[Tutorial] Check your PC if NSA infected you (Doublepulsar)

Discussion in 'Chit Chat' started by CHEF-KOCH, Apr 26, 2017.

  1. CHEF-KOCH

    CHEF-KOCH MDL Addicted

    Jan 7, 2008
    937
    884
    30
    #1 CHEF-KOCH, Apr 26, 2017
    Last edited: Apr 26, 2017
    Hello in this tutorial I want to show you guys how to check your PC against the DoublePulsar infection. MS already released one KB which prevents the PC from a new infection but it not checks if you're already infected - this is now where this tutorial can kick-in.

    Requirements
    :
    • Python (does not work with 3.x you need 2.7)
    • Scripts
    • Windows 10 (Win 8 and lower aren't tested), see this and this.

    Step by Step:
    • After you download Python install it in e.g. c:\.
    • Download the script (on GitHub -> right corner 'download zip' file) and extract it to e.g. c:\. To make it a little bit easier for people which aren't familiar with cmd/powershell just copy and past the 'detect_doublepulsar_rdp.py' and detect_doublepulsar_smb.py into the phython dir.
    • Now open the powershell in the dir e.g. PS C:\Python27/> ... when you not like to work with powershell just type in cmd in the powershell window and you can work not in cmd.
    [​IMG]
    [​IMG]

    Code:
    c:\python27> python.exe detect_doublepulsar_smb.py --ip 192.168.111.8 
    This is what we call, the IP is our target we want to scan, your own PC. When you're not infected you get something like this as return.

    Code:
    [ - ] [192.168.111.8] No presence of DOUBLEPULSAR SMB implant. 
    When you're infect you see DETECTED.

    Code:
    [+] [192.168.111.8] DOUBLEPULSAR SMB IMPLANT DETECTED!!!
    In this case you can reinstall your OS. Theoretically you still could try to close the ports and remove leftovers - the script also comes with an basic uninstall function. But you should consider to reinstall the OS since you could be a target already.

    Difference between the two scripts?

    SMB is for Server Message Block (port 445) [most people need this to check their PC] and RDP is for Remote Desktop Protocol (Port 3389) -> use this script in case if you're on a server.
     
  2. Mr.X

    Mr.X MDL Guru

    Jul 14, 2013
    5,857
    13,402
    180
    On Win 8.1

    doublepulsar.png

    grrrrr... :mad: :p
     
  3. CHEF-KOCH

    CHEF-KOCH MDL Addicted

    Jan 7, 2008
    937
    884
    30
    #3 CHEF-KOCH, Apr 26, 2017
    Last edited: Apr 26, 2017
    (OP)
    Already reported. The script got yesterday a remote uninstall function, I corrected OP to mention this.