WannaCry Ransomware Foiled By Domain Killswitch

Whilst I was away on a tropical island enjoying myself the Infosec Internet was on fire with news of the global WannaCry ransomware threat which showed up in the UK NHS and was spreading across 74 different countries.

WannaCry Ransomware Foiled By Domain Killswitch

The Ransomware seems to be the first that is P2P using an SMB exploit from the NSA Leak just last month.

The WannaCrypt ransomware worm, aka WanaCrypt or Wcry, today exploded across 74 countries, infecting hospitals, businesses including Fedex, rail stations, universities, at least one national telco, and more organizations.

In response, Microsoft has released emergency security patches to defend against the malware for unsupported versions of Windows, such as XP and Server 2003, as well as modern builds.

To recap, WannaCrypt is installed on vulnerable Windows computers by a worm that spreads across networks by exploiting a vulnerability in Microsoft’s SMB file-sharing services. It specifically abuses a bug designated MS17-010 that Redmond patched in March for modern versions of Windows, and today for legacy versions – all remaining unpatched systems are therefore vulnerable and can be attacked.

This bug was, once upon a time, exploited by the NSA to hijack and spy on its targets. Its internal tool to do this, codenamed Eternalblue, was stolen from the agency, and leaked online in April – putting this US government cyber-weapon into the hands of any willing miscreant. Almost immediately, it was used to hijack thousands of machines on the internet.

Now someone has taken that tool and strapped it to ransomware: the result is a variant of WannaCrypt, which spreads via SMB and, after landing on a computer, encrypts as many files as it can find. It charges $300 or $600 in Bitcoin to restore the documents. It is adept at bringing offices and homes to a halt by locking away their data.

There appeared to be over 100,000 infected hosts and quite a number paid netting the attackers over $25,000 (not that great a payday considering how much media coverage it got).

Also, in a very unusual move Microsoft has released patches for all versions of Windows (including all the way back to XP) for the SMB exploit used in the malware. Not that I expect most people getting hammered by it to be installed patches, or blocking access to port 445 over the Internet..or anything else remotely sensible.

And it installs Doublepulsar, a backdoor that allows the machine to be remotely controlled. That’s another stolen NSA tool leaked alongside Eternalblue. The malware is also controlled via the anonymizing Tor network by connecting to hidden services to receive further commands from its masters.

Fortunately, a kill switch was included in the code. When it detects that a particular web domain exists, it stops further infections. That domain was created earlier today by a UK infosec bod, who spotted the dot-com in the reverse-engineered binary; that registration was detected by the ransomware, which immediately halted its worldwide spread.

Connections to the magic domain – iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com – were sinkholed to a server in California, and the admins of infected systems reaching out to the dot-com will be notified, we’re told. “IP addresses from our sinkhole have been sent to FBI and ShadowServer so affected organisations should get a notification soon,” said the researcher. The infosec bod admitted they registered the domain first, then realized it was a kill switch. Still, job done.

The most interesting part for me was when a Malware researched accidentally disabled the spread of the ransomeware by registered a domain it used as a killswitch.

How to Accidentally Stop a Global Cyber Attacks

To be fair, calling it accidental is pretty humble, but he didn’t mean to disable the spread. The malware checked an unregistered domain to see if it resolved, if it did it exited as it most likely means it’s running in a sandbox and being examined or reverse engineered.

The problem was, this guy registered the domain, so after propagation it always resolved, meaning any new instances of WannaCry failed.

Source: The Register

Posted in: Cryptography, Exploits/Vulnerabilities, Malware

, ,

Latest Posts:

zBang - Privileged Account Threat Detection Tool zBang – Privileged Account Threat Detection Tool
zBang is a risk assessment tool for Privileged Account Threat Detection on a scanned network, organizations & red teams can use it to identify attack vectors
Memhunter - Automated Memory Resident Malware Detection Memhunter – Automated Memory Resident Malware Detection
Memhunter is an Automated Memory Resident Malware Detection tool for the hunting of memory resident malware at scale, improving threat hunter analysis process.
Sandcastle - AWS S3 Bucket Enumeration Tool Sandcastle – AWS S3 Bucket Enumeration Tool
Sandcastle is an Amazon AWS S3 Bucket Enumeration Tool, formerly known as bucketCrawler. The script takes a target's name as the stem argument (e.g. shopify).
Astra - API Automated Security Testing For REST Astra – API Automated Security Testing For REST
Astra is a Python-based tool for API Automated Security Testing, REST API penetration testing is complex due to continuous changes in existing APIs.
Judas DNS - Nameserver DNS Poisoning Attack Tool Judas DNS – Nameserver DNS Poisoning Attack Tool
Judas DNS is a Nameserver DNS Poisoning Attack Tool which functions as a DNS proxy server built to be deployed in place of a taken over nameserver to perform targeted exploitation.
dsniff Download - Tools for Network Auditing & Password Sniffing dsniff Download – Tools for Network Auditing & Password Sniffing
Dsniff download is a collection of tools for network auditing & penetration testing. Dsniff, filesnarf, mailsnarf, msgsnarf, URLsnarf, and WebSpy passively monitor a network

2 Responses to WannaCry Ransomware Foiled By Domain Killswitch

  1. George May 17, 2017 at 5:21 am #

    So how does registering that domain actually stop it. I mean why would WannaCry actually check to see if that domain is registered  ?

    • Darknet May 18, 2017 at 1:22 am #

      As I mentioned in the article, it checks to see if it resolves, not if it’s registered, if an unregistered domain resolves that likely means the ransomware is running a sandbox and being forensically examined so it exits. The problem was WannaCry used a hardcoded domain not some random string to verify so once the domain was registered and always resolved, it would always exit, even when not in a sandbox.