Over the last few days, organisations across the world have been reeling from the impact of a cyber attack which leveraged a vulnerability in Windows operating systems. Cybersecurity firm Avast reported at least 75,000 cases of infected devices in 99 countries. Amongst the worst hit was the UK’s National Health Service, resulting in cancelled appointments and operations.
The cyber-attack came in the form of a malicious ransomware program called WannaCry (also WannaCrypt, WannaCrypt0r and other variants of that name).
Last Friday, after the initial outbreak, a cybersecurity researcher identifying himself as MalwareTech halted the spread of WannaCry in just a few hours. News articles over the weekend have dubbed him an ‘accidental hero’, but this doesn’t do him justice: MalwareTech is a professional and he knows what he’s doing.
MalwareTech analyses and researches malware. His job, in his own words, is to look for ways to track and potentially stop malware. On Saturday he posted an article on his blog outlining how he found the killswitch. Admittedly, it’s quite technical, so this is what he did, in full detail, but in layman’s terms.
The first thing MalwareTech did was to get a sample copy of the malware, which he brought into his virtual analysis environment. This is a safe, isolated system that a researcher can infect with a specimen of the malware and then use monitoring tools to observe how it behaves. (You can see an example of someone running WannaCry in this type of environment in this video).
Upon running the sample in this virtual laboratory space, MalwareTech noticed that WannaCry contained an instruction to check (or ‘query’) an unregistered domain: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.
He promptly registered it; the purchase cost him $10.69. In doing so, his hope was that the domain might be a command-and-control (C&C) server. These are used by attackers to maintain communications with compromised systems or ‘botnets’. A botnet is a collection of devices (e.g. PCs or smartphones) infected with malware.
Finding unregistered or expired C&Cs linked to active botnets can enable researchers like MalwareTech to gather data on the geographical distribution and scale of the infections, including IP addresses. These can be used to notify victims that they’re infected and assist law enforcement.
Secondly, they can be used to point botnets towards a ‘sinkhole’: a server designed to capture malicious traffic and prevent control of infected computers by the criminals who infected them. Taking command of a C&C makes it possible to redirect requests for that server to an analyzing machine, where these requests provide information to researchers about the nature of the botnet.
Finally, claiming a C&C can allow researchers to reverse-engineer the malware and see if there are any vulnerabilities in the code, allowing them to take over the malware/botnet and prevent the spread or malicious use.
MalwareTech intended to use the newly registered domain to go through these processes, his only ‘accident’ was that in simply registering the domain, he had already done it.
The bit of code that queried iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com was simply trying to connect to it. The rule was: if the connection is not successful it ransoms the system, if it is successful the malware leaves.
MalwareTech explains that the cybercriminals probably meant for this query to prevent analysts being able to study the ransomware using a ‘sandbox’.
A sandbox is a security mechanism used for separating running programmes, often when running untrusted code (e.g. malware). It is implemented by executing the software in a restricted operating system environment, thus controlling the resources that a process may use.
MalwareTech believes that the cybercriminals used an intentionally unregistered domain which would appear registered in certain sandbox environments. That way, if the ramsomware saw the domain responding, it would know it’s in a sandbox environment and would exit to prevent further analysis.
Fortunately, the anti-analysis protocol was badly thought through and registering the domain essentially acted as a killswitch: copies of WannaCry across the world would access the domain and, upon discovering it was registered, believe they were in a sandbox and so exit the system.
In this way, this one simple move - registering the domain - prevented the spread of WannaCry ransomware to vulnerable systems.
MalwareTech notes on his blog that his actions have only prevented the spread of this version of WannaCry, and nothing is stopping the cybercriminals behind it from removing the domain query and releasing it again.
Importantly, Microsoft issued a patch for this security flaw long before WannaCry struck, and systems were infected on Friday simply because they had not updated their operating system.
This story exemplifies why out-of-date software is a disaster waiting to happen. At a time when technology underpins our lives, our economy and our society, organisations still struggle to prioritise security and keep systems up to date. Much of the damage we have seen in recent days (and will probably see in the days to come) could have been prevented with one simple act of due diligence.
As MalwareTech warns - it’s incredibly important that any unpatched systems are patched as quickly as possible. We subscribe to that view; click update when your computer asks. Just do it. There might not be a killswitch next time.