The WannaCry kill switch wasn't inserted to make someone a hero

Posted by   Martijn Grooten on   Aug 8, 2017

Almost three months after its damaging outbreak, the WannaCry malware remains shrouded in mystery. Last week's arrest of security researcher Marcus Hutchings, better known and hereafter referred to by his online handle MalwareTech, has added yet more mystery.

With very little factual information on the case available, there is little point in speculating about whether MalwareTech was involved in the development of the Kronos banking trojan, as the FBI believes he was. As someone who knows him personally, there is even less point in me doing any speculating. But seeing as a number of people have suggested that the kill switch in WannaCry was inserted by MalwareTech himself, allegedly to make himself a hero, it seems a good idea to look at how the kill switch actually worked.

banner-wannacry-blog.jpg


When run, like just about every modern piece of malware, WannaCry makes a number of Internet connections, one of which is to the domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com – which at the time of the outbreak was unregistered. It is not uncommon for malware to connect to random-looking domains; often the domains to which a piece of malware connects are changed every day using a domain generation algorithm (DGA) – an algorithm known only to the malware authors (though obviously hidden deep inside the malware's code), thus making registering such a domain an easy way for them way to keep control of the malware, even if all their infrastructure has been taken down.

On seeing malware connect to an unregistered domain, it is common for researchers to register the domain themselves and point it to a server they control – a technique known as sinkholing. This gives researchers important insight into the size and geographical spread of a malware outbreak (indeed, it was used to estimate the size of WannaCry), and occasionally allows them to actually control the behaviour of the malware or botnet. I myself have done some research on botnets based entirely on sinkholing, and I'm not the only one.

Given how common this practice is, someone was always bound to register the domain queried by WannaCry; MalwareTech was just the first one to do so. What made this case somewhat unique was the fact that the domain functioned as a kill switch: the malware would stop spreading if a successful connection was made to the domain.

There are a number of theories as to why it was implemented this way. One is that this was indeed a kill switch, and was inserted by the people behind WannaCry in case its spreading got out of hand. Another is that this was a simple anti-analysis trick: in many malware sandboxes, any Internet request, whether to a registered domain or not, will give a response, thus indicating to the malware that it is being analysed.

Although I don't know the real reason either, I find neither of these explanations satisfactory, as it is common knowledge that the domain would be registered very quickly. There are much more effective ways to implement a kill switch or to check whether the malware is being run inside a system that responds to any Internet connection.

There are also much better ways to implement a kill switch that can be 'discovered' by its author, which would significantly reduce the chances of someone else discovering it. Activating WannaCry's 'kill switch' wasn't rocket science, and MalwareTech just happened to be the first one to do so. That made him an 'accidental' hero, though his previous work on sinkholing botnets is certainly worthy of credit.

It is, of course, possible for heroes to have made mistakes in the past, and we can only hope for a quick and, importantly, fair trial. But I believe that the probability of MalwareTech having been behind WannaCry is as high as it is for as you and I having been behind it, so it seems best to assume he wasn't.

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

New paper: LokiBot: dissecting the C&C panel deployments

First advertised as an information stealer and keylogger when it appeared in underground forums in 2015, LokiBot has added various capabilities over the years and has affected many users worldwide. In a new paper researcher Aditya Sood analyses the…

VB2019 presentation: Building secure sharing systems that treat humans as features not bugs

In a presentation at VB2019 in London, Virtru's Andrea Limbago described how, by exploring data sharing challenges through a socio-technical lens, it is possible to make significant gains toward the secure sharing systems and processes that are vital…

VB2019 presentation: Attor: spy platform with curious GSM fingerprinting

Attor is a newly discovered cyber-espionage platform, use of which dates back to at least 2014 and which focuses on diplomatic missions and governmental institutions. Details of Attor were presented at VB2019 in London by ESET researcher Zuzana…

Why we encourage newcomers and seasoned presenters alike to submit a paper for VB2020

With the call for papers for VB2020 currently open, we explain why, whether you've never presented before or you're a conference circuit veteran, if you have some interesting research to share with the community we want to hear from you!

VB2019 paper: The cake is a lie! Uncovering the secret world of malware-like cheats in video games

At VB2019 in London, Kaspersky researcher Santiago Pontiroli presented a paper on the growing illegal economy around video game cheats and its parallels with the malware industry. Today we publish both Santiago's paper and the recording of his…

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.