msm1267 quotes a report from Threatpost: A little more than two weeks after the latest ShadowBrokers leak of NSA hacking tools, experts are certain that the DoublePulsar post-exploitation Windows kernel attack will have similar staying power to the Conficker bug, and that pen-testers will be finding servers exposed to the flaws patched in MS17-010 for years to come. MS17-010 was released in March and it closes a number of holes in Windows SMB Server exploited by the NSA. Exploits such as EternalBlue, EternalChampion, EternalSynergy and EternalRomance that are part of the Fuzzbunch exploit platform all drop DoublePulsar onto compromised hosts. DoublePulsar is a sophisticated memory-based kernel payload that hooks onto x86 and 64-bit systems and allows an attacker to execute any raw shellcode payload they wish. "This is a full ring0 payload that gives you full control over the system and you can do what you want to it," said Sean Dillon, senior security analyst at RiskSense. Dillon was the first to reverse-engineer a DoublePulsar payload, and published his analysis last Friday. "This is going to be on networks for years to come. The last major vulnerability of this class was MS08-067, and it's still found in a lot of places," Dillon said. "I find it everywhere. This is the most critical Windows patch since that vulnerability." Dan Tentler, founder and CEO of Phobos Group, said Internet-wide scans he's running have found about 3.1 percent of vulnerable machines are already infected (between 62,000 and 65,000 so far), and that percentage is likely to go up as scans continue. "This is easily describable as a bloodbath," Tentler said.
company, and I think all of our Internet-facing Windows servers have been compromised. We do everything we can, but there's still processes that use tons of bandwidth with outgoing traffic that we can't stop.
Why do you have Windows hosts on the public-facing Internet??? WHY WOULD YOU DO THAT PROFOUNDLY STUPID THING?!???!?
Excuse me, but you could put a 35 dollar Raspberry Pi as an inline firewall and essentially block the outgoing and incoming traffic.
One reason and one reason only: It is cheaper. Well, it is cheaper in the short run. That is all management focused on the year's end bonus is often caring about. I see it all the time. But even used internally, Windows "servers" are a constant problem; they never can compete with UNIX on maintenance cost, flexibility, reliability and performance. Sure, they are cheaper initially, but you pay for that for a long, long time. It becomes grossly obvious when you have global changes, and the Windows servers ar
Just claim the NSA did it and you've been forbidden to elaborate.
And you can expect to find it used in the wild in about a few seconds next...
(At least, luckily it got discovered through public channels: it got published by ShadowBrokers and got analysed by experts.
So at least our sysadmins have heard about it.
Security solutions vendors will try to get ways to detect and neutralize it.
Imagine if instead it was discovered by a few blackhats who reverse engineered a sample, and decided to incorporate the technology into their exploits, without the information ever reaching the security community.)
I guess it's a difference of philosophy. I want my computing to be as secure as possible. The NSA wants to hack anyone's system at anytime.
My philosophy is common sense, the NSA's is pure evil considering it lessens my security.
I would point out that there's a pretty subtle difference between the programmers and engineers that come up with this stuff, and the PHBs that tell them what to do.
When you're using these tools to "fight evil", you're doing good work. When you've been fooled by someone into thinking that you're fighting evil when you're really doing nothing but ensuring slavery and starvation will continue in several third world countries for the next two generations, you're still doing good work, but the PHB that gave you the orders is doing evil work.
Ah, a "just doing my job" apologist...
Indeed. Same thing the KZ guards and those sending people there (often regular police) claimed.
Evil on a large scale (and the NSA qualifies) cannot be done without large numbers of those willing helpers. They are the actual problem.
I do not see that difference. Engineers and coders that decided to work for the NSA are leaving their morality at the door when they come to work. They knew what the NSA was doing or they know now and have decided to stay. They are just as guilty as the ones taking the decisions.
They would immediately tell Intel, Microsoft, and Mr Torvalds exactly what flaws they are exploiting so they could be closed. Instead, being the evil assholes they are, they won't tell anyone. Cuz we all know the NSA is smarter than the Chinese, Russians, and random hacker groups who exploit the same holes.
Wrong. The government is ordering them to put the flaw in!! If Snowden is correct, under the American Patriot Act they can arrest those who do not comply with making their products with backdoors so the government doesn't have to get a court order.
To me that is pure evil. You think Apple and Android LOVE putting in hidden apps that secretly turn your phones into recording devices that send the GPS and conversations without you knowing while appearing off?
https://www.youtube.com/watch?... [youtube.com]
I think it's about time for the Butlerian Jihad
;-)
Seriously, every new technology just gives greed and hate more power. There seems to be nothing anyone can do about it, which baffles me. Why can't they catch ransomware assholes and throw them into jail for a long long time? They can do anything else but catch the bad guys. WTF - must be no MONEY in it. MONEY MONEY MONEY. That's the only arbiter of anything in our broken 'culture'.
International standards. Banking and payments, mil, police cooperation, educational grants and charity.
Get a free US computer system with working crypto for a nation that can link to the world.
If a nation wanted to network it would have to accept some US backed crypto, software, crypto and OS.
Cost could be kept very low or products offered as part of deals, charity work.
> What do we use to scan for this exploit being present on our servers and networks?
1- Go to each server, and run:
2- uname -r
If you get a result that displays a valid kernel, you are safe. If you are infected, it will say:
'uname' is not recognized as an internal or external command, operable program or batch file.
3- If you are infected, you can follow the cleaning steps here:
http://www.tecmint.com/fedora-... [tecmint.com]
I get 4.4.0-43-Microsoft on Windows 10 Creators Update
:-p
I would mod this "Funny", but I have already commented. Sorry
;-)
Be unexpected and random with different AV products.
Someone will have just the right kind of behaviour software update that might find something.
Try the new tools some security experts are now offering to help with today's issues.
A first-pass screening test is to see if TCP port 445 is open. Most hosts will have 445 blocked by the firewall, thereby providing a degree of protection for the vulnerable SMB.
If 445 is open, that does not mean the host is compromised, but it is likely to be vulnerable. This Metasploit module is one check that can be run:
https://github.com/rapid7/meta... [github.com]
More information can be found on the Alert Logic blog and our various teams will continue to post there and elsewhere as more information is made available.
ht [alertlogic.com]
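As an added example (not code from the commenter, Alert Logic, or the Metasploit project), the first-pass screening described above, applied to your own server inventory: each host is checked for a reachable TCP/445 listener and classified as "exposed, verify MS17-010 is applied" or "445 not reachable". The inventory file format, the `HOST_INVENTORY` sample (TEST-NET addresses) and the function names are assumptions made for this example; as the comment notes, a reachable 445 only means the SMB service is exposed from wherever this runs, not that the host is compromised.

```python
"""Screen a host inventory for an exposed TCP/445 (SMB) listener.

Added example, not from the thread: the verdict for a reachable port is
"exposed: verify MS17-010 applied", because an open 445 does not by itself
prove compromise, only that the vulnerable service is reachable.
"""
import socket
from typing import Callable, Dict, List

SMB_PORT = 445

# Constructed sample inventory (assumed format): "host[,comment]" per line,
# '#' starts a comment. The 192.0.2.0/24 addresses are TEST-NET placeholders.
HOST_INVENTORY = """\
# constructed sample inventory, one host per line
192.0.2.10,file-server
192.0.2.11,dc01
# 192.0.2.12 is decommissioned
192.0.2.13
"""


def parse_inventory(text: str) -> List[str]:
    """Return the host column of every non-blank, non-comment inventory line."""
    hosts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        hosts.append(line.split(",", 1)[0].strip())
    return hosts


def tcp_port_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Real probe: plain TCP connect. True only when the handshake completes;
    refused, filtered (timeout) and unresolvable hosts all count as not reachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify(reachable: bool) -> str:
    """Map the probe result onto the triage verdict from the comment above."""
    return "exposed: verify MS17-010 applied" if reachable else "445 not reachable"


def screen_hosts(hosts: List[str],
                 probe: Callable[[str, int], bool] = tcp_port_reachable) -> Dict[str, str]:
    """Probe every host on SMB_PORT and return host -> verdict.

    `probe` is injectable so the classification can be exercised without
    network access (e.g. replaying results from a previous scan)."""
    return {host: classify(probe(host, SMB_PORT)) for host in hosts}


if __name__ == "__main__":
    for host, verdict in screen_hosts(parse_inventory(HOST_INVENTORY)).items():
        print(f"{host}: {verdict}")
```

Run it from a network position that mirrors the one you care about (for example, from outside the perimeter for Internet-facing hosts): the same host may report "445 not reachable" from the Internet and "exposed" from the LAN, and only the second matters for the lateral-movement case the thread is discussing.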
We've been asking for this ever since Windows 10 was released. Someone should develop and release an adaptation for regular users who want to take control of their own computers back.
Who the hell is still using operating system software that hasn't been patched since October 2008? And even then, only one of the affected operating systems (Windows Server 2008) is still receiving security updates. If there are public-facing Windows 2000, Windows XP, and Windows Server 2003 machines still in the wild, I'd go so far as to say those companies deserve to be compromised.