The WannaCry kill switch wasn't inserted to make someone a hero

Posted by   Martijn Grooten on   Aug 8, 2017

Almost three months after its damaging outbreak, the WannaCry malware remains shrouded in mystery. Last week's arrest of security researcher Marcus Hutchings, better known and hereafter referred to by his online handle MalwareTech, has added yet more mystery.

With very little factual information on the case available, there is little point in speculating about whether MalwareTech was involved in the development of the Kronos banking trojan, as the FBI believes he was. As someone who knows him personally, there is even less point in me doing any speculating. But seeing as a number of people have suggested that the kill switch in WannaCry was inserted by MalwareTech himself, allegedly to make himself a hero, it seems a good idea to look at how the kill switch actually worked.

banner-wannacry-blog.jpg


When run, like just about every modern piece of malware, WannaCry makes a number of Internet connections, one of which is to the domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com – which at the time of the outbreak was unregistered. It is not uncommon for malware to connect to random-looking domains; often the domains to which a piece of malware connects are changed every day using a domain generation algorithm (DGA) – an algorithm known only to the malware authors (though obviously hidden deep inside the malware's code), thus making registering such a domain an easy way for them way to keep control of the malware, even if all their infrastructure has been taken down.

On seeing malware connect to an unregistered domain, it is common for researchers to register the domain themselves and point it to a server they control – a technique known as sinkholing. This gives researchers important insight into the size and geographical spread of a malware outbreak (indeed, it was used to estimate the size of WannaCry), and occasionally allows them to actually control the behaviour of the malware or botnet. I myself have done some research on botnets based entirely on sinkholing, and I'm not the only one.

Given how common this practice is, someone was always bound to register the domain queried by WannaCry; MalwareTech was just the first one to do so. What made this case somewhat unique was the fact that the domain functioned as a kill switch: the malware would stop spreading if a successful connection was made to the domain.

There are a number of theories as to why it was implemented this way. One is that this was indeed a kill switch, and was inserted by the people behind WannaCry in case its spreading got out of hand. Another is that this was a simple anti-analysis trick: in many malware sandboxes, any Internet request, whether to a registered domain or not, will give a response, thus indicating to the malware that it is being analysed.

Although I don't know the real reason either, I find neither of these explanations satisfactory, as it is common knowledge that the domain would be registered very quickly. There are much more effective ways to implement a kill switch or to check whether the malware is being run inside a system that responds to any Internet connection.

There are also much better ways to implement a kill switch that can be 'discovered' by its author, which would significantly reduce the chances of someone else discovering it. Activating WannaCry's 'kill switch' wasn't rocket science, and MalwareTech just happened to be the first one to do so. That made him an 'accidental' hero, though his previous work on sinkholing botnets is certainly worthy of credit.

It is, of course, possible for heroes to have made mistakes in the past, and we can only hope for a quick and, importantly, fair trial. But I believe that the probability of MalwareTech having been behind WannaCry is as high as it is for as you and I having been behind it, so it seems best to assume he wasn't.

twitter.png
fb.png
linkedin.png
googleplus.png
reddit.png

 

Latest posts:

VB2017 paper: Walking in your enemy's shadow: when fourth-party collection becomes attribution hell

We publish the VB2017 paper and video by Kaspersky Lab researchers Juan Andres Guerrero-Saade and Costin Raiu, in which they look at fourth-party collection (spies spying on other spies' campaigns) and its implications for attribution.

Didn't come to VB2017? Tell us why!

Virus Bulletin is a company - and a conference - with a mission: to further the research in and facilitate the fight against digital threats. To help us in this mission, we want to hear from those who didn't come to Madrid. What is your impression of…

Montreal will host VB2018

Last week, we announced the full details of VB2018, which will take place 3-5 October 2018 at the Fairmont The Queen Elizabeth hotel in Montreal, Quebec, Canada.

VB2017 preview: Beyond lexical and PDNS (guest blog)

In a special guest blog post, VB2017 Silver sponsor Cisco Umbrella writes about a paper that researchers Dhia Mahjoub and David Rodriguez will present at the conference this Friday.

Avast to present technical details of CCleaner hack at VB2017

The recently discovered malicious CCleaner version has become one of the biggest security stories of 2017. Two researchers from Avast, the company that had recently acquired CCleaner developer Piriform, will share the results of their investigations…