The WannaCry kill switch wasn't inserted to make someone a hero

Posted by Martijn Grooten on Aug 8, 2017

Almost three months after its damaging outbreak, the WannaCry malware remains shrouded in mystery. Last week's arrest of security researcher Marcus Hutchins, better known and hereafter referred to by his online handle MalwareTech, has added yet more mystery.

With very little factual information on the case available, there is little point in speculating about whether MalwareTech was involved in the development of the Kronos banking trojan, as the FBI believes he was. As someone who knows him personally, there is even less point in me doing any speculating. But seeing as a number of people have suggested that the kill switch in WannaCry was inserted by MalwareTech himself, allegedly to make himself a hero, it seems a good idea to look at how the kill switch actually worked.

When run, like just about every modern piece of malware, WannaCry makes a number of Internet connections, one of which is to the domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com – which at the time of the outbreak was unregistered. It is not uncommon for malware to connect to random-looking domains; often the domains to which a piece of malware connects are changed every day using a domain generation algorithm (DGA) – an algorithm known only to the malware authors (though obviously hidden deep inside the malware's code), thus making registering such a domain an easy way for them to keep control of the malware, even if all their infrastructure has been taken down.

On seeing malware connect to an unregistered domain, it is common for researchers to register the domain themselves and point it to a server they control – a technique known as sinkholing. This gives researchers important insight into the size and geographical spread of a malware outbreak (indeed, it was used to estimate the size of WannaCry), and occasionally allows them to actually control the behaviour of the malware or botnet. I myself have done some research on botnets based entirely on sinkholing, and I'm not the only one.

Given how common this practice is, someone was always bound to register the domain queried by WannaCry; MalwareTech was just the first one to do so. What made this case somewhat unique was the fact that the domain functioned as a kill switch: the malware would stop spreading if a successful connection was made to the domain.
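Because WannaCry looks up this domain whenever it runs, a resolver's query log shows which internal hosts executed it. The following is an added example, not code from the original post: it scans a BIND-style query log (the log format, the function name and the sample lines are assumptions constructed for illustration) and reports each client that asked for the kill-switch domain.

```python
import re

# Kill-switch domain exactly as quoted in the article.
KILL_SWITCH = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# BIND-style query log line; this log format is an assumption of the example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9A-Fa-f.:]+)#\d+ .*?"
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

def _line(ts, ip, name):
    """Build one constructed log line (sample data, not real traffic)."""
    return f"12-May-2017 {ts} client {ip}#53211 ({name}): query: {name} IN A + (10.0.0.2)"

SAMPLE_LOG = "\n".join([
    _line("08:14:02.113", "10.0.4.17", KILL_SWITCH),
    _line("08:14:02.950", "10.0.4.17", "www.example.org"),
    # Mixed case and a trailing dot are the same name in DNS.
    _line("08:15:40.007", "10.0.9.203", KILL_SWITCH.upper() + "."),
    # Lookalike that merely contains the domain: must not match.
    _line("08:16:11.420", "10.0.7.8", KILL_SWITCH + ".example.net"),
    _line("08:21:55.300", "10.0.4.17", KILL_SWITCH),
    "truncated or malformed line",
])

def hosts_querying(log_text, domain=KILL_SWITCH):
    """Map client IP -> query count, first and last timestamp for `domain`."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # skip lines that are not query records
        name = m["name"].rstrip(".").lower()
        # Exact name or a subdomain of it; a substring test would be wrong.
        if name != domain and not name.endswith("." + domain):
            continue
        rec = hits.setdefault(m["ip"], {"count": 0, "first": m["ts"], "last": m["ts"]})
        rec["count"] += 1
        rec["last"] = m["ts"]
    return hits

if __name__ == "__main__":
    for ip, rec in hosts_querying(SAMPLE_LOG).items():
        print(ip, rec["count"], rec["first"], rec["last"])
```

A hit shows that a host looked up the domain, not that its files were encrypted, so treat each client as a lead for triage.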

There are a number of theories as to why it was implemented this way. One is that this was indeed a kill switch, and was inserted by the people behind WannaCry in case its spreading got out of hand. Another is that this was a simple anti-analysis trick: in many malware sandboxes, any Internet request, whether to a registered domain or not, will give a response, thus indicating to the malware that it is being analysed.

Although I don't know the real reason either, I find neither of these explanations satisfactory, as it is common knowledge that the domain would be registered very quickly. There are much more effective ways to implement a kill switch or to check whether the malware is being run inside a system that responds to any Internet connection.

There are also much better ways to implement a kill switch that can be 'discovered' by its author, which would significantly reduce the chances of someone else discovering it. Activating WannaCry's 'kill switch' wasn't rocket science, and MalwareTech just happened to be the first one to do so. That made him an 'accidental' hero, though his previous work on sinkholing botnets is certainly worthy of credit.

It is, of course, possible for heroes to have made mistakes in the past, and we can only hope for a quick and, importantly, fair trial. But I believe that the probability of MalwareTech having been behind WannaCry is as high as it is for you and me having been behind it, so it seems best to assume he wasn't.
