The WannaCry kill switch wasn't inserted to make someone a hero

Posted by   Martijn Grooten on   Aug 8, 2017

Almost three months after its damaging outbreak, the WannaCry malware remains shrouded in mystery. Last week's arrest of security researcher Marcus Hutchings, better known and hereafter referred to by his online handle MalwareTech, has added yet more mystery.

With very little factual information on the case available, there is little point in speculating about whether MalwareTech was involved in the development of the Kronos banking trojan, as the FBI believes he was. As someone who knows him personally, there is even less point in me doing any speculating. But seeing as a number of people have suggested that the kill switch in WannaCry was inserted by MalwareTech himself, allegedly to make himself a hero, it seems a good idea to look at how the kill switch actually worked.

banner-wannacry-blog.jpg


When run, like just about every modern piece of malware, WannaCry makes a number of Internet connections, one of which is to the domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com – which at the time of the outbreak was unregistered. It is not uncommon for malware to connect to random-looking domains; often the domains to which a piece of malware connects are changed every day using a domain generation algorithm (DGA) – an algorithm known only to the malware authors (though obviously hidden deep inside the malware's code), thus making registering such a domain an easy way for them way to keep control of the malware, even if all their infrastructure has been taken down.

On seeing malware connect to an unregistered domain, it is common for researchers to register the domain themselves and point it to a server they control – a technique known as sinkholing. This gives researchers important insight into the size and geographical spread of a malware outbreak (indeed, it was used to estimate the size of WannaCry), and occasionally allows them to actually control the behaviour of the malware or botnet. I myself have done some research on botnets based entirely on sinkholing, and I'm not the only one.

Given how common this practice is, someone was always bound to register the domain queried by WannaCry; MalwareTech was just the first one to do so. What made this case somewhat unique was the fact that the domain functioned as a kill switch: the malware would stop spreading if a successful connection was made to the domain.

There are a number of theories as to why it was implemented this way. One is that this was indeed a kill switch, and was inserted by the people behind WannaCry in case its spreading got out of hand. Another is that this was a simple anti-analysis trick: in many malware sandboxes, any Internet request, whether to a registered domain or not, will give a response, thus indicating to the malware that it is being analysed.

Although I don't know the real reason either, I find neither of these explanations satisfactory, as it is common knowledge that the domain would be registered very quickly. There are much more effective ways to implement a kill switch or to check whether the malware is being run inside a system that responds to any Internet connection.

There are also much better ways to implement a kill switch that can be 'discovered' by its author, which would significantly reduce the chances of someone else discovering it. Activating WannaCry's 'kill switch' wasn't rocket science, and MalwareTech just happened to be the first one to do so. That made him an 'accidental' hero, though his previous work on sinkholing botnets is certainly worthy of credit.

It is, of course, possible for heroes to have made mistakes in the past, and we can only hope for a quick and, importantly, fair trial. But I believe that the probability of MalwareTech having been behind WannaCry is as high as it is for as you and I having been behind it, so it seems best to assume he wasn't.

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

VB2019 conference programme announced

VB is excited to reveal the details of an interesting and diverse programme for VB2019, the 29th Virus Bulletin International Conference, which takes place 2-4 October in London, UK.

VB2018 paper: Under the hood - the automotive challenge

Car hacking has become a hot subject in recent years, and at VB2018 in Montreal, Argus Cyber Security's Inbar Raz presented a paper that provides an introduction to the subject, looking at the complex problem, examples of car hacks, and the…

VB2018 paper and video: Android app deobfuscation using static-dynamic cooperation

Static analysis and dynamic analysis each have their shortcomings as methods for analysing potentially malicious files. Today, we publish a VB2018 paper by Check Point researchers Yoni Moses and Yaniv Mordekhay, in which they describe a method that…

VB2019 call for papers closes this weekend

The call for papers for VB2019 closes on 17 March, and while we've already received many great submissions, we still want more!

Registration open for VB2019 ─ book your ticket now!

Registration for VB2019, the 29th Virus Bulletin International Conference, is now open, with an early bird rate available until 1 July.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.