ThomasMC 0 Posted February 19, 2020

Hi, I'm running the new package ESET Cloud and my customer's computers are infected by SMB/Exploit.DoublePulsar.B. In the Cloud Administrator, I can see the list of detections, and the proxy generated by the trojan has the blocked status but remains unresolved. What should I do now, and how?
Administrators Marcos 4,935 Posted February 20, 2020

Unfortunately not all data is visible. The best would be if you could collect logs with ESET Log Collector from the machine in question and upload the generated archive here. If the source IP address is not internal, then it's most likely an actual attack from that IP address. Solution: make sure that your computers are fully patched and all critical Windows updates are installed. If they are behind a router or firewall, the firewall should be configured to allow only desired communication from outside. How many machines do you have in the network?
Zoltan Endresz 5 Posted February 26, 2020

Hi ThomasMC, based on my experience, the best way to solve the DoublePulsar problem is to identify the source computer and then install the ESET system on it as well. DoublePulsar scans the network and tries to find further unprotected computers. This scan process causes a lot of warning messages from the properly protected clients, from time to time and again and again from each of them. So, do not search for the problem on the clients listed in your screenshot, but check the "OBJECT" column for the source IP and try to identify the unprotected computer. I hope I helped.
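An added example (not code from any poster or from ESET) of the triage Marcos and Zoltan describe: group the detection list by the source address found in the Object column, separate RFC 1918 (internal) sources from external ones, and rank the internal sources so the unprotected host can be found. The column names, the "src:port -> dst:port" form of the Object field and all rows are constructed assumptions, not ESET's real export layout.

```python
import csv
import io
import ipaddress
import re

# Constructed sample export. Column names and the "src:port -> dst:port" form
# of the Object field are assumptions, not the real ESET export layout.
SAMPLE_CSV = """Time,Computer,Threat,Object,Action
2020-02-18 09:12:01,WS-ACCT-01,SMB/Exploit.DoublePulsar.B,"TCP, 10.0.5.23:49310 -> 10.0.5.40:445",blocked
2020-02-18 09:12:03,WS-ACCT-02,SMB/Exploit.DoublePulsar.B,"TCP, 10.0.5.23:49312 -> 10.0.5.41:445",blocked
2020-02-18 09:15:44,WS-SALES-07,SMB/Exploit.DoublePulsar.B,"TCP, 10.0.5.23:49400 -> 10.0.5.77:445",blocked
2020-02-18 10:02:10,WS-RECEPT-01,SMB/Exploit.DoublePulsar.B,"TCP, 203.0.113.9:51123 -> 10.0.5.15:445",blocked
2020-02-18 10:05:00,WS-ACCT-01,Unrelated.Detection,file:///C:/tmp/sample.exe,cleaned
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ENDPOINTS = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):\d+\s*->\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")

def parse_object(obj):
    """Pull (src_ip, dst_ip, dst_port) out of a network-detection Object field, or None."""
    m = ENDPOINTS.search(obj)
    if m is None:
        return None
    return m.group(1), m.group(2), int(m.group(3))

def scope(ip):
    """'internal' for RFC 1918 sources (an unprotected LAN host), 'external' otherwise."""
    addr = ipaddress.ip_address(ip)
    return "internal" if any(addr in net for net in RFC1918) else "external"

def triage(csv_text, threat="SMB/Exploit.DoublePulsar.B"):
    """Group detections of one threat by attacking source: scope, hit count, targets."""
    sources = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Threat"] != threat:
            continue
        parsed = parse_object(row["Object"])
        if parsed is None:
            continue
        src, _dst, _port = parsed
        entry = sources.setdefault(src, {"scope": scope(src), "targets": set(), "hits": 0})
        entry["targets"].add(row["Computer"])   # protected clients that reported the scan
        entry["hits"] += 1
    return sources

def internal_suspects(sources):
    """Internal sources, busiest first: these are the machines to isolate and clean."""
    internal = [(src, e) for src, e in sources.items() if e["scope"] == "internal"]
    return [src for src, _ in sorted(internal, key=lambda kv: -kv[1]["hits"])]
```

External sources point at the perimeter firewall rules rather than at a LAN host, which is Marcos's distinction above.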
Most Valued Members Nightowl 198 Posted February 26, 2020

It depends on whether the attack is coming from outside or inside the network. From outside, you should look at the firewall rules that protect your machines; you should harden them up. From inside, that means one of the computers is infected and trying to spread through SMB. If you don't use SMB, it's better to remove it, especially SMB 1, as said by Microsoft: https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858

Send your regards from Monaco to the NSA for their malware.

Quote: DoublePulsar is a backdoor implant tool developed by the U.S. National Security Agency's (NSA) Equation Group that was leaked by The Shadow Brokers in early 2017.[3] The tool infected more than 200,000 Microsoft Windows computers in only a few weeks,[4][5][3][6][7] and was used alongside EternalBlue in the May 2017 WannaCry ransomware attack.[8][9][10] A variant of DoublePulsar was first seen in the wild in March 2016, as discovered by Symantec.[11] Sean Dillon, senior analyst of security company RiskSense Inc., first dissected and inspected DoublePulsar.[12][13] He said that the NSA exploits are "10 times worse" than the Heartbleed security bug, and use DoublePulsar as the primary payload. DoublePulsar runs in kernel mode, which grants cybercriminals a high level of control over the computer system.[5] Once installed, it uses three commands: ping, kill, and exec, the latter of which can be used to load malware onto the system.[12]

Technical name:
- Double variant: Trojan:Win32/DoublePulsar (Microsoft), Backdoor.DoublePulsar (Fortiguard)
- Dark variant: Trojan.Darkpulsar (Symantec)[1], Win32/Equation.DarkPulsar (ESET)[2]
itman 1,630 Posted February 26, 2020

DoublePulsar is a secondary infection on devices that are vulnerable to the EternalBlue exploit. The only real mitigation, other than disabling the SMBv1 protocol on all network devices, is to ensure all devices have been patched via application of the Windows Update for this vulnerability. Ref.: https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010 Do note that this update dates to 2017.