The WannaCry kill switch wasn't inserted to make someone a hero

Posted by Martijn Grooten on Aug 8, 2017

Almost three months after its damaging outbreak, the WannaCry malware remains shrouded in mystery. Last week's arrest of security researcher Marcus Hutchins, better known and hereafter referred to by his online handle MalwareTech, has added yet more mystery.

With very little factual information on the case available, there is little point in speculating about whether MalwareTech was involved in the development of the Kronos banking trojan, as the FBI believes he was. As someone who knows him personally, there is even less point in me doing any speculating. But seeing as a number of people have suggested that the kill switch in WannaCry was inserted by MalwareTech himself, allegedly to make himself a hero, it seems a good idea to look at how the kill switch actually worked.

When run, like just about every modern piece of malware, WannaCry makes a number of Internet connections, one of which is to the domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com – which at the time of the outbreak was unregistered. It is not uncommon for malware to connect to random-looking domains; often the domains to which a piece of malware connects are changed every day using a domain generation algorithm (DGA) – an algorithm known only to the malware authors (though obviously hidden deep inside the malware's code), thus making registering such a domain an easy way for them to keep control of the malware, even if all their infrastructure has been taken down.

On seeing malware connect to an unregistered domain, it is common for researchers to register the domain themselves and point it to a server they control – a technique known as sinkholing. This gives researchers important insight into the size and geographical spread of a malware outbreak (indeed, it was used to estimate the size of WannaCry), and occasionally allows them to actually control the behaviour of the malware or botnet. I myself have done some research on botnets based entirely on sinkholing, and I'm not the only one.

Given how common this practice is, someone was always bound to register the domain queried by WannaCry; MalwareTech was just the first one to do so. What made this case somewhat unique was the fact that the domain functioned as a kill switch: the malware would stop spreading if a successful connection was made to the domain.
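A defender's view of the behaviour described above, as an added example that is not part of the original post: a Python triage pass over constructed log lines that lists the hosts which tried the kill-switch domain and separates those whose connection succeeded from those where it failed. The four-field log format, the outcome labels and the verdict names are assumptions made for illustration.

```python
from collections import defaultdict

KILL_SWITCH = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample lines (hypothetical format):
# timestamp, source IP, requested domain, outcome of the connection attempt.
SAMPLE_LOG = """\
2017-05-12T09:14:02Z 10.0.4.17 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
2017-05-12T09:14:09Z 10.0.4.23 www.example.org CONNECTED
2017-05-13T08:01:44Z 10.0.4.17 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com CONNECTED
2017-05-13T08:02:10Z 10.0.7.5 IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. CONNECTED
2017-05-13T08:05:31Z 10.0.9.88 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com BLOCKED
malformed line
"""


def normalise(domain):
    """Lower-case and drop the trailing root dot so log variants compare equal."""
    return domain.lower().rstrip(".")


def triage(log_text, domain=KILL_SWITCH):
    """Map each source IP that tried the domain to 'check_failed' or 'check_succeeded'."""
    outcomes = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records rather than guessing at their meaning
        _ts, src, requested, outcome = fields
        if normalise(requested) == domain:
            outcomes[src].append(outcome.upper())
    verdicts = {}
    for src, seen in outcomes.items():
        # A single failed attempt means the sample did not stop on that run.
        failed = any(o != "CONNECTED" for o in seen)
        verdicts[src] = "check_failed" if failed else "check_succeeded"
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(host, verdict)
```

Hosts in the `check_failed` group are the priority, since on that run the connection that stops the spreading was not made; a network control that blocks the domain produces exactly that outcome.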

There are a number of theories as to why it was implemented this way. One is that this was indeed a kill switch, and was inserted by the people behind WannaCry in case its spreading got out of hand. Another is that this was a simple anti-analysis trick: in many malware sandboxes, any Internet request, whether to a registered domain or not, will give a response, thus indicating to the malware that it is being analysed.

Although I don't know the real reason either, I find neither of these explanations satisfactory, as it is common knowledge that the domain would be registered very quickly. There are much more effective ways to implement a kill switch or to check whether the malware is being run inside a system that responds to any Internet connection.

There are also much better ways to implement a kill switch that can be 'discovered' by its author, which would significantly reduce the chances of someone else discovering it. Activating WannaCry's 'kill switch' wasn't rocket science, and MalwareTech just happened to be the first one to do so. That made him an 'accidental' hero, though his previous work on sinkholing botnets is certainly worthy of credit.

It is, of course, possible for heroes to have made mistakes in the past, and we can only hope for a quick and, importantly, fair trial. But I believe that the probability of MalwareTech having been behind WannaCry is as high as it is for you and I having been behind it, so it seems best to assume he wasn't.
