WannaCry ransomware stopped by domain kill switch

Royal
Posts: 10562
Joined: Mon Apr 11, 2011 5:55 pm

Re: WannaCry ransomware stopped by domain kill switch

Post by Royal » Sun May 14, 2017 12:32 am

Going to be looking more into this one tonight.

Pigeon
Posts: 18055
Joined: Thu Mar 31, 2011 3:00 pm

Re: WannaCry ransomware stopped by domain kill switch

Post by Pigeon » Sun May 14, 2017 12:37 am

wer g wea

to the tune of The Lion Sleeps Tonight

Royal
Posts: 10562
Joined: Mon Apr 11, 2011 5:55 pm

Re: WannaCry ransomware stopped by domain kill switch

Post by Royal » Sun May 14, 2017 12:43 am

This is not any random domain name, is it? :wink:

Pigeon
Posts: 18055
Joined: Thu Mar 31, 2011 3:00 pm

Re: WannaCry ransomware stopped by domain kill switch

Post by Pigeon » Sun May 14, 2017 12:53 am

I would use "twoscoopsfortrump.com"

Pigeon
Posts: 18055
Joined: Thu Mar 31, 2011 3:00 pm

Re: WannaCry ransomware stopped by domain kill switch

Post by Pigeon » Sun May 14, 2017 1:08 am

My best friend's girlfriend's brother knows this guy who saw Trump at 31 Flavors getting two scoops while his guests got only one. He was going to get three but realized it would delay his Twitter posts.

Pigeon
Posts: 18055
Joined: Thu Mar 31, 2011 3:00 pm

Re: WannaCry ransomware stopped by domain kill switch

Post by Pigeon » Sun May 14, 2017 1:21 am

Domain ID: 2123519849_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2017-05-12T15:08:10.00Z
Creation Date: 2017-05-12T15:08:04.00Z
Registrar Registration Expiration Date: 2018-05-12T15:08:04.00Z
Registrar: NAMECHEAP INC
Registrar IANA ID: 1068
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.6613102107
Reseller: NAMECHEAP INC
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: addPeriod https://icann.org/epp#addPeriod
Registry Registrant ID:
Registrant Name: Botnet Sinkhole
Registrant Organization:
Registrant Street: Botnet Sinkhole
Registrant City: Los Angeles
Registrant State/Province: CA
Registrant Postal Code: 00000
Registrant Country: US
Registrant Phone: +0.00000000000
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: BotnetSinkhole@gmail.com


Royal
Posts: 10562
Joined: Mon Apr 11, 2011 5:55 pm

Re: WannaCry ransomware stopped by domain kill switch

Post by Royal » Sun May 14, 2017 1:29 am

In a centralized botnet, sinkholing is straightforward. The discovery of a C&C (command and control) server makes it possible to redirect DNS requests for that server to a law enforcement computer or other analyzing machine. The specially configured DNS server can simply route the requests of the bots to a faked C&C server, where the requests provide information to researchers about the nature of the botnet. To establish this type of botnet sinkhole, researchers need the cooperation of the owner of the DNS used by the botnet, as well as knowledge of the botnet and its C&C server.

Since there is no C&C server in a decentralized or P2P botnet (peer-to-peer botnet), the researcher has to detect its method of picking up owner commands before any attempt can be made to block or analyze the botnet's communication.

Other methods used to effectively sinkhole botnet DDoS (distributed denial of service) traffic include locally rerouting traffic through changes via Windows updates or to a hosts file.

http://whatis.techtarget.com/definition/botnet-sinkhole
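A worked illustration of the sinkhole idea in the definition quoted above, added here as an example and not part of the post or of any of the tools it mentions: once the domain resolves to a machine the defenders control, every host that looks it up shows itself in DNS query logs. The domain names, the dnsmasq-style log format and the sample log lines below are constructed placeholders; the thread's real kill-switch domain is deliberately not reproduced.

```python
import re
from collections import defaultdict

# Names that have been sinkholed (placeholders; the thread's real kill-switch domain is not reproduced).
SINKHOLED_DOMAINS = {"killswitch-placeholder.example", "sinkhole.example"}

# dnsmasq-style "query[A] <name> from <ip>" line; the format is constructed for this example.
LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+: query\[(?P<qtype>\w+)\] "
                    r"(?P<qname>\S+) from (?P<src>[\d.]+)$")

def hosts_file_entries(domains, sink_ip="127.0.0.1"):
    """Local variant from the quoted definition: hosts-file lines that answer
    each sinkholed name with sink_ip instead of sending the lookup out to the Internet."""
    return sorted(f"{sink_ip} {d.lower().rstrip('.')}" for d in domains)

def parse_query(line):
    """Return (timestamp, qtype, qname, source_ip) for a query line, else None."""
    m = LOG_RE.match(line)
    return None if m is None else (m["ts"], m["qtype"], m["qname"].lower().rstrip("."), m["src"])

def sinkhole_report(log_lines, domains=SINKHOLED_DOMAINS):
    """Per-host summary of queries for a sinkholed name or any name under it.
    Every host listed looked the domain up: a candidate infection to isolate and examine."""
    wanted = {d.lower().rstrip(".") for d in domains}
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "names": set()})
    for line in log_lines:
        parsed = parse_query(line)
        if parsed is None:
            continue  # answers, forwards and other non-query lines
        ts, _qtype, qname, src = parsed
        labels = qname.split(".")
        if not any(".".join(labels[i:]) in wanted for i in range(len(labels))):
            continue
        h = hits[src]
        h["count"] += 1
        h["first"] = h["first"] or ts
        h["last"] = ts
        h["names"].add(qname)
    return dict(hits)

# Constructed sample log: two hosts resolve sinkholed names, one resolves something benign.
SAMPLE_LOG = """\
May 14 01:21:07 dnsmasq[812]: query[A] killswitch-placeholder.example from 10.0.3.17
May 14 01:21:07 dnsmasq[812]: forwarded killswitch-placeholder.example to 10.0.0.53
May 14 01:21:09 dnsmasq[812]: query[A] www.example.org from 10.0.3.22
May 14 01:21:30 dnsmasq[812]: query[A] killswitch-placeholder.example from 10.0.3.17
May 14 01:22:02 dnsmasq[812]: query[A] cdn.sinkhole.example from 10.0.3.40
""".splitlines()
```

Calling sinkhole_report(SAMPLE_LOG) lists 10.0.3.17 and 10.0.3.40 with their query counts and first/last timestamps; the benign lookup from 10.0.3.22 is ignored.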


Pigeon
Posts: 18055
Joined: Thu Mar 31, 2011 3:00 pm

Re: WannaCry ransomware stopped by domain kill switch

Post by Pigeon » Sun May 14, 2017 1:38 am

Given the incomplete domain reg data, both this and the sinkhole.tech, I wonder about this/these people. Hey ICANN...

Royal
Posts: 10562
Joined: Mon Apr 11, 2011 5:55 pm

Re: WannaCry ransomware stopped by domain kill switch

Post by Royal » Sun May 14, 2017 1:47 am

Pigeon wrote: Given the incomplete domain reg data, both this and the sinkhole.tech, I wonder about this/these people. Hey ICANN...
Good advertising.

Royal
Posts: 10562
Joined: Mon Apr 11, 2011 5:55 pm

Re: WannaCry ransomware stopped by domain kill switch

Post by Royal » Sun May 14, 2017 8:02 pm

Was the domain name lookup necessary?

It appears the code checks for a sandbox to prevent analysis. Looks like its ingenious method was also its critical flaw.
