WannaCry Ransomware Foiled By Domain Killswitch

Whilst I was away on a tropical island enjoying myself the Infosec Internet was on fire with news of the global WannaCry ransomware threat which showed up in the UK NHS and was spreading across 74 different countries.

WannaCry Ransomware Foiled By Domain Killswitch

The Ransomware seems to be the first that is P2P using an SMB exploit from the NSA Leak just last month.

The WannaCrypt ransomware worm, aka WanaCrypt or Wcry, today exploded across 74 countries, infecting hospitals, businesses including Fedex, rail stations, universities, at least one national telco, and more organizations.

In response, Microsoft has released emergency security patches to defend against the malware for unsupported versions of Windows, such as XP and Server 2003, as well as modern builds.

To recap, WannaCrypt is installed on vulnerable Windows computers by a worm that spreads across networks by exploiting a vulnerability in Microsoft’s SMB file-sharing services. It specifically abuses a bug designated MS17-010 that Redmond patched in March for modern versions of Windows, and today for legacy versions – all remaining unpatched systems are therefore vulnerable and can be attacked.

This bug was, once upon a time, exploited by the NSA to hijack and spy on its targets. Its internal tool to do this, codenamed Eternalblue, was stolen from the agency, and leaked online in April – putting this US government cyber-weapon into the hands of any willing miscreant. Almost immediately, it was used to hijack thousands of machines on the internet.

Now someone has taken that tool and strapped it to ransomware: the result is a variant of WannaCrypt, which spreads via SMB and, after landing on a computer, encrypts as many files as it can find. It charges $300 or $600 in Bitcoin to restore the documents. It is adept at bringing offices and homes to a halt by locking away their data.

There appeared to be over 100,000 infected hosts and quite a number paid netting the attackers over $25,000 (not that great a payday considering how much media coverage it got).

Also, in a very unusual move Microsoft has released patches for all versions of Windows (including all the way back to XP) for the SMB exploit used in the malware. Not that I expect most people getting hammered by it to be installed patches, or blocking access to port 445 over the Internet..or anything else remotely sensible.

And it installs Doublepulsar, a backdoor that allows the machine to be remotely controlled. That’s another stolen NSA tool leaked alongside Eternalblue. The malware is also controlled via the anonymizing Tor network by connecting to hidden services to receive further commands from its masters.

Fortunately, a kill switch was included in the code. When it detects that a particular web domain exists, it stops further infections. That domain was created earlier today by a UK infosec bod, who spotted the dot-com in the reverse-engineered binary; that registration was detected by the ransomware, which immediately halted its worldwide spread.

Connections to the magic domain – iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com – were sinkholed to a server in California, and the admins of infected systems reaching out to the dot-com will be notified, we’re told. “IP addresses from our sinkhole have been sent to FBI and ShadowServer so affected organisations should get a notification soon,” said the researcher. The infosec bod admitted they registered the domain first, then realized it was a kill switch. Still, job done.

The most interesting part for me was when a Malware researched accidentally disabled the spread of the ransomeware by registered a domain it used as a killswitch.

How to Accidentally Stop a Global Cyber Attacks

To be fair, calling it accidental is pretty humble, but he didn’t mean to disable the spread. The malware checked an unregistered domain to see if it resolved, if it did it exited as it most likely means it’s running in a sandbox and being examined or reverse engineered.

The problem was, this guy registered the domain, so after propagation it always resolved, meaning any new instances of WannaCry failed.

Source: The Register

Posted in: Cryptography, Exploits/Vulnerabilities, Malware

, ,

Latest Posts:

LambdaGuard - AWS Lambda Serverless Security Scanner LambdaGuard – AWS Lambda Serverless Security Scanner
LambdaGuard is a tool which allows you to visualise and audit the security of your serverless assets, an open-source AWS Lambda Serverless Security Scanner.
exe2powershell - Convert EXE to BAT Files exe2powershell – Convert EXE to BAT Files
exe2powershell is used to convert EXE to BAT files, the previously well known tool for this was exe2bat, this is a version for modern Windows.
HiddenWall - Create Hidden Kernel Modules HiddenWall – Create Hidden Kernel Modules
HiddenWall is a Linux kernel module generator used to create hidden kernel modules to protect your server from attackers.
Anteater - CI/CD Security Gate Check Framework Anteater – CI/CD Security Gate Check Framework
Anteater is a CI/CD Security Gate Check Framework to prevent the unwanted merging of filenames, binaries, deprecated functions, staging variables and more.
Stardox - Github Stargazers Information Gathering Tool Stardox – Github Stargazers Information Gathering Tool
Stardox is a Python-based GitHub stargazers information gathering tool, it scrapes Github for information and displays them in a list tree view.
ZigDiggity - ZigBee Hacking Toolkit ZigDiggity – ZigBee Hacking Toolkit
ZigDiggity a ZigBee Hacking Toolkit is a Python-based IoT (Internet of Things) penetration testing framework targeting the ZigBee smart home protocol.

2 Responses to WannaCry Ransomware Foiled By Domain Killswitch

  1. George May 17, 2017 at 5:21 am #

    So how does registering that domain actually stop it. I mean why would WannaCry actually check to see if that domain is registered  ?

    • Darknet May 18, 2017 at 1:22 am #

      As I mentioned in the article, it checks to see if it resolves, not if it’s registered, if an unregistered domain resolves that likely means the ransomware is running a sandbox and being forensically examined so it exits. The problem was WannaCry used a hardcoded domain not some random string to verify so once the domain was registered and always resolved, it would always exit, even when not in a sandbox.