'Beautiful' NSA hacking tool DoublePulsar infects almost 200,000 Windows PCs

Security researchers' scans reveal hundreds of thousands of PCs already compromised - and infections rising by tens of thousands every day

Tools supposedly developed by the US National Security Agency (NSA) leaked early this month by the Shadow Brokers hacking group are being used in attacks on Windows PCs.

The tools, released on the open-source developer website GitHub, have been eagerly scooped up by malware writers of varying levels of competence and distributed via phishing emails across the internet.

And researchers at Swiss security company Binary Edge claim to have found 183,107 compromised PCs connected to the internet after conducting a scan for the DoublePulsar malware. Binary Edge has run the scan every day for the past four days, and the number of infected PCs has increased dramatically with each scan, according to the company.

DoublePulsar infections worldwide

Date                 Infected PCs
Monday 24 April           183,107
Sunday 23 April           164,715
Saturday 22 April         116,074
Friday 21 April           106,410

Source: Binary Edge

The company's scans indicate that the US, in particular, has been targeted, with almost 70,000 infections, followed by China and Hong Kong, Taiwan, Russia and the UK, where it found around 2,500 infected PCs.

Scans by other security research groups have also revealed widespread infections of PCs worldwide with the DoublePulsar malware, which is believed to have been coded by the NSA and released by Shadow Brokers.

Binary Edge described the malware as "beautifully designed" and suggested that it could have been used by a variety of actors, not just the NSA.

The malware has also been analysed in detail by another group of security researchers, called Countercept.

"While there is a lot of interesting content [in the Shadow Brokers tool dump], one particular component that attracted our attention initially was the DoublePulsar payload," wrote Countercept in a research posting.

It continued: "This is because it seems to be a very stealthy kernel-mode payload that is the default payload for many exploits.

"Additionally, it can then be used to inject arbitrary DLLs into user land processes. We have also identified a potentially useful memory signature to detect whether this technique has been used on hosts that have not been rebooted since."
