WannaCry ransomware stopped by domain kill switch

Pigeon
Posts: 18055
Joined: Thu Mar 31, 2011 3:00 pm

WannaCry ransomware stopped by domain kill switch

Post by Pigeon » Sat May 13, 2017 9:55 pm

A cybersecurity researcher tweeting as @malwaretechblog, with the help of Darien Huss from security firm Proofpoint, found and implemented a "kill switch" in the malicious software that was based on a cyber-weapon stolen from the NSA. The kill switch was hardcoded into the malware in case the creator wanted to stop it from spreading. This involved a very long nonsensical domain name that the malware makes a request to -- just as if it was looking up any website -- and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading. Of course, this relies on the creator of the malware registering the specific domain. In this case, the creator failed to do this. And @malwaretechblog did early Friday morning (Pacific Time), stopping the rapid proliferation of the ransomware.

You can read their first-person account of the discovery here, which insists that registering the domain "was not a whim. My job is to look for ways we can track and potentially stop botnets..." Friday they also tweeted a map from the New York Times showing that registering that domain provided more time for U.S. sites to patch their systems. And Friday night they added "IP addresses from our [DNS] sinkhole have been sent to FBI and ShadowServer so affected organizations should get a notification soon. Patch ASAP."

UPDATE: Slashdot reader Lauren Weinstein says some antivirus services (and firewalls incorporating their rules) are mistakenly blocking that site as a 'bad domain', which allows the malware to continue spreading. "Your systems MUST be able to access the domain above if this malware blocking trigger is to be effective, according to the current reports that I'm receiving!"

iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com


Re: WannaCry ransomware stopped by domain kill switch

Post by Pigeon » Sat May 13, 2017 9:56 pm

WARNING: Antivirus sites may be helping to SPREAD the current global malware ransomware (WannaCry) attack!

It has been reported that a researcher discovered that spread of the current worldwide ransomware attack can be halted after he registered the domain:

iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

and built a sinkhole website that the malware could check. Reportedly the malware does not continue spreading if it can reach this site. HOWEVER, various antivirus websites/services are now reportedly adding that domain to their “bad domain” lists! If sites infected with this malware are unable to reach that domain due to their firewalls incorporating rules from antivirus sites that include a block for that domain, the malware will likely continue spreading across their vulnerable computers (which must also still be patched to avoid infection by similar exploits). Your systems MUST be able to access the domain above if this malware blocking trigger is to be effective, according to the current reports that I’m receiving!
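The mechanism described in the first post (an infected host that gets an answer from the domain stops spreading) and the failure mode in this warning (a "bad domain" rule that blocks the lookup or request cancels that protection) can be checked from a defender's side. The following is an added example, not code from the thread or from any of the researchers named; the log format, field names, timestamps and addresses in it are constructed for illustration.

```python
"""Added example: check a host's view of the WannaCry kill-switch domain, and
find hosts whose access to it was blocked in (constructed) firewall/DNS logs."""
import re
import socket
import urllib.error
import urllib.request
from typing import Callable, Iterable, List

KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"


def http_answers(url: str) -> bool:
    """True if ANY HTTP response came back: an error status still shows the
    domain is live, which is all the kill-switch check needs."""
    try:
        urllib.request.urlopen(url, timeout=10)
        return True
    except urllib.error.HTTPError:
        return True
    except OSError:  # URLError, timeout, connection refused, ...
        return False


def kill_switch_status(
    domain: str = KILL_SWITCH_DOMAIN,
    resolve: Callable[[str], str] = socket.gethostbyname,
    fetch: Callable[[str], bool] = http_answers,
) -> str:
    """Classify this host's access to the kill switch.

    REACHABLE    name resolves and the sinkhole answers: the malware stops spreading
    DNS_BLOCKED  lookup fails (resolver filter / 'bad domain' list): no protection
    HTTP_BLOCKED name resolves but the request is dropped by a firewall or proxy
    """
    try:
        resolve(domain)
    except OSError:
        return "DNS_BLOCKED"
    return "REACHABLE" if fetch(f"http://{domain}/") else "HTTP_BLOCKED"


# Constructed log lines in an assumed "action=... dst=... src=..." layout (not real output).
SAMPLE_LOG = [
    "2017-05-13T21:50:01Z fw1 action=deny category=bad-domain dst=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com src=10.1.2.3",
    "2017-05-13T21:50:02Z fw1 action=allow dst=example.com src=10.1.2.4",
    "2017-05-13T21:50:05Z dns1 action=nxdomain qname=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com src=10.1.2.9",
]


def blocked_kill_switch_hosts(lines: Iterable[str], domain: str = KILL_SWITCH_DOMAIN) -> List[str]:
    """Source addresses whose lookup or request for the kill-switch domain was
    denied or failed to resolve; these hosts would NOT be stopped by the sinkhole."""
    pat = re.compile(r"action=(deny|block|nxdomain).*?(?:dst|qname)=" + re.escape(domain) + r".*?src=(\S+)")
    return [m.group(2) for m in (pat.search(line) for line in lines) if m]
```

Run `kill_switch_status()` with the defaults on a host inside the network to get a live answer; the injectable `resolve` and `fetch` callbacks exist so the logic can be exercised offline.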



Re: WannaCry ransomware stopped by domain kill switch

Post by Pigeon » Sat May 13, 2017 10:03 pm

Here is the returned data for an HTTP request to the switch domain:

sinkhole.tech - where the bots party hard and the researchers harder.

Royal
Posts: 10562
Joined: Mon Apr 11, 2011 5:55 pm

Re: WannaCry ransomware stopped by domain kill switch

Post by Royal » Sat May 13, 2017 10:28 pm

This is going to be a hell of a case study.


Re: WannaCry ransomware stopped by domain kill switch

Post by Pigeon » Sat May 13, 2017 10:37 pm

A control method is not uncommon but leaving it in the wild may have been an oversight.


Re: WannaCry ransomware stopped by domain kill switch

Post by Royal » Sat May 13, 2017 11:14 pm

This one?

UPDATE: Slashdot reader Lauren Weinstein says some antivirus services (and firewalls incorporating their rules) are mistakenly blocking that site as a 'bad domain', which allows the malware to continue spreading. "Your systems MUST be able to access the domain above if this malware blocking trigger is to be effective, according to the current reports that I'm receiving!"


Re: WannaCry ransomware stopped by domain kill switch

Post by Royal » Sat May 13, 2017 11:16 pm

Antimalware that allows registration for $10.


Wait a sec.


Re: WannaCry ransomware stopped by domain kill switch

Post by Pigeon » Sat May 13, 2017 11:22 pm

Yep, someone saw that domain as a kill switch and registered it. But if sites block it, they undo the kill.

Domain names can be reg'ed for 10 to 15 for .coms.


Re: WannaCry ransomware stopped by domain kill switch

Post by Royal » Sun May 14, 2017 12:08 am

Can this event be named the iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea event?


Re: WannaCry ransomware stopped by domain kill switch

Post by Pigeon » Sun May 14, 2017 12:32 am

Sure.

It will be shortened to iu.
