Month: May 2017

WannaCry killswitch

At this point almost everybody has heard about WannaCry, the largest ransomware infection in history so far. And all the relevant updates have been installed in order to fix this problem, right? Except if you are still using, for example, Windows XP and updates are not available for your system. In that case, you are in trouble.

In order to be successful and in control, this kind of malware must have a killswitch. The killswitch of WannaCry is quite interesting, to say the least. At an early stage of execution, WannaCry sends an HTTP request to a fixed domain and continues execution if the request fails. But the strange thing is that the domain name was unregistered and for sale! The research group MalwareTech was able to register the domain and make the HTTP call succeed. As a result, the malware exits at an early stage of execution and has stopped spreading further.
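Because the malware keeps running when the killswitch request fails, web proxy logs show which infected hosts need isolating first. The following triage script is an added example, not part of the original post: the domain is a placeholder (the post does not name the real one), the log format and log lines are constructed, and treating every non-2xx status as a failed request is an assumption.

```python
from collections import defaultdict

# Placeholder: the page does not name the real kill-switch domain.
KILLSWITCH_DOMAIN = "killswitch-domain.example"

# Constructed proxy log lines: timestamp client_ip method host status
SAMPLE_LOG = """\
2017-05-13T09:14:02Z 10.0.4.17 GET killswitch-domain.example 200
2017-05-13T09:14:05Z 10.0.4.22 GET intranet.example 200
2017-05-13T09:15:40Z 10.0.7.3 GET killswitch-domain.example 504
2017-05-13T09:16:11Z 10.0.7.9 GET KILLSWITCH-DOMAIN.EXAMPLE. 403
2017-05-13T09:17:30Z 10.0.4.17 GET killswitch-domain.example 200
2017-05-13T09:18:02Z 10.0.9.1 GET killswitch-domain.example 200
2017-05-13T09:19:47Z 10.0.9.1 GET killswitch-domain.example 502
malformed line without enough fields
"""

def normalize_host(host):
    """Lower-case, drop port and trailing dot so variants compare equal."""
    return host.lower().split(":")[0].rstrip(".")

def triage(log_text, domain=KILLSWITCH_DOMAIN):
    """Map each client that requested the kill-switch domain to a verdict.

    'continued': at least one request failed, so that run kept executing
                 (the behaviour described above); isolate these first.
    'exited':    every request succeeded, so each run stopped early; the
                 host still executed the sample and needs cleanup.
    """
    outcomes = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # skip malformed lines rather than guessing
        _, client, _, host, status = fields
        if normalize_host(host) == domain:
            # Assumption: any non-2xx status counts as a failed request.
            outcomes[client].append(200 <= int(status) < 300)
    return {c: "exited" if all(ok) else "continued" for c, ok in outcomes.items()}

def isolation_order(verdicts):
    """Hosts where the malware kept running come first, then the rest."""
    return sorted(verdicts, key=lambda c: (verdicts[c] != "continued", c))

if __name__ == "__main__":
    verdicts = triage(SAMPLE_LOG)
    for client in isolation_order(verdicts):
        print(client, verdicts[client])
```

A host that only ever shows successful requests still ran the sample, so "exited" means lower priority, not clean.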

I don’t know what these people were thinking, but this design seems to be really stupid. Didn’t they understand that the network traffic of the malware can be analysed and the killswitch activated? MalwareTech received a 10,000 dollar bounty from HackerOne as a result of this finding and activating the killswitch.

Read the full story here.