3

The WannaCry ransomware contains a killswitch, a URL that, when registered, caused the malware to shut down.

Question is, who put in the killswitch?

Was it the bad guys? Was it the NSA? Could it have been anyone else?

Ben Aveling
  • 266
  • 1
  • 7
  • My guess is that there are two distinct groups in action here: the malware author (the Shadow Group themselves, IMHO) which only focus on a demonstration of power against the NSA, and the malware spreaders which were just used as cover. The latter ones most probably believed in the ransom goal and were unaware of the presence of the kill-switch, they tried to remove it with more-or-less success because they have no access to the source-code. See [my article](http://www.whitewinterwolf.com/post/2017/05/16/Wannacry%3A-a-full-scale-war-game.) for details and references. – WhiteWinterWolf May 16 '17 at 16:59

2 Answers

7

The bad guys put the killswitch in their own malware. It couldn't be anyone else, since that malware's vulnerability was in the malware's code.

It's common practice for malware to check if you're in a sandboxed environment to prevent reverse-engineering (via MITM, for example), and to ease development.

They failed to implement a correct check, since the registration of one domain led to the malware being unable to encrypt anything.

Benoit Esnard
  • 13,942
  • 7
  • 65
  • 65
  • 1
    Hi, you may be confusing vulnerability (the weakness in the target code) with exploit (the code that takes advantage of the weakness). The exploit is from the NSA. The vulnerability is from Microsoft. – Ben Aveling May 15 '17 at 00:44
  • @BenAveling: Just edited my answer to clarify which vulnerability I was speaking about. I consider the killswitch fail as a vulnerability in the malware, which itself exploited a vulnerability from Microsoft. – Benoit Esnard May 15 '17 at 00:47
  • Agree. That could have happened. So now we're speculating: accidental mistake in professional software (possible) vs. deliberate killswitch in munition (best practice). Was it accidentally left in place, or deliberately put in place? – Ben Aveling May 15 '17 at 01:06
  • I think the check may have been correct. They just neglected to purchase the domain so nobody else could. – Alexander O'Mara May 15 '17 at 02:12
  • 2
    I think the goof is that the domain was one that *could* be purchased. I think I would choose a [TLD like `randomxyzdomain.local` that can't be registered](https://security.stackexchange.com/a/14805/69959) on the www. That way I could get the dev environment benefits of having the "i'm a developer flag, don't trash my VM" via local DNS but out on the internet, there's no technical way to register my `randomxyzdomain.local` name. – cottsak Aug 07 '17 at 04:51
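The answer above describes the killswitch as a sandbox check that went wrong: the malware asks whether a domain resolves, treats any answer as "I am being analysed" and halts. The following is an added illustration, not WannaCry's code and not code from the page; the domain name (a `.invalid` placeholder), the three resolver behaviours and the DNS log lines are all constructed. It shows why a single registration flipped the check for every infected machine, and how a defender can use the same DNS queries to find infected hosts.

```python
"""Model of a DNS-based 'am I being analysed?' check and of why registering
the domain disarmed it.  Added example; names and inputs are constructed."""
from typing import Callable, Dict, List, Optional

# Constructed placeholder; the real killswitch domain is deliberately not used.
KILLSWITCH_DOMAIN = "example-killswitch-placeholder.invalid"

# A resolver returns an IP string, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def should_halt(domain: str, resolve: Resolver) -> bool:
    """The check as the answer characterises it: if the name resolves at all,
    assume an analysis sandbox (which answers every query) and stop.

    The flaw: 'resolves' is also true once anybody registers the name, so one
    registration turns a local sandbox check into a global off-switch."""
    return resolve(domain) is not None


# --- Constructed resolver behaviours for three environments ----------------

def internet_before_registration(domain: str) -> Optional[str]:
    """Public DNS while the name is unregistered: NXDOMAIN for everything."""
    return None


def make_internet_after_registration(registered: Dict[str, str]) -> Resolver:
    """Public DNS after a defender registers (sinkholes) the name."""
    def resolve(domain: str) -> Optional[str]:
        return registered.get(domain)
    return resolve


def analysis_sandbox(domain: str) -> Optional[str]:
    """Sandboxes often fake DNS so samples keep running: every name resolves."""
    return "10.0.0.1"


def outcomes() -> Dict[str, bool]:
    """Run the check under each environment; True means the malware halts."""
    sinkholed = make_internet_after_registration({KILLSWITCH_DOMAIN: "192.0.2.10"})
    return {
        "wild, before registration": should_halt(KILLSWITCH_DOMAIN, internet_before_registration),
        "wild, after registration": should_halt(KILLSWITCH_DOMAIN, sinkholed),
        "analysis sandbox": should_halt(KILLSWITCH_DOMAIN, analysis_sandbox),
    }


# --- Defender's view: the same query is an infection indicator --------------

# Constructed DNS query log in a simple key=value format.
DNS_LOG = """\
2017-05-12T10:01:03 host=ws-017 q=example-killswitch-placeholder.invalid type=A
2017-05-12T10:01:04 host=ws-017 q=update.example.com type=A
2017-05-12T10:02:10 host=ws-042 q=example-killswitch-placeholder.invalid type=A
2017-05-12T10:02:11 host=ws-042 q=example-killswitch-placeholder.invalid type=A
"""


def hosts_querying(domain: str, log: str = DNS_LOG) -> List[str]:
    """Return the distinct hosts that queried `domain`, in first-seen order.
    Every host that asked is a host where the sample ran its check."""
    seen: List[str] = []
    for line in log.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        if fields.get("q") == domain and fields["host"] not in seen:
            seen.append(fields["host"])
    return seen


if __name__ == "__main__":
    for env, halted in outcomes().items():
        print(f"{env:28s} -> {'halts' if halted else 'runs'}")
    print("hosts that ran the check:", hosts_querying(KILLSWITCH_DOMAIN))
```

The resolver is injected rather than calling the real DNS so the model runs offline and each environment can be tried deterministically. The second half is the part that matters operationally: once the domain is sinkholed, the registrant's logs and the organisation's own resolver logs list exactly which machines executed the sample, which is how infected hosts were located after the registration.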
-4

I'm guessing it was the NSA.

For one of two reasons.

As a responsible state actor, at a minimum, they would have wanted to have a way to shut down the malware if anything went wrong. So they put in this URL.

They may not have intended for it to be a killswitch. It may actually be intended for a Command and Control Centre, but if so, it won't be responding correctly, which could mean the killswitch behaviour is accidental.

And then, when the bad guys repackaged NSA's exploit (the code that takes advantage of the vulnerability in Microsoft's code) into their own malware, they didn't realise that it contained this behaviour or they would have removed it or replaced the hardcoded domain name with an IP address. (Domain names rapidly get handed over to the authorities in cases like this.)

It does make sense for NSA to have done this. Having a self-destruct is common practice in rockets.

It doesn't make sense for the bad guys to have done this. Though it could have happened by accident, as per Benoit's answer.

And I don't see how anyone else could have done it.

Ben Aveling
  • 266
  • 1
  • 7
  • 2
    The NSA allegedly found the exploit (and may have used it), but this is just the hole used by the malware to spread, this has nothing to do with the actions done by the program once it infects a machine. – Benoit Esnard May 15 '17 at 00:38
  • Hi. I've clarified my answer to make clear: NSA created an exploit to take advantage of a vulnerability. Everything I've read says that people are reusing NSA exploits, not that people are creating new exploits to take advantage of the same vulnerabilities that the NSA exploits use. – Ben Aveling May 15 '17 at 01:04
  • 1
    Can you list some sources for that claim (that people are using NSA exploits as opposed to independently finding and exploiting the same vulnerability)? – tangrs May 15 '17 at 01:16
  • "As a responsible state actor," That phrase is enough for a downvote right there (but I'm not gonna). NSA is not responsible. It's a bunch of punks screwing over America. – developerwjk May 15 '17 at 17:22
  • @tangrs How many references would you like? https://www.google.com.au/search?q=nsa+exploit+leak – Ben Aveling May 15 '17 at 17:56