WannaCry has apparently been stopped by a security researcher known as MalwareTech who noticed an unregistered domain which he then registered, thus 'stopping it in its tracks'.
Finding the kill switch to stop the spread of ransomware - NCSC Site
All this code is doing is attempting to connect to the domain we registered; if the connection is not successful it ransoms the system, and if it is successful the malware exits. The reason was suggested to be a kill switch in case something goes wrong, but I now believe it to be anti-analysis.
In certain sandbox environments traffic is intercepted by replying to all URL lookups with an IP address belonging to the sandbox, rather than the real IP address the URL points to; a side effect of this is if an unregistered domain is queried it will respond as if it were registered.
I believe they were trying to query an unregistered domain which would appear registered in certain sandbox environments, then once they are aware they're in a sandbox the malware can exit to prevent analysis. This technique isn't unprecedented and is actually used by the Necurs trojan (they will query 5 totally random domains and if they all return the same IP, it will exit); however, because they used a hardcoded domain, registering it caused all infections globally to believe they were inside a sandbox and exit... thus we initially unintentionally prevented the spread and further ransoming of computers infected with this malware.
One thing that is very important to note is our sinkholing only stops this sample and there is nothing stopping them removing the domain check and trying again, so it's incredibly important that any unpatched systems are patched as quickly as possible. You can now even get a patch for XP.
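An added example (not MalwareTech's code and not from the NCSC page) that models the two DNS checks described above from a sandbox operator's side: a fidelity self-test for an analysis environment whose DNS interception answers every lookup with its own address, next to the single hardcoded-domain check whose outcome flips everywhere once the domain is sinkholed. The resolvers, the IP addresses and the kill-switch domain name are constructed placeholders.

```python
import random
import string
from typing import Callable, Dict, Iterable, Optional

# A resolver maps a domain to an IPv4 string, or None when the name does not exist (NXDOMAIN).
Resolver = Callable[[str], Optional[str]]


def random_domain(rng: random.Random, length: int = 20, tld: str = "com") -> str:
    """Return a throwaway name that is, in practice, certain to be unregistered."""
    label = "".join(rng.choice(string.ascii_lowercase + string.digits) for _ in range(length))
    return f"{label}.{tld}"


def single_shared_answer(resolve: Resolver, domains: Iterable[str]) -> bool:
    """True when every name resolves and all answers are the same IP.

    A faithful resolver says NXDOMAIN for random names; an analysis environment
    that answers every lookup with its own interception address returns one IP
    for all of them, which is the Necurs-style signal the post describes.
    """
    answers = [resolve(d) for d in domains]
    return all(ip is not None for ip in answers) and len(set(answers)) == 1


def sandbox_leaks_presence(resolve: Resolver, count: int = 5, seed: Optional[int] = None) -> bool:
    """Fidelity self-test for an analysis environment: does its DNS give interception away?"""
    rng = random.Random(seed)
    return single_shared_answer(resolve, [random_domain(rng) for _ in range(count)])


def hardcoded_domain_check(resolve: Resolver, domain: str) -> bool:
    """The single-domain variant: True means 'the domain resolves, so stop'."""
    return resolve(domain) is not None


def make_resolver(table: Dict[str, str]) -> Resolver:
    """Constructed offline resolver: only names present in the table exist."""
    return lambda domain: table.get(domain)


# Constructed data: documentation-range IPs and a placeholder kill-switch name.
KILLSWITCH = "killswitch-domain-placeholder.example"
faithful_resolver = make_resolver({"known-site.example": "203.0.113.10"})
intercepting_resolver: Resolver = lambda domain: "198.51.100.1"  # answers everything
# The same faithful resolver after the kill-switch domain has been registered and sinkholed.
after_sinkhole = make_resolver({"known-site.example": "203.0.113.10", KILLSWITCH: "198.51.100.53"})
```

To run the self-test against a real environment, pass a resolver that wraps `socket.gethostbyname` and returns None on `socket.gaierror`; a result of True means random names all land on one address and the environment is distinguishable from a real network.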