DoublePulsar: Difference between revisions
Revision as of 18:30, 21 September 2017
DoublePulsar is a backdoor implant developed by the U.S. National Security Agency's (NSA) Equation Group and leaked by The Shadow Brokers in early 2017.[1] Within weeks of the leak, internet-wide scans found the implant on more than 200,000 Microsoft Windows computers,[2][3][1][4][5] and in the May 2017 WannaCry ransomware attack it served as the kernel-mode payload delivered by the EternalBlue SMB exploit.[6][7][8]
Sean Dillon, a senior analyst at the security company RiskSense Inc., was the first to dissect DoublePulsar.[9][10] He said the leaked NSA exploits are "10 times worse" than the Heartbleed bug and use DoublePulsar as their primary payload. The implant runs in kernel mode (ring 0), which gives whoever controls it complete control of the system.[3] It is memory-resident only and does not survive a reboot; while present, it hooks the SMB server's handling of Transaction2 SESSION_SETUP requests, so an attacker can talk to it over the same port 445 service that EternalBlue exploits, without any new listening port. It recognises three commands: ping, which reports that the implant is present; kill, which removes it; and exec, which injects attacker-supplied code (such as a DLL) into a process on the host and is how follow-on malware is loaded.[9]
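The command channel described above can be modelled offline. The following is an added example, not code from the Wikipedia article, from Dillon's analysis or from the leaked tools: it builds the Trans2 SESSION_SETUP request on which the implant listens, recovers the opcode from the request's Timeout field (the four bytes summed modulo 256, with 0x23 for ping, 0x77 for kill and 0xC8 for exec, as documented in the cited analysis), and flags a reply whose Multiplex ID is 0x51, the value an infected host returns where a clean SMB server echoes the 0x41 it was sent. The SMB1 field layout follows the protocol's Transaction2 request format; the TID, PID, UID and flag values, the three filler bytes of the Timeout field, and the sample packets run through `triage` are constructed for illustration.

```python
"""
DoublePulsar's SMB1 command channel, modelled offline.

The implant hooks SMB_COM_TRANSACTION2 (0x32) requests whose Trans2
subcommand is SESSION_SETUP (0x000E). The command is hidden in the
request's 4-byte Timeout field: the bytes summed modulo 256 give the
opcode (0x23 ping, 0x77 kill, 0xC8 exec). An infected host answers a
ping with Multiplex ID 0x51; a clean server echoes the 0x41 it was sent.
"""
import struct

SMB_COM_TRANSACTION2 = 0x32
TRANS2_SESSION_SETUP = 0x000E
OPCODES = {0x23: "ping", 0x77: "kill", 0xC8: "exec"}
PROBE_MID = 0x41      # Multiplex ID a scanner sends
INFECTED_MID = 0x51   # Multiplex ID the implant answers with

# SMB1 header (32 bytes, little-endian): protocol, command, status, flags,
# flags2, pid_high, signature, reserved, tid, pid, uid, mid.
SMB_HEADER = "<4sBIBHH8sHHHHH"


def timeout_for_opcode(opcode, filler=(0xA6, 0xD9, 0xA4)):
    """Encode an opcode as four Timeout bytes whose sum mod 256 equals it.
    The filler bytes are arbitrary (constructed here; real traffic varies them)."""
    last = (opcode - sum(filler)) % 256
    return bytes(filler) + bytes([last])


def opcode_from_timeout(timeout):
    """Recover the opcode: sum of the four Timeout bytes modulo 256."""
    return sum(timeout) % 256


def netbios(body):
    """Prepend the NetBIOS session header: type 0x00 plus 24-bit big-endian length."""
    return struct.pack(">I", len(body)) + body


def build_trans2_session_setup(opcode, mid=PROBE_MID):
    """Constructed Trans2 SESSION_SETUP request carrying a DoublePulsar opcode.
    TID/PID/UID and flag values are illustrative, not from a real session."""
    header = struct.pack(SMB_HEADER, b"\xffSMB", SMB_COM_TRANSACTION2, 0, 0x18,
                         0xC007, 0, b"\x00" * 8, 0, 0x0800, 0xFEFF, 0x0800, mid)
    params = struct.pack("<BHHHHBBH4sHHHHHBBHH",
                         15,            # WordCount: 15 parameter words follow
                         12, 0,         # TotalParameterCount, TotalDataCount
                         1, 0,          # MaxParameterCount, MaxDataCount
                         0, 0,          # MaxSetupCount, Reserved1
                         0,             # Flags
                         timeout_for_opcode(opcode),  # Timeout: the opcode lives here
                         0,             # Reserved2
                         12, 66,        # ParameterCount, ParameterOffset
                         0, 78,         # DataCount, DataOffset
                         1, 0,          # SetupCount, Reserved3
                         TRANS2_SESSION_SETUP,        # Setup[0]: the subcommand
                         13)            # ByteCount
    return netbios(header + params + b"\x00" * 13)


def build_response(mid):
    """Constructed minimal reply (reply flag 0x80 set, no words, no bytes),
    standing in for what a server returns to the probe."""
    header = struct.pack(SMB_HEADER, b"\xffSMB", SMB_COM_TRANSACTION2, 0, 0x98,
                         0xC007, 0, b"\x00" * 8, 0, 0x0800, 0xFEFF, 0x0800, mid)
    return netbios(header + b"\x00\x00\x00")   # WordCount 0, ByteCount 0


def parse_smb(packet):
    """Split a NetBIOS-framed SMB1 packet into header fields and the SMB body."""
    if len(packet) < 36 or packet[4:8] != b"\xffSMB":
        return None
    f = struct.unpack_from(SMB_HEADER, packet, 4)
    return {"command": f[1], "flags": f[3], "mid": f[11], "body": packet[4:]}


def classify_request(packet):
    """Name the DoublePulsar command in a request, or None if it is not the knock."""
    smb = parse_smb(packet)
    if smb is None or smb["flags"] & 0x80 or smb["command"] != SMB_COM_TRANSACTION2:
        return None
    body = smb["body"]
    if len(body) < 65 or body[32] < 15 or body[59] < 1:
        return None               # not a full Trans2 request with a setup word
    if struct.unpack_from("<H", body, 61)[0] != TRANS2_SESSION_SETUP:
        return None
    return OPCODES.get(opcode_from_timeout(body[45:49]))   # Timeout at words offset 45


def response_indicates_implant(packet):
    """True when a reply carries MID 0x51, the value an infected host returns to a ping."""
    smb = parse_smb(packet)
    return bool(smb and smb["flags"] & 0x80 and smb["mid"] == INFECTED_MID)


def triage(packets):
    """Run both checks over captured packets and return the findings in order."""
    findings = []
    for pkt in packets:
        cmd = classify_request(pkt)
        if cmd:
            findings.append("request: doublepulsar " + cmd)
        elif response_indicates_implant(pkt):
            findings.append("response: MID 0x51, host likely implanted")
    return findings


if __name__ == "__main__":
    sample = [build_trans2_session_setup(0x23), build_response(0x51),
              build_trans2_session_setup(0xC8), build_response(0x41)]
    for line in triage(sample):
        print(line)
```

`classify_request` is the passive form of the check, suitable for SMB payloads pulled from a capture; `build_trans2_session_setup(0x23)` is the active ping probe that scanners such as Nmap's smb-double-pulsar-backdoor script and Metasploit's MS17-010 scanner send. Two caveats apply to both: the knock only reaches an implant that is resident at the time, so a host that was rebooted will test clean while remaining unpatched against EternalBlue, and the kill opcode removes only the implant, not whatever exec has already loaded into a user-mode process.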
References
1. "DoublePulsar malware spreading rapidly in the wild following Shadow Brokers dump". SC Magazine, 25 April 2017. https://www.scmagazine.com/doublepulsar-malware-spreading-rapidly-in-the-wild-following-shadow-brokers-dump/article/652518/
2. Sterling, Bruce. "Double Pulsar NSA leaked hacks in the wild". Wired. https://www.wired.com/beyond-the-beyond/2017/04/double-pulsar-nsa-leaked-hacks-wild/
3. "Seriously, Beware the 'Shadow Brokers'". Bloomberg, 4 May 2017. https://www.bloomberg.com/news/articles/2017-05-04/seriously-beware-the-shadow-brokers
4. "Wana Decrypt0r Ransomware Using NSA Exploit Leaked by Shadow Brokers Is on a Rampage". BleepingComputer. https://www.bleepingcomputer.com/news/security/wana-decrypt0r-ransomware-using-nsa-exploit-leaked-by-shadow-brokers-is-on-a-rampage/
5. ">10,000 Windows computers may be infected by advanced NSA backdoor". Ars Technica. https://arstechnica.com/security/2017/04/10000-windows-computers-may-be-infected-by-advanced-nsa-backdoor/
6. Cameron, Dell. "Today's Massive Ransomware Attack Was Mostly Preventable; Here's How To Avoid It". Gizmodo Australia. https://www.gizmodo.com.au/2017/05/todays-massive-ransomware-attack-was-mostly-preventable-heres-how-to-avoid-it/
7. Fox-Brewster, Thomas. "How One Simple Trick Just Put Out That Huge Ransomware Fire". Forbes. https://www.forbes.com/sites/thomasbrewster/2017/05/13/wannacry-ransomware-outbreak-stopped-by-researcher/
8. "Player 3 Has Entered the Game: Say Hello to 'WannaCry'". blog.talosintelligence.com. Retrieved 2017-05-15. http://blog.talosintelligence.com/2017/05/wannacry.html
9. "DoublePulsar Initial SMB Backdoor Ring 0 Shellcode Analysis". zerosum0x0.blogspot.com. Retrieved 2017-05-16. https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html
10. "NSA's DoublePulsar Kernel Exploit In Use Internet-Wide". threatpost.com. Retrieved 2017-05-16. https://threatpost.com/nsas-doublepulsar-kernel-exploit-in-use-internet-wide/125165/