Enlarge / A script scanning the Internet for computers infected by DoublePulsar. On the left, a list of IPs Shodan detected having the backdoor installed. On the right are pings used to manually check if a machine is infected. (credit: Dan Tentler)
Security experts believe that tens of thousands of Windows computers may have been infected by a highly advanced National Security Agency backdoor. The NSA backdoor was included in last week's leak by the mysterious group known as Shadow Brokers.
DoublePulsar, as the NSA implant is code-named, was detected on more than 107,000 computers in one Internet scan. That scan was performed over the past few days by researchers from Binary Edge, a security firm headquartered in Switzerland. Separate mass scans, one done by Errata Security CEO Rob Graham and another by researchers from Below0day, detected roughly 41,000 and 30,000 infected machines, respectively. To remain stealthy, DoublePulsar doesn't write any files to the computers it infects. This design prevents it from persisting after an infected machine is rebooted. The lack of persistence may be one explanation for the widely differing results.
Below0day
Read 5 remaining paragraphs | Comments
Article Link: https://arstechnica.com/security/2017/04/10000-windows-computers-may-be-infected-by-advanced-nsa-backdoor/