https://arstechnica.com/security/201...otely-removed/

After Microsoft officials dismissed evidence that more than 10,000 Windows machines on the Internet were infected by a highly advanced National Security Agency backdoor, private researchers are stepping in to fill the void. The latest example of this open source self-help came on Tuesday with the release of a tool that can remotely uninstall the DoublePulsar implant.
Late on Friday afternoon, Microsoft officials issued a one-sentence statement saying that they doubted the accuracy of multiple Internet-wide scans that found anywhere from 30,000 to slightly more than 100,000 infected machines. The statement didn't provide any factual basis for the doubt, and officials have yet to respond on the record to requests on Tuesday for an update. Over the weekend, Below0day released the results of a scan that detected 56,586 infected Windows boxes, an 85-percent jump from the 30,626 infections the security firm found three days earlier.
Both numbers are at the conservative end of widely ranging results from scans independently carried out by other researchers over the past week. On Monday, Rendition Infosec published a blog post saying DoublePulsar infections were on the rise and that company researchers are confident the scan results accurately reflect real-world conditions. Rendition founder Jake Williams told Ars that the number of infected machines is "well over 120k, but that number is a floor."

On Tuesday, security firm Countercept released an update to the DoublePulsar detection script it published last week. It now allows people anywhere on the Internet to remotely uninstall the implant from any infected machine. Researcher Kevin Beaumont told Ars that detecting DoublePulsar involves sending a series of SMB (short for server message block) queries to Internet-facing computers. By modifying two bytes of the query, the same person can remove the infection from any computers that test positive. The script isn't the only way to clean compromised devices. As Ars reported last week, the ultra-stealthy DoublePulsar writes no files to the hard drives of computers it infects, a feature that causes it to be removed as soon as the computer restarts.