WannaCry Ransomware Foiled By Domain Killswitch

Use Netsparker

Whilst I was away on a tropical island enjoying myself the Infosec Internet was on fire with news of the global WannaCry ransomware threat which showed up in the UK NHS and was spreading across 74 different countries.

WannaCry Ransomware Foiled By Domain Killswitch

The Ransomware seems to be the first that is P2P using an SMB exploit from the NSA Leak just last month.

The WannaCrypt ransomware worm, aka WanaCrypt or Wcry, today exploded across 74 countries, infecting hospitals, businesses including Fedex, rail stations, universities, at least one national telco, and more organizations.

In response, Microsoft has released emergency security patches to defend against the malware for unsupported versions of Windows, such as XP and Server 2003, as well as modern builds.

To recap, WannaCrypt is installed on vulnerable Windows computers by a worm that spreads across networks by exploiting a vulnerability in Microsoft’s SMB file-sharing services. It specifically abuses a bug designated MS17-010 that Redmond patched in March for modern versions of Windows, and today for legacy versions – all remaining unpatched systems are therefore vulnerable and can be attacked.

This bug was, once upon a time, exploited by the NSA to hijack and spy on its targets. Its internal tool to do this, codenamed Eternalblue, was stolen from the agency, and leaked online in April – putting this US government cyber-weapon into the hands of any willing miscreant. Almost immediately, it was used to hijack thousands of machines on the internet.

Now someone has taken that tool and strapped it to ransomware: the result is a variant of WannaCrypt, which spreads via SMB and, after landing on a computer, encrypts as many files as it can find. It charges $300 or $600 in Bitcoin to restore the documents. It is adept at bringing offices and homes to a halt by locking away their data.

There appeared to be over 100,000 infected hosts and quite a number paid netting the attackers over $25,000 (not that great a payday considering how much media coverage it got).

Also, in a very unusual move Microsoft has released patches for all versions of Windows (including all the way back to XP) for the SMB exploit used in the malware. Not that I expect most people getting hammered by it to be installed patches, or blocking access to port 445 over the Internet..or anything else remotely sensible.

And it installs Doublepulsar, a backdoor that allows the machine to be remotely controlled. That’s another stolen NSA tool leaked alongside Eternalblue. The malware is also controlled via the anonymizing Tor network by connecting to hidden services to receive further commands from its masters.

Fortunately, a kill switch was included in the code. When it detects that a particular web domain exists, it stops further infections. That domain was created earlier today by a UK infosec bod, who spotted the dot-com in the reverse-engineered binary; that registration was detected by the ransomware, which immediately halted its worldwide spread.

Connections to the magic domain – iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com – were sinkholed to a server in California, and the admins of infected systems reaching out to the dot-com will be notified, we’re told. “IP addresses from our sinkhole have been sent to FBI and ShadowServer so affected organisations should get a notification soon,” said the researcher. The infosec bod admitted they registered the domain first, then realized it was a kill switch. Still, job done.

The most interesting part for me was when a Malware researched accidentally disabled the spread of the ransomeware by registered a domain it used as a killswitch.

How to Accidentally Stop a Global Cyber Attacks

To be fair, calling it accidental is pretty humble, but he didn’t mean to disable the spread. The malware checked an unregistered domain to see if it resolved, if it did it exited as it most likely means it’s running in a sandbox and being examined or reverse engineered.

The problem was, this guy registered the domain, so after propagation it always resolved, meaning any new instances of WannaCry failed.

Source: The Register

Posted in: Cryptography, Exploits/Vulnerabilities, Malware

, ,

Latest Posts:

Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.

2 Responses to WannaCry Ransomware Foiled By Domain Killswitch

  1. George May 17, 2017 at 5:21 am #

    So how does registering that domain actually stop it. I mean why would WannaCry actually check to see if that domain is registered  ?

    • Darknet May 18, 2017 at 1:22 am #

      As I mentioned in the article, it checks to see if it resolves, not if it’s registered, if an unregistered domain resolves that likely means the ransomware is running a sandbox and being forensically examined so it exits. The problem was WannaCry used a hardcoded domain not some random string to verify so once the domain was registered and always resolved, it would always exit, even when not in a sandbox.