Leaked NSA backdoor spreads throughout the world

Exploit code infects tens of thousands of systems.

Malicious code leaked by the Shadow Brokers that is believed to come from a hacking group linked to the NSA has been found in tens of thousands of systems worldwide.

The code, DOUBLEPULSAR, is installed using the ETERNALBLUE exploit developed by the NSA-linked Equation Group.

It works against Microsoft's Server Message Block (SMB) file sharing protocol version 1, which is found in older versions of Windows such as XP and Server 2008 R2.

DOUBLEPULSAR functions as a backdoor into compromised systems and allows attackers to inject dynamic link library (DLL) binary files of their choice into vulnerable hosts.

While Microsoft has issued a patch for ETERNALBLUE and other SMB v1 vulnerabilities, attackers appear to have found and infected thousands of systems that have not been updated and which expose the file sharing protocol to the internet.

Chief executive of security vendor Phobos Group, Dan Tentler, is running a scan using a Metasploit module with detection for DOUBLEPULSAR.

After scanning close to 1.5 million hosts for almost 80 hours, Tentler told iTnews he had found over 42,000 infected systems. He noted that the infection rate on continued scanning stayed at around 2.85 percent.

Based on that infection rate, Tentler extrapolated that of the more than five million hosts to scan, around 140,000 would be infected.

He said the infection appears to be climbing towards three percent.

Security vendor BinaryEdge is running its own scan and arrived at an even higher figure of more than 160,000 DOUBLEPULSAR-infected systems.

DOUBLEPULSAR infections are found worldwide, security vendor Below0Day noted.

Copyright © iTnews.com.au . All rights reserved.