoublePulsar Initial SMB Backdoor Ring 0 Shellcode Analysis|website=zerosum0x0.blogspot.com|date=21 April 2017 |access-date=2017-05-16}}</ref><ref>{{cite web|url=https://threatpost.com/nsas-doublepulsar-kernel-exploit-in-use-internet-wide/125165/|title=NSA's DoublePulsar Kernel Exploit In Use Internet-Wide|website=threatpost.com|date=24 April 2017 |access-date=2017-05-16}}</ref> He said that the NSA exploits are "10 times worse" than the [[Heartbleed]] security bug, and use DoublePulsar as the primary [[payload (computing)|payload]]. DoublePulsar runs in [[kernel mode]], which grants cybercriminals a high level of control over the computer system.<ref name="usbguy"/> Once installed, it uses three commands: [[ping (networking utility)|ping]], [[exit (system call)|kill]], and [[exec (system call)|exec]], the latter of which can be used to load [[malware]] onto the system.<ref name="techanalysis"/>
==References==
{{Reflist|30em}}

{{Hacking in the 2010s}}

[[Category:Windows trojans]]
[[Category:Computer security exploits]]
[[Category:National Security Agency]]

{{Malware-stub}}
Latest revision as of 23:56, 14 July 2024
| DoublePulsar | |
|---|---|
| Technical name | Double Variant: Trojan:Win32/DoublePulsar (Microsoft), Backdoor.DoublePulsar (Fortiguard); Dark Variant: Trojan.Darkpulsar (Symantec)[1], Win32/Equation.DarkPulsar (ESET)[2] |
| Family | Pulsar (backdoor family) |
| Authors | Equation Group |
DoublePulsar is a backdoor implant tool developed by the U.S. National Security Agency's (NSA) Equation Group that was leaked by The Shadow Brokers in early 2017.[3][citation needed] The tool infected more than 200,000 Microsoft Windows computers in only a few weeks,[4][5][3][6][7] and was used alongside EternalBlue in the May 2017 WannaCry ransomware attack.[8][9][10] A variant of DoublePulsar was first seen in the wild in March 2016, as discovered by Symantec.[11]
Sean Dillon, senior analyst of security company RiskSense Inc., first dissected and inspected DoublePulsar.[12][13] He said that the NSA exploits are "10 times worse" than the Heartbleed security bug, and use DoublePulsar as the primary payload. DoublePulsar runs in kernel mode, which grants cybercriminals a high level of control over the computer system.[5] Once installed, it uses three commands: ping, kill, and exec, the latter of which can be used to load malware onto the system.[12]
References
- ^ "Trojan.Darkpulsar". Symantec. Archived from the original on 3 October 2019.
- ^ "Win32/Equation.DarkPulsar.A | ESET Virusradar". www.virusradar.com.
- ^ a b "DoublePulsar malware spreading rapidly in the wild following Shadow Brokers dump". 25 April 2017.
- ^ Sterling, Bruce. "Double Pulsar NSA leaked hacks in the wild". Wired.
- ^ a b "Seriously, Beware the 'Shadow Brokers'". Bloomberg. 4 May 2017 – via www.bloomberg.com.
- ^ "Wana Decrypt0r Ransomware Using NSA Exploit Leaked by Shadow Brokers Is on a Rampage".
- ^ ">10,000 Windows computers may be infected by advanced NSA backdoor". 21 April 2017.
- ^ Cameron, Dell (13 May 2017). "Today's Massive Ransomware Attack Was Mostly Preventable; Here's How To Avoid It".
- ^ Fox-Brewster, Thomas. "How One Simple Trick Just Put Out That Huge Ransomware Fire". Forbes.
- ^ "Player 3 Has Entered the Game: Say Hello to 'WannaCry'". blog.talosintelligence.com. 12 May 2017. Retrieved 2017-05-15.
- ^ "Stolen NSA hacking tools were used in the wild 14 months before Shadow Brokers leak". arstechnica.com. 7 May 2019. Retrieved 2019-05-07.
- ^ a b "DoublePulsar Initial SMB Backdoor Ring 0 Shellcode Analysis". zerosum0x0.blogspot.com. 21 April 2017. Retrieved 2017-05-16.
- ^ "NSA's DoublePulsar Kernel Exploit In Use Internet-Wide". threatpost.com. 24 April 2017. Retrieved 2017-05-16.