SMB Server DOUBLEPULSAR Backdoor / Implant Detection (EternalRocks)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

A backdoor exists on the remote Windows host.

Description :

Nessus detected the presence of DOUBLEPULSAR on the remote Windows
host. DOUBLEPULSAR is one of several Equation Group SMB implants and
backdoors released on 2017/04/14 by the group known as the Shadow
Brokers. The implant is a memory-resident kernel backdoor that hooks
the SMBv1 service; it allows an unauthenticated, remote attacker to use
SMB as a covert channel to exfiltrate data, launch remote commands, or
execute arbitrary code. A host answering the implant's SMB probe must
be treated as compromised, not merely as unpatched.

EternalRocks is a worm that propagates through DOUBLEPULSAR: it uses the
leaked Shadow Brokers SMB exploits to plant the implant on a new host and
then drives the implant to install itself there.
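How a scanner tells a DOUBLEPULSAR-backdoored SMBv1 server from a clean one, as an added example that is neither Tenable's plugin code nor the countercept script: the implant hooks the SMBv1 Trans2 SESSION_SETUP subcommand (0x000E), which a clean server simply rejects, and answers with the request's Multiplex ID raised by 0x10 (0x41 sent, 0x51 returned), leaking its per-host XOR key in the otherwise unused signature field. The XOR-key derivation is the one published in the countercept script linked under "See also"; the request builder's field values (tid/uid/pid, the 12-byte parameter block, the Timeout argument that carries the implant opcode) and the sample replies are this example's own constructions, not captured traffic.

```python
"""Build the SMBv1 Trans2 SESSION_SETUP probe and classify the reply.

Added example (not Tenable plugin 99439 or the countercept script).
A live check must first complete SMB negotiate, session setup and a tree
connect to IPC$ to obtain a valid UID/TID; those exchanges are omitted.
"""
import struct

SMB_COM_TRANSACTION2 = 0x32
TRANS2_SESSION_SETUP = 0x000E
PROBE_MID = 0x41            # Multiplex ID sent in the probe
INFECTED_MID = PROBE_MID + 0x10   # 0x51: the implant adds 0x10 to the MID
SMB_HEADER_FMT = "<4sBIBHH8sHHHHH"  # 32-byte SMBv1 header


def build_trans2_session_setup(tid, uid, pid=0xFEFF, mid=PROBE_MID, timeout=0):
    """NetBIOS-framed SMB_COM_TRANSACTION2 request, subcommand SESSION_SETUP.

    `timeout` is the Trans2 Timeout field, which DOUBLEPULSAR reads as its
    opcode; the caller supplies the value used by the published probes.
    """
    header = struct.pack(SMB_HEADER_FMT,
                         b"\xffSMB", SMB_COM_TRANSACTION2, 0,   # protocol, command, NT status
                         0x18, 0xC007, 0,                      # flags, flags2, PIDHigh
                         b"\x00" * 8, 0,                       # signature, reserved
                         tid, pid, uid, mid)
    # 15 parameter words: counts/offsets for a 12-byte parameter block at
    # offset 66 from the SMB header, no data, one setup word (SESSION_SETUP).
    words = struct.pack("<HHHHBBHIHHHHHBBH",
                        12, 0, 1, 0,            # TotalParam, TotalData, MaxParam, MaxData
                        0, 0, 0, timeout,       # MaxSetup, reserved, flags, Timeout
                        0, 12, 66, 0, 0,        # reserved, ParamCount, ParamOffset, DataCount, DataOffset
                        1, 0, TRANS2_SESSION_SETUP)
    byte_count = 13                             # 1 pad byte + 12 parameter bytes
    smb = header + bytes([15]) + words + struct.pack("<H", byte_count) + b"\x00" * 13
    return struct.pack(">I", len(smb)) + smb    # NetBIOS session message header


def doublepulsar_xor_key(s):
    """Derive the implant's XOR key from the 32-bit value it places in the
    signature field (formula from the countercept detection script)."""
    x = 2 * s ^ ((((s & 0xFF00) | (s << 16)) << 8) | (((s >> 16) | (s & 0xFF0000)) >> 8))
    return x & 0xFFFFFFFF


def classify_response(raw):
    """Return (verdict, xor_key) for a raw NetBIOS-framed SMB reply.

    'infected' when the MID came back as 0x51, 'clean' when it is the
    0x41 we sent, 'unknown' for anything that is not a Trans2 reply.
    """
    if len(raw) < 36 or raw[4:8] != b"\xffSMB":
        return "unknown", None
    smb = raw[4:]
    command, _status = struct.unpack_from("<BI", smb, 4)
    if command != SMB_COM_TRANSACTION2:
        return "unknown", None
    signature_dword, = struct.unpack_from("<I", smb, 14)   # first 4 signature bytes
    mid, = struct.unpack_from("<H", smb, 30)
    if mid == INFECTED_MID:
        return "infected", doublepulsar_xor_key(signature_dword)
    if mid == PROBE_MID:
        return "clean", None
    return "unknown", None


def make_sample_response(mid, signature_dword=0, status=0xC0000002):
    """Constructed sample reply (not captured traffic): a bare Trans2
    response header with the given MID and signature value."""
    header = struct.pack(SMB_HEADER_FMT,
                         b"\xffSMB", SMB_COM_TRANSACTION2, status,
                         0x98, 0xC007, 0,
                         struct.pack("<I", signature_dword) + b"\x00" * 4, 0,
                         0x0800, 0xFEFF, 0x0800, mid)
    smb = header + b"\x00" + struct.pack("<H", 0)   # WordCount 0, ByteCount 0
    return struct.pack(">I", len(smb)) + smb


if __name__ == "__main__":
    probe = build_trans2_session_setup(tid=0x0800, uid=0x0800)
    print("probe bytes:", probe.hex())
    for label, reply in (("backdoored", make_sample_response(0x51, 0x12345678)),
                         ("clean", make_sample_response(0x41))):
        verdict, key = classify_response(reply)
        print(f"{label:>10}: {verdict}", f"xor key 0x{key:08x}" if key else "")
```

The verdict rests on the Multiplex ID alone, which is why the check is safe to run against production hosts: it sends no exploit, only a Trans2 subcommand that a clean SMBv1 server answers with an error. A host that returns 0x51 should be isolated and imaged before any cleanup, since the implant is gone after a reboot but the evidence of how it got there is not.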

See also :

http://www.nessus.org/u?43ec89df
https://github.com/countercept/doublepulsar-detection-script
https://github.com/stamparm/EternalRocks/

Solution :

Treat the host as compromised. Remove the DOUBLEPULSAR backdoor / implant
(it is memory-resident and does not survive a reboot, but whatever was
deployed through it will), apply the vendor's SMBv1 patches (MS17-010),
and disable SMBv1. Investigate how the implant was planted before
returning the host to service.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Public Exploit Available : true

Family: Windows

Nessus Plugin ID: 99439

Bugtraq ID:

CVE ID:
