
SMB/Exploit.DoublePulsar.B


ThomasMC


Hi

I'm running the new package ESET Cloud and my customer's computers are infected by SMB/Exploit.DoublePulsar.B.

In the Cloud Administrator, I can see the list of detections and the proxy generated by the trojan has the blocked status but remains unresolved.

What should I do now, and how?


  • Administrators

Unfortunately not all data is visible. The best would be if you could collect logs with ESET Log Collector from the machine in question and upload the generated archive here.

If the source IP address is not internal then it's most likely an actual attack from that IP address. Solution: make sure that your computers are fully patched and all critical Windows updates are installed. If they are behind a router or firewall, the firewall should be configured to allow only desired communication from outside.

How many machines do you have in the network?


Hi ThomasMC,

Based on my experience, the best way to solve the DoublePulsar problem is to identify the source computer, then install the ESET system on it as well.

DoublePulsar scans the network and tries to find further unprotected computers. This scan process causes a lot of warning messages from the properly protected clients, from time to time and again and again from each of them.

So, do not look for the problem on the clients listed in your screenshot, but check the "OBJECT" column for the source IP and try to identify the unprotected computer.

I hope I helped.

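The two replies above (the administrator's point that an external source IP means an actual attack from outside, and the advice to read the source IP out of the "OBJECT" column) both come down to the same triage step: group the detections by source address and decide whether each source is inside or outside the network. The script below is an added example and is not code from the thread or from ESET; it works on a CSV export of the detection list, and the column names (Time, Threat, Object, Computer) and the sample rows are constructed assumptions that you would adjust to your own export.

```powershell
# Added example (not from the thread): group detection records by source
# address and flag which sources sit inside the LAN.
# Column names are assumptions; adjust them to your own export's headers.

# Constructed sample rows standing in for an exported detection list.
# 192.168.1.57 is a private address; 203.0.113.9 is a documentation range
# used here to stand for an outside host.
$detections = @'
Time,Threat,Object,Computer
2020-02-19 10:05:11,SMB/Exploit.DoublePulsar.B,TCP 192.168.1.57:445,WS-FINANCE-01
2020-02-19 10:05:12,SMB/Exploit.DoublePulsar.B,TCP 192.168.1.57:445,WS-SALES-03
2020-02-19 10:07:40,SMB/Exploit.DoublePulsar.B,TCP 192.168.1.57:445,WS-FINANCE-01
2020-02-19 10:09:02,SMB/Exploit.DoublePulsar.B,TCP 203.0.113.9:445,WS-RECEPTION
'@ | ConvertFrom-Csv

# RFC 1918 ranges: a source in one of these is a machine on your own network.
function Test-PrivateIPv4 {
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

# Pull the first IPv4 address out of the Object field, whatever surrounds it.
function Get-SourceIP {
    param([string]$Object)
    if ($Object -match '(\d{1,3}\.){3}\d{1,3}') { return $Matches[0] }
}

$detections |
    Select-Object *, @{ Name = 'SourceIP'; Expression = { Get-SourceIP $_.Object } } |
    Where-Object { $_.SourceIP } |
    Group-Object SourceIP |
    ForEach-Object {
        [pscustomobject]@{
            SourceIP = $_.Name
            Internal = Test-PrivateIPv4 $_.Name
            Hits     = $_.Count
            # Distinct protected clients that raised the alert for this source.
            Targets  = ($_.Group.Computer | Sort-Object -Unique) -join ', '
        }
    } |
    Sort-Object Hits -Descending |
    Format-Table -AutoSize
```

Read the result the way the replies suggest: an internal source with many hits across several targets is the unprotected machine to isolate and bring under management; an external source means TCP 445 is reachable from outside and the firewall rules need attention before anything else.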

  • Most Valued Members

It depends if the attack is coming from outside or inside the network. From outside, you should look at the firewall rules that protect your machines; you should harden them up. From inside, that means one of the computers is infected and trying to spread through SMB. If you don't use SMB, it's better to remove it, especially SMB 1, as said by Microsoft.

https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858

Send your regards from Monaco to the NSA for their malware :D

Quote


DoublePulsar is a backdoor implant tool developed by the U.S. National Security Agency's (NSA) Equation Group that was leaked by The Shadow Brokers in early 2017.[3] The tool infected more than 200,000 Microsoft Windows computers in only a few weeks,[4][5][3][6][7] and was used alongside EternalBlue in the May 2017 WannaCry ransomware attack.[8][9][10] A variant of DoublePulsar was first seen in the wild in March 2016, as discovered by Symantec.[11]

Sean Dillon, senior analyst of security company RiskSense Inc., first dissected and inspected DoublePulsar.[12][13] He said that the NSA exploits are "10 times worse" than the Heartbleed security bug, and use DoublePulsar as the primary payload. DoublePulsar runs in kernel mode, which grants cybercriminals a high level of control over the computer system.[5] Once installed, it uses three commands: ping, kill, and exec, the latter of which can be used to load malware onto the system.[12]

Edited by Nightowl

DoublePulsar is a secondary infection on devices that are vulnerable to the EternalBlue exploit. The only real mitigation other than disabling SMBv1 protocol on all network devices is to ensure all devices have been patched via application of the Windows Update for this vulnerability:

Ref.: https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010

Do note that this update dates to 2017.

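The last two replies name the two host-side mitigations: switch off SMBv1 and make sure the MS17-010 update is installed. The script below is an added example, not code from the thread, ESET or Microsoft; it audits one Windows host for both and offers to disable SMBv1. It assumes an elevated PowerShell prompt on a Windows 8.1/10-class client (the SmbShare cmdlets and the SMB1Protocol optional feature), and the KB list is a placeholder you fill in from the MS17-010 bulletin linked above, because the KB number differs per Windows release and the thread does not give one.

```powershell
# Added example (not from the thread): audit one host for the two mitigations
# named in the replies, then optionally turn SMBv1 off. Run elevated.

# Placeholder: fill in the KB numbers for this Windows release from
# https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010
$Ms17010Kbs = @('KB<fill-in-from-bulletin>')

function Get-Smb1Status {
    # Server side: does this host still accept the SMB1 dialect?
    $server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # Component side: is the SMB1 feature installed at all?
    # (Assumes a client edition; on Server use Get-WindowsFeature FS-SMB1.)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1ServerEnabled = $server
        Smb1FeatureState  = if ($feature) { $feature.State } else { 'n/a' }
    }
}

function Test-Ms17010Installed {
    param([string[]]$KbIds)
    $installed = (Get-HotFix).HotFixID
    foreach ($kb in $KbIds) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

$smb = Get-Smb1Status
"SMB1 server dialect enabled : $($smb.Smb1ServerEnabled)"
"SMB1 optional feature state : $($smb.Smb1FeatureState)"
"MS17-010 update present     : $(Test-Ms17010Installed $Ms17010Kbs)"

# Remediation: only after confirming nothing on the network still needs SMB1
# (old NAS units, printers, scanners). -Confirm stops it running unattended.
if ($smb.Smb1ServerEnabled) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Confirm
}
```

One caveat on the patch check: on Windows 10 the fix ships in cumulative updates, and a later cumulative update supersedes the original, so Get-HotFix may not list the exact KB even though the host is patched. Where that applies, compare the OS build number against the bulletin instead, or rely on the disabled SMB1 dialect as the mitigation you can verify directly.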