More Shadow Brokers fallout: DoublePulsar zero-day infects scores of Windows PCs


Ten days ago, the group known as Shadow Brokers released a , apparently developed by the NSA. After an initial period of dire predictions that the Windows sky was falling, Microsoft reassured us that released back in March.

Yesterday, a report released by says that more than 5 million machines are exposed, of which 56,000 are infected by the DoublePulsar malware, although reports that Microsoft is skeptical of the numbers.

DoublePulsar gets in through a Shadow Brokers-leaked program called EternalBlue, and it works much like a backdoor, acting as a stepping stone to further exploits. At this point you should be concerned about all of the Shadow Brokers trove, but DoublePulsar has the potential to infect a lot of machines in very short order. Right now, it’s infecting Windows machines that don’t have MS17-010 installed, but are open to internet traffic through port 445.

It’s important to realize that you don’t have to do a thing in order to get infected. If you’re running Windows and haven’t installed MS17-010 and your machine can be accessed through port 445, you’re a sitting duck.

.  Type 445 in the Input box, then click User Specified Custom Port Probe. If the scan comes up Stealth or Closed, you’re not vulnerable to being infected directly from the internet.

That doesn’t give you a clean bill of health. Even if your machine is isolated from direct infection from the internet, there’s also a possibility that a subverted machine inside your network could pass its infection on to you. (Details from on the AskWoody Lounge).

Whether port 445 is open or not, you should take steps right now to get MS17-010 installed on your Windows machines. The folks at :

This is the most important patch for Windows in almost a decade, as it fixes several remote vulnerabilities for which there are now public exploits (EternalBlue, EternalRomance, and EternalSynergy). These are highly complex exploits…. [The Shadow Brokers leaked] framework essentially makes the [infection] process as easy as point and shoot.

Not sure if you’re caught up? Here’s how to check.

is wrong.)

  • If you have version 1511, you need to be on Build 105867.839 or later.
  • If you have Build 10240 (commonly called version 1507, but Microsoft didn’t figure out the naming until later), you need to be on Build 10240.17319 or later.
  • In all cases for Win10, if you aren’t up to those build numbers, you need to install the latest cumulative update. Follow to get your build number up to snuff, but don’t be tempted to install anything else at this point.

For Win7: Right-click Start > Control Panel > Windows Update > View installed updates. You should have one of these listed:

  • KB 4012212, the March Security-Only patch
  • KB 4012215, the March Monthly Rollup (Group A) patch
  • KB 4015549, the April Monthly Rollup, which includes the March Monthly Rollup patch for MS17-010

If you don’t have any of those listed, at a very minimum, you should download and install KB 4012212. Don’t worry about Group A or Group B at this point. Installing KB 4012212 will protect you without committing your system to either Group A or Group B. There’s a full description at PKCano’s , but if you only want the download links, look at this line:

Mar 2017 KB 4012212 – Download or

Similarly, for Win 8.1, look for these installed updates:

  • KB 4012213, the March Security-Only (Group B) patch
  • KB 4012216, the March Monthly Rollup (Group A) patch
  • KB 4015550, the April Monthly Rollup, which incorporates the March Monthly Rollup MS17-010 fixes

If you don’t have any of those, look at PKCano’s list:

Mar 2017 KB 4012213 – Download or

That’s what you need to do right now, to protect yourself from the NSA’s swirling storm. Even if you don’t install Windows 7 or 8.1 patches any more, or you’re having problems getting Windows 10 updated, you need to get MS17-010 on your system.
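If you would rather have a script do the build-number and installed-update checks above, here is an added PowerShell example; it is not code from the original post or from AskWoody. It assumes the post’s “105867.839” for version 1511 is a typo for 10586.839 (version 1511 is build 10586), reads the build and revision from the CurrentVersion registry key, and only knows the KB numbers listed above, so a later rollup that supersedes them would show here as “none installed” and should be checked by hand.

```powershell
# Added example (not from the original post): report whether this PC carries the
# MS17-010 protection described above, using the KB numbers and Windows 10 build
# thresholds the post lists. Run from an elevated PowerShell prompt.

function Get-Ms17010Status {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuild
    $ubr   = 0
    if ($null -ne $cv.UBR) { $ubr = [int]$cv.UBR }   # UBR (revision) exists on Win10 only

    switch ($build) {
        10586 {   # Windows 10 version 1511; assumes the post's "105867.839" means 10586.839
            return [pscustomobject]@{ OS = 'Win10 1511'; Build = "$($build).$($ubr)"
                                      Protected = ($ubr -ge 839); Detail = 'need 10586.839 or later' }
        }
        10240 {   # Windows 10 version 1507
            return [pscustomobject]@{ OS = 'Win10 1507'; Build = "$($build).$($ubr)"
                                      Protected = ($ubr -ge 17319); Detail = 'need 10240.17319 or later' }
        }
    }

    # Windows 7 SP1 (build 7601) and Windows 8.1 (build 9600): look for the KBs the post lists.
    $wanted = @(switch ($build) {
        7601 { 'KB4012212', 'KB4012215', 'KB4015549' }
        9600 { 'KB4012213', 'KB4012216', 'KB4015550' }
    })
    if ($wanted.Count -eq 0) {
        return [pscustomobject]@{ OS = "build $build"; Build = $build; Protected = $null
                                  Detail = 'not covered by the thresholds in the post; check manually' }
    }

    # Get-HotFix only reports the KBs actually installed, not ones superseded by a later rollup.
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    $found     = @($wanted | Where-Object { $installed -contains $_ })
    [pscustomobject]@{
        OS        = if ($build -eq 7601) { 'Win7' } else { 'Win8.1' }
        Build     = $build
        Protected = ($found.Count -gt 0)
        Detail    = if ($found.Count -gt 0) { "found $($found -join ', ')" } else { "none of $($wanted -join ', ') installed" }
    }
}

Get-Ms17010Status | Format-List
```

A `Protected` value of `$null` means the machine is on a build the post gives no threshold for, not that it is safe.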

Discussion continues on the .