ThomasMC

SMB/Exploit.DoublePulsar.B


Hi

I'm running the new package ESET Cloud and my customer's computers are infected by SMB/Exploit.DoublePulsar.B.

In the Cloud Administrator, I can see the list of detections and the proxy generated by the trojan has the blocked status but remains unresolved.

What should I do now, and how?

2020-02-19_102255.jpg


Unfortunately not all data is visible. The best would be if you could collect logs with ESET Log Collector from the machine in question and upload the generated archive here.

If the source IP address is not internal, then it's most likely an actual attack from that IP address. Solution: make sure that your computers are fully patched and all critical Windows updates are installed. If they are behind a router or firewall, the firewall should be configured to allow only desired communication from outside.

How many machines do you have in the network?


Hi ThomasMC,

Based on my experience, the best way to solve the DoublePulsar problem is to identify the source computer and then install ESET on it as well.

DoublePulsar scans the network and tries to find further unprotected computers. This scanning causes a lot of warning messages from the properly protected clients, from time to time and again and again from each of them.

So do not look for the problem on the clients listed in your screenshot; check the "OBJECT" column for the source IP and try to identify the unprotected computer.

I hope I helped.

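Both replies above come down to the same triage step: read the source IP out of each detection and decide whether it is an internal machine (one unprotected host scanning its neighbours, to be found and cleaned) or a public address (an attack from outside, to be closed at the perimeter). The PowerShell below is an added illustration of that step; it is not code from any post in this thread and not part of ESET's tooling. It assumes a detections export with Time, Computer, Detection, Object and Action columns and an Object column shaped like "TCP src:port -> dst:port"; both the column names and that shape are assumptions, and the four rows are constructed sample data.

```powershell
# Added example (not from the thread). Groups DoublePulsar detections by the source IP
# found in the Object column and flags whether each source is an RFC 1918 address.

# Constructed sample export; real column names and Object format may differ.
$sampleExport = @'
Time,Computer,Detection,Object,Action
2020-02-19 10:12:01,WS-01,SMB/Exploit.DoublePulsar.B,TCP 192.168.1.57:49211 -> 192.168.1.21:445,Blocked
2020-02-19 10:12:03,WS-02,SMB/Exploit.DoublePulsar.B,TCP 192.168.1.57:49212 -> 192.168.1.22:445,Blocked
2020-02-19 10:12:05,WS-03,SMB/Exploit.DoublePulsar.B,TCP 192.168.1.57:49214 -> 192.168.1.23:445,Blocked
2020-02-19 10:40:18,WS-01,SMB/Exploit.DoublePulsar.B,TCP 203.0.113.45:51002 -> 192.168.1.21:445,Blocked
'@

function Test-PrivateIPv4 {
    # True for 10/8, 172.16/12 and 192.168/16 (the usual internal ranges)
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return (($b[0] -eq 10) -or
            ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
            ($b[0] -eq 192 -and $b[1] -eq 168))
}

function Get-DoublePulsarSources {
    param([string]$Csv)
    $Csv | ConvertFrom-Csv |
      Where-Object { $_.Detection -like 'SMB/Exploit.DoublePulsar*' } |
      ForEach-Object {
        # First "ip:port" in the Object column is the source of the connection (assumed layout)
        if ($_.Object -match '(\d{1,3}(?:\.\d{1,3}){3}):\d+') {
            [pscustomobject]@{ Source = $Matches[1]; Target = $_.Computer; Time = $_.Time }
        }
      } |
      Group-Object Source |
      ForEach-Object {
        [pscustomobject]@{
            SourceIP   = $_.Name
            Internal   = Test-PrivateIPv4 $_.Name
            Hits       = $_.Count
            TargetsHit = ($_.Group.Target | Sort-Object -Unique) -join ','
            FirstSeen  = @($_.Group.Time | Sort-Object)[0]   # @() so a single value is not indexed as a string
        }
      } | Sort-Object Hits -Descending
}

Get-DoublePulsarSources -Csv $sampleExport | Format-Table -AutoSize
# For an internal source, map the IP to a host next, e.g. Resolve-DnsName -Name 192.168.1.57 -Type PTR
# or the DHCP lease table, then check whether that machine has ESET installed.
```

On the constructed data this reports 192.168.1.57 as internal with three hits against three different protected clients (the unprotected scanner the second reply describes) and 203.0.113.45 as a public address with one hit (the outside-attack case from the first reply).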

It depends whether the attack is coming from outside or inside the network. From outside, you should look at the firewall rules that protect your machines and harden them up. From inside, that means one of the computers is infected and trying to spread through SMB. If you don't use SMB, it's better to remove it, especially SMB 1, as said by Microsoft.

https://techcommunity.microsoft.com/t5/storage-at-microsoft/stop-using-smb1/ba-p/425858

Send your regards from Monaco to the NSA for their malware :D
Quote:

DoublePulsar is a backdoor implant tool developed by the U.S. National Security Agency's (NSA) Equation Group that was leaked by The Shadow Brokers in early 2017.[3] The tool infected more than 200,000 Microsoft Windows computers in only a few weeks,[4][5][3][6][7] and was used alongside EternalBlue in the May 2017 WannaCry ransomware attack.[8][9][10] A variant of DoublePulsar was first seen in the wild in March 2016, as discovered by Symantec.[11]

Sean Dillon, senior analyst of security company RiskSense Inc., first dissected and inspected DoublePulsar.[12][13] He said that the NSA exploits are "10 times worse" than the Heartbleed security bug, and use DoublePulsar as the primary payload. DoublePulsar runs in kernel mode, which grants cybercriminals a high level of control over the computer system.[5] Once installed, it uses three commands: ping, kill, and exec, the latter of which can be used to load malware onto the system.[12]

Edited by Nightowl


DoublePulsar is a secondary infection on devices that are vulnerable to the EternalBlue exploit. The only real mitigation, other than disabling the SMBv1 protocol on all network devices, is to ensure all devices have been patched by applying the Windows update for this vulnerability:

Ref.: https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010

Do note that this update dates to 2017.

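The two fixes recommended in this thread (remove SMB1, as in the post linking Microsoft's "stop using SMB1" article, and confirm MS17-010 is applied, as in the post above) plus the perimeter point from the earlier replies can be checked and applied per host with the PowerShell below. It is an added example, not code from the thread, from ESET or from Microsoft. It assumes Windows 8.1/10 or Server 2012 R2 and later for the Smb* and NetSecurity cmdlets, with the documented LanmanServer registry value as the Windows 7 / 2008 R2 fallback. The KB list is the set of March 2017 MS17-010 update IDs as I recall them from the bulletin and is an assumption to confirm for your builds; Get-HotFix will also not list them on machines whose later cumulative updates superseded them, so an empty result is not proof of exposure, which is why the srv.sys version is printed for comparison with the bulletin's file tables.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the host being checked.

function Get-Smb1State {
    # Is the SMB1 server side enabled on this host?
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / 2008 R2: LanmanServer "SMB1" value; absent means enabled (the default)
    $v = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                          -Name SMB1 -ErrorAction SilentlyContinue
    return (($null -eq $v) -or ($v.SMB1 -ne 0))
}

function Get-Ms17010Evidence {
    # March 2017 MS17-010 update IDs (assumed list; verify against the bulletin for your OS build)
    $kbs = 'KB4012212','KB4012215','KB4012213','KB4012216','KB4012214','KB4012217',
           'KB4012598','KB4012606','KB4013198','KB4013429'
    $found = Get-HotFix -Id $kbs -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    # srv.sys is the SMB server driver MS17-010 replaces; compare with the bulletin's file versions
    $srv = (Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue).VersionInfo.FileVersion
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        Ms17010KBsFound = ($found -join ',')
        SrvSysVersion   = $srv
        Smb1Enabled     = Get-Smb1State
    }
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Windows 7 / 2008 R2 documented switch; takes effect after a reboot
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                         -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Remove the SMB1 component itself where the OS ships it as a feature (reboot completes removal)
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    }
    if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
        Uninstall-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue | Out-Null
    }
}

function Block-InboundSmbOnPublic {
    # Host-firewall backstop: no inbound SMB at all on the Public profile. The perimeter
    # router/firewall should additionally never forward TCP 445 in from the Internet.
    $name = 'Block inbound SMB (Public profile)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP -LocalPort 445 `
                            -Profile Public -Action Block | Out-Null
    }
}

$before = Get-Ms17010Evidence
$before | Format-List
if ($before.Smb1Enabled) { Disable-Smb1 }
Block-InboundSmbOnPublic
Get-Ms17010Evidence | Format-List    # Smb1Enabled should now read False
```

Run the evidence function first on the host identified as the source by the OBJECT-column triage: a machine that still has SMB1 enabled and no MS17-010 hotfix is the one to patch, clean and enrol in ESET, and the firewall rule only protects the other hosts from it, it does not disinfect it.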
