Believe it or not, the massive WannaCry ransomware that shut down tens of thousands of computers carries a built-in check that makes it stop itself when triggered. Luckily, we have a hero standing on our side this time.
Apparently, there was a kill switch built into the malware. It attempts an HTTP GET request to iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com, a “random” human-typed address that consists mostly of keys from the top row of the keyboard. The check was found in WannaCry’s code.
If the request to that domain succeeds, the malware stops propagating and exits. Because the domain wasn’t registered during the first outbreak, the malware kept executing, propagating, and spreading like wildfire until a researcher worked out what was going on and simply registered the domain name!
So I can only add "accidentally stopped an international cyber attack" to my Résumé. ^^
— MalwareTech (@MalwareTechBlog) May 13, 2017
That’s our hero, though an accidental one: @MalwareTechBlog, who noticed the traffic to the unregistered domain, registered it, and sinkholed it, thus stopping the bleeding in a major way.
It’s still a mystery why the kill switch existed in the first place. It seems to run counter to the goal of infecting as many machines as possible, as quickly as possible. Anyway, while this variant of WannaCry should not be spreading any further, more copycat variants are likely to emerge soon. You still need to follow the instructions to patch your system and protect your own data.
Also, note that the kill switch is not proxy aware. On a network where outbound web traffic must go through a proxy server, the malware’s direct request to the domain fails, so the kill switch never fires and the malware keeps running.
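As an added example (not code from the original post or from the malware), here is how a defender could triage resolver logs for the kill-switch behaviour described above, including the proxy caveat. The log format and the client addresses are constructed for the example; only the domain comes from the post.

```python
import re
from collections import defaultdict

# Kill-switch domain quoted in the post, written here without the [.] de-fanging.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample resolver log (hypothetical format):
#   "<timestamp> <client-ip> query <qname> <rcode>"
SAMPLE_DNS_LOG = """\
2017-05-12T10:01:03Z 10.0.4.17 query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
2017-05-12T10:01:05Z 10.0.4.22 query www.example.com NOERROR
2017-05-12T10:02:41Z 10.0.5.9 query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
2017-05-13T08:15:20Z 10.0.4.17 query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR
2017-05-13T08:16:02Z 10.0.4.22 query update.example.com NOERROR
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+) (?P<rcode>\S+)$")


def parse_dns_log(text):
    """Yield (timestamp, client, qname, rcode) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (m.group("ts"), m.group("client"),
                   m.group("qname").lower().rstrip("."), m.group("rcode"))


def triage_kill_switch_queries(text, domain=KILL_SWITCH_DOMAIN):
    """Per client that looked up the kill-switch domain, report what the lookups imply.

    Any lookup at all means the sample ran on that host: it checks the domain before
    deciding whether to exit. NXDOMAIN means the check failed, so the kill switch did
    not fire and the host kept propagating. NOERROR means the domain resolved (e.g. after
    the sinkhole registration) and the sample exited, but the host is still infected.
    On a proxied network the direct request fails regardless, so expect the
    "did not fire" outcome there even after the domain was registered.
    """
    report = defaultdict(lambda: {"lookups": 0, "unresolved": 0, "resolved": 0})
    for _ts, client, qname, rcode in parse_dns_log(text):
        if qname != domain:
            continue
        entry = report[client]
        entry["lookups"] += 1
        entry["resolved" if rcode == "NOERROR" else "unresolved"] += 1
    for entry in report.values():
        entry["verdict"] = ("ran while the kill-switch domain was unresolvable; likely propagated"
                            if entry["unresolved"] else
                            "exited via kill switch; host still infected and needs cleanup")
    return dict(report)
```

Every host in the report is an infection lead regardless of verdict; the verdict only tells you whether the kill switch saved you from that host spreading further.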
Last updated: 05/15/2017