A few NSA tools were released by the shadowbrokers again last week.

In this toolkit an implant was present called doublepulsar. We're not gonna write much about doublepulsar as an excellent article has already been written about it by the countercept guys.

We decided to scan for this implant worldwide. To understand how we do this first we need to give a step back and explain how our platform works briefly.
If you only care about the numbers and not about the methodology, skip to the "doublepulsar numbers" section

Arstechnica has written an article about this you can read it here:

Platform and scanning

In a very simple manner, we have over 100 agents spread worldwide that can receive orders and have on them specific pieces of software that they can run.

These pieces of software is what we call modules. You can read mode about the modules we currently have here.

A module is essentially anything that can take as input a list of IP addresses and output data in json format. What this allows us is to deploy things pretty easily and use it on our scanning platform.

For the case of doublepulsar, we noticed a detection script had been released as seen on:

So to test for doublepulsar worldwide, all we had to was:

1 - modify the script to receive IP list
2 - modify the output to json format
3 - commit it to our internal module repo
4 - it automatically gets delivered to our scanning agents and then we just need to run a job request that looks a little something like this:

curl -Ns -L -d '{"type":"scan", "options":[{"worldscan": true, "ports":[{"port":445, "protocol":"tcp", "modules": ["doublepulsar"]}]}]}' -v -H 'X-Token: AUTH-TOKEN_GOES-HERE'

and automatically our platform will go check which agents are available and distribute the work amongst all of them and we start to see the data come in, in realtime.
Having a distributed platform means we don't hit same ranges and IPs sequentially. On our tests from beginning, this was the best format to reduce abuse requests and increase the quality of our findings.
We have also done a lot of optimizations in the way the IPs are distributed based on routing and geolocation to also optimize data quality.

Doublepulsar numbers

So after the scan finishes we get something like this:

[email protected]:/home/balgan/c66a7e8c-337a-481f-aa7a-ee0e5cef19fc# ls 17-04-21.1492778253847 17-04-21.1492781098147 17-04-21.1492782928113 17-04-21.1492784751733 17-04-21.1492786576105 17-04-21.1492788396078 17-04-21.1492790219796 17-04-21.1492792042367

inside each of these files is the data results. What our platform did for doublepulsar was:

1 - scan worldwide who has the port 445 open
2 - create a subset
3 - throw the detection script for double pulsar at that subset.

The final numbers we found for Doublepulsar are the following:

Total cumulative number of infections:

  • 106,410 - 21/04/2017
  • 116,074 - 22/04/2017
  • 164,715 - 23/04/2017
  • 183,107 - 24/04/2017
  • 243,894 - 25/07/2017
  • 344,881 - 26/04/2017
  • 428,827 - 27/04/2017 In more detail
The worldwide distribution looks as follows:
The top 10 of most infected countries looks like this:


Q - Am I infected by this?

A - Visit - If you need more information or would like to do mass testing across your organization please contact us on [email protected] we work with companies around the world that use us to monitor their perimeters.

Q - Does this mean the NSA infected 106,410 machines?

A - Probably not, this has been released for a while, the implant is beautifully designed and could have been used by other actors.

Q - Is your number right?

A - Multiple professionals have checked the detection script and agree it is well written and working well. We merely do the scanning and show the data of responses to that script.

Q - Should I panic?

A - Like any other infosec subject, panic doesnt help. Talk with the person responsible for security at your organizations.