It’s been a busy week in infosec, with WannaCry 1.0 (kill-switch-enabled) and 2.0 (kill-switch-free) making the rounds and, at least as of May 16, having raked in over $75k in Bitcoin payments according to our Senior Security Researcher, Kyle Wilhoit (@lowcalspam). And, being DomainTools, we certainly took note of the key role that a domain registration played in the WannaCry story.
But there is something profoundly upside-down about this story, compared to your run-of-the-mill malware: the domain at the center of the story was one that you actually would *want* your devices to call out to, because if WannaCry got a response from that domain, it shut itself down. It was a mechanism possibly designed to detect whether the malware was in a security sandbox—the designer’s theory perhaps being that many sandboxes would have furnished some kind of response, albeit spoofed, to any command-and-control (C2) infrastructure the malware tried to call out to. The person configuring the sandbox would have done something such as telling the local DNS server to point all queries to a specific server. Thus, every domain would receive some basic response from that server. It’s worth noting that this may not in fact be the original intent of this “kill switch;” the behavior may have been a bug. Unless the author comes forward to explain, we may never know for sure. Nevertheless, the malware’s author never registered the domain, and a quick-thinking security researcher did. Once it popped up and started giving responses, the spread of the 1.0 version of the malware pretty much halted.
In the normal order of things, if you discover a domain that is tied to command-and-control (C2) infrastructure for a botnet or malware, you want to block the domain. And, if you use DomainTools or similar DNS/domain profile investigation and analysis tools, you also look for other infrastructure related to the malware and block that, too. But with the first version of WannaCry, doing so would have allowed the malware to go its merry way, encrypting your data. It is, in short, a perfect example of the exception that proves the rule.
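What this looks like on the defender’s side is a DNS log review rather than a block: any host that looked up the kill-switch domain had the malware running, and an unanswered lookup (NXDOMAIN, or a resolver that sinkholed it) means that run kept going. The script below is an added example, not DomainTools code; the domain name is a placeholder (the page does not name the real one) and the resolver log format and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Placeholder only: the real WannaCry kill-switch domain is not named on this page.
KILL_SWITCH_DOMAIN = "killswitch-domain.example"

# Constructed resolver log lines in a hypothetical format:
# "<timestamp> <client-ip> <qname> <rcode> <answer>"
SAMPLE_LOG = """\
2017-05-12T08:01:12Z 10.0.4.17 killswitch-domain.example NXDOMAIN -
2017-05-12T08:01:13Z 10.0.4.17 update.example.com NOERROR 93.184.216.34
2017-05-12T09:30:44Z 10.0.7.2 killswitch-domain.example NOERROR 203.0.113.5
2017-05-12T09:31:01Z 10.0.4.17 killswitch-domain.example NOERROR 203.0.113.5
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, rcode, answer = m.groups()
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."),
            "rcode": rcode, "answer": answer}


def find_kill_switch_lookups(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: {"queries", "resolved", "unresolved"}} for lookups of the domain.

    Every lookup is worth triage: the sample only asks for the domain while it is
    already executing on that host. A resolved answer is the case where it halted;
    an NXDOMAIN/empty answer is the case where it would have carried on."""
    hits = defaultdict(lambda: {"queries": 0, "resolved": 0, "unresolved": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qname"] != domain:
            continue
        h = hits[rec["client"]]
        h["queries"] += 1
        if rec["rcode"] == "NOERROR" and rec["answer"] != "-":
            h["resolved"] += 1
        else:
            h["unresolved"] += 1
    return dict(hits)


def triage(hits):
    """Label each host: 'halted' if every lookup got an answer, else 'likely-continued'."""
    return {c: ("halted" if h["unresolved"] == 0 else "likely-continued")
            for c, h in hits.items()}
```

Hosts labelled likely-continued had at least one run that never saw a response and should be treated as infected, not merely exposed.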
Why does it prove the rule? What if other malware families follow this pattern and have domain-related kill switches? Well…this doesn’t seem likely. Since a huge number of potential victims are able to call out to C2 domains, it would be unwise for malware authors to repeat this method. Perhaps the surest confirmation of that is the revised version of WannaCry that disabled this “feature,” and as of this writing is busily encrypting files all over the globe.
So the big picture remains unchanged: if you detect infrastructure, such as domains or IP addresses, tied to badness, it’s important to dig into sources such as Whois records, passive DNS databases, and other domain profile information, to find and block related infrastructure. WannaCry 1.0 may have flown in the face of this advice, but odds are the next big threat to make the rounds won’t.
Be safe out there.