The hacker group known as the Shadow Brokers recently made public a series of tools used by the NSA to take control of users' computers. These tools work by exploiting multiple vulnerabilities in Windows systems that were unknown until then. One of the most dangerous pieces of malware in the dump, DoublePulsar, can be used to connect remotely to any PC.
DoublePulsar is a backdoor that exploited a vulnerability in the Windows SMB protocol and could allow the NSA to connect remotely to any computer in order to gather information. As soon as the vulnerability became known, Microsoft released a security patch for its operating systems (from Windows Vista to Windows 10) to prevent this vulnerability from being exploited again. However, the patch does not remove an already-installed DoublePulsar backdoor, which is still present on thousands of computers worldwide.
A couple of days ago a script called doublepulsar-detection-script was published on GitHub; as the name implies, it detects this NSA backdoor and removes it from computers, stopping the government agency from continuing to use it.
Remove DoublePulsar malware with doublepulsar-detection-script
The doublepulsar-detection-script tool is a script written in Python that lets us detect and remove this malware from our computer easily. The script is open source and everything necessary for its operation can be found at the following link.
This tool should be run from another computer on the same network. Since DoublePulsar is a backdoor that answers over the network, probing it from a second machine is the best way to detect and eliminate it. The ideal setup is to boot a separate operating system such as Kali Linux and fetch everything needed to run the tool from the GitHub repository.
Once our Kali system (or any other, the only requirement being that Python is installed) is ready with the repository, we can run the tool. To do this we execute the following from a terminal (replacing the IP address with our own):
python detect_doublepulsar_smb.py --ip 192.168.1.1
If the tool does not detect a threat on our system we have nothing to worry about. However, if the NSA backdoor is present on our computer the program will return a message like the following.
DOUBLEPULSAR SMB IMPLANT DETECTED !!!
In that case, the next step is to identify the threat, and for that we type the following in the terminal.
python detect_doublepulsar_rdp.py --file ips.list --verbose --threads 1
After a few seconds the threat will be identified; the last step is then to remove DoublePulsar with the following command.
python2 detect_doublepulsar_smb.py --ip 192.168.1.1 --uninstall
Once the backdoor has been removed our system will no longer be under the control of the NSA. However, we must remember to install the latest Windows security patches to close this vulnerability and prevent the machine from being infected with DoublePulsar again.
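The "DOUBLEPULSAR SMB IMPLANT DETECTED" message above comes from one signal: the script sends an SMB Trans2 SESSION_SETUP probe, and a clean host echoes back the Multiplex ID it sent (0x41), whereas the implant answers with 0x51. As an added example that is not the repository's own code, the following Python parses such a raw SMB-over-NetBIOS response and classifies it; the sample packets are constructed inline rather than captured from a live host.

```python
import struct

# SMB1 over the NetBIOS session service: 4-byte length prefix, then a 32-byte SMB header.
NBSS_HDR_LEN = 4
SMB_HDR_LEN = 32
SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32

# Multiplex ID values: a clean host echoes the probe's MID (0x41);
# the DoublePulsar implant replies with 0x51 instead.
MID_CLEAN = 0x41
MID_IMPLANT = 0x51


def parse_smb_header(packet: bytes) -> dict:
    """Parse the NetBIOS length prefix and the fixed SMB1 header fields."""
    if len(packet) < NBSS_HDR_LEN + SMB_HDR_LEN:
        raise ValueError("packet too short for an SMB header")
    nbss_len = struct.unpack(">I", packet[:4])[0] & 0x00FFFFFF  # low 24 bits carry the length
    hdr = packet[NBSS_HDR_LEN:NBSS_HDR_LEN + SMB_HDR_LEN]
    if hdr[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    command, status, flags, flags2 = struct.unpack("<BIBH", hdr[4:12])
    tid, pid, uid, mid = struct.unpack("<HHHH", hdr[24:32])  # skip PIDHigh, signature, reserved
    return {"nbss_len": nbss_len, "command": command, "status": status,
            "flags": flags, "flags2": flags2, "tid": tid, "pid": pid, "uid": uid, "mid": mid}


def classify_trans2_response(packet: bytes) -> str:
    """Classify the reply to a Trans2 probe as 'implant', 'clean' or 'unknown'."""
    hdr = parse_smb_header(packet)
    if hdr["command"] != SMB_COM_TRANSACTION2:
        return "unknown"  # not a reply to the probe we sent
    if hdr["mid"] == MID_IMPLANT:
        return "implant"
    if hdr["mid"] == MID_CLEAN:
        return "clean"
    return "unknown"


def build_sample_response(mid: int) -> bytes:
    """Constructed sample (not a real capture): minimal Trans2 reply with the given MID."""
    hdr = SMB_MAGIC + struct.pack("<BIBH", SMB_COM_TRANSACTION2, 0, 0x88, 0xC007)
    hdr += b"\x00\x00" + b"\x00" * 8 + b"\x00\x00"  # PIDHigh, signature, reserved
    hdr += struct.pack("<HHHH", 0x0800, 0xFEFF, 0x0008, mid)
    body = b"\x00\x00\x00"  # WordCount = 0, ByteCount = 0 (empty reply body)
    return struct.pack(">I", len(hdr) + len(body)) + hdr + body


if __name__ == "__main__":
    for name, mid in (("clean host", MID_CLEAN), ("implanted host", MID_IMPLANT)):
        print(name, "->", classify_trans2_response(build_sample_response(mid)))
```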