Hacking tools were stolen from NSA - Almost all Windows affected

Update: April 15, 2017
Late Friday night, Microsoft published a blog post stating that after an analysis of the ShadowBrokers leak, it had determined that most of the vulnerabilities were patched in a series of Windows updates released in March — updates that security researchers who analyzed the NSA tools apparently neglected to install. This means the exploits in question were not in fact “zero days” and that anyone running the most recent updates on software still supported by Microsoft is safe from the ShadowBrokers arsenal. But the timing of the patch in question is interesting: If Microsoft truly did not receive any help from the NSA, as it claims, the fact that it fixed a litany of holes vulnerable to secret NSA tools exactly a month before those tools were made public is an amazingly fortunate coincidence (curiously, Microsoft skipped the usual acknowledgements section with the patch, which typically nods to how they were informed of the threats fixed in a given update). At any rate, this is certainly good news for Windows users who keep their computers up to date, good news for Microsoft, and still very bad news for the NSA.

Leaked NSA Malware Threatens Windows Users Around the World
.

10,000 Windows computers may be infected by advanced NSA backdoor | Ars Technica

Security experts believe that tens of thousands of Windows computers may have been infected by a highly advanced National Security Agency backdoor. The NSA backdoor was included in last week's leak by the mysterious group known as Shadow Brokers.

DoublePulsar, as the NSA implant is code-named, was detected on more than 107,000 computers in one Internet scan. That scan was performed over the past few days by researchers from Binary Edge, a security firm headquartered in Switzerland. Binary Edge has more here. Separate mass scans, one done by Errata Security CEO Rob Graham and another by researchers from Below0day, detected roughly 41,000 and 30,000 infected machines, respectively. To remain stealthy, DoublePulsar doesn't write any files to the computers it infects. This design prevents it from persisting after an infected machine is rebooted. The lack of persistence may be one explanation for the widely differing results.

Not everyone is convinced the results are accurate. Even 30,000 infections sounds extremely high for an implant belonging to the NSA, a highly secretive agency that almost always prefers to abort a mission over risking it being detected. Critics speculate that a bug in a widely used detection script is generating false positives. Over the past 24 hours—as additional scans have continued to detect between 30,000 and 60,000 infections—a new theory has emerged: copycat hackers downloaded the DoublePulsar binary released by Shadow Brokers. The copycats then used it to infect unpatched Windows computers.

In a statement issued several hours after this post went live, Microsoft officials wrote: "We doubt the accuracy of the reports and are investigating." For the moment, readers should consider the results of these scans tentative and allow for the possibility that false positives are exaggerating the number of real-world infections. At the same time, people should know that there's growing consensus that from 30,000 to 107,000 Windows machines may be infected by DoublePulsar. Once hijacked, those computers may be open to other attacks.

Thanks for the update simrick.

have read about it on Softpedia today. ARS is missing this statement, which is important from my point of view...

Vulnerability patched in March
The worst thing is that the vulnerability that hackers are trying to exploit was already patched by Microsoft in March this year with MS17-010, so this means that systems that got compromised weren’t actually running this update.
The patch is aimed at systems running Windows Vista SP2 and newer, so users on Windows XP can be easily infected, with no way to deploy the patch because support is no longer provided. Everyone else needs to deploy the patch as soon as possible.

AndreTen said:

Thanks for the update simrick.

have read about it on Softpedia today. ARS is missing this statement, which is important from my point of view..

Vulnerability patched in March
The worst thing is that the vulnerability that hackers are trying to exploit was already patched by Microsoft in March this year with MS17-010, so this means that systems that got compromised weren’t actually running this update.
The patch is aimed at systems running Windows Vista SP2 and newer, so users on Windows XP can be easily infected, with no way to deploy the patch because support is no longer provided. Everyone else needs to deploy the patch as soon as possible.

Yes - very important!

its a dastardly plot by MS to make you all buy new pc's

elbmek said:

its a dastardly plot by MS to make you all buy new pc's

simrick, you think his paranoia's showing?

CWGilley said:

simrick, you think his paranoia's showing?

My paranoia is on the first Black Sabbath album.