
The kill switch discovered by Marcus Hutchins, the web security researcher: how did that kill switch actually work? Domain name registration must have been done on the system of the researcher, so how did it prevent its beacon to every other computer (did this happen or not?)

schroeder
Ashmika
  • A lot has been written on the kill switch. Have you performed some research first before posting here? – schroeder Jul 04 '17 at 19:53

2 Answers


domain name registration must have been done on the system of researcher

No. The domain was actually registered and is available to everyone:

~$ whois iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
   Domain Name: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM
   Registry Domain ID: 2123519849_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.namecheap.com
   Registrar URL: http://www.namecheap.com
   Updated Date: 2017-06-22T16:05:38Z
   Creation Date: 2017-05-12T15:08:04Z
   Registry Expiry Date: 2023-05-12T15:08:04Z

The malware will try to connect to this domain. If it succeeds, it will abort, otherwise it will continue.

The researcher who registered the domain explains it here.

In his research, he first entered the domain in his hosts file, and after seeing that it stopped the malware on his local system, he registered the domain, thus preventing this specific version of the malware from doing harm on any system that could connect to the domain (this was actually more of an accident; the researcher originally wanted to collect further information on the malware).

The researcher also guesses at what the malware writers wanted to achieve with this "kill switch":

In certain sandbox environments traffic is intercepted by replying to all URL lookups with an IP address belonging to the sandbox rather than the real IP address the URL points to; a side effect of this is that if an unregistered domain is queried it will respond as if it were registered (which should never happen).

I believe they were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments; then once they see the domain responding, they know they're in a sandbox, so the malware exits to prevent further analysis.

tim


It worked because the code checked that the domain didn't respond to a connection. When he hooked it up to a server, it responded, causing the code to exit.

In other words when the domain was online the code didn't complete its execution.

As a side note, many researchers do not believe it was a kill switch; it was possibly a way of testing whether it was in a sandbox.

ISMSDEV
  • How does no response imply not a sandbox? –  Jul 05 '17 at 15:14
  • Other way around. Many sandbox environments used for testing malware use a fake server and dns to respond to queries so the researchers can see what data is being sent and received. – ISMSDEV Jul 05 '17 at 15:22
  • The code should have exited on the system where the domain name registration was done; how did it prevent any further attack? Other systems which were infected were also beaconing? – Ashmika Jul 06 '17 at 14:09
  • "the code should have exited from the system where the domain name registration was done" - Nothing to do with whether it was registered or not. "how did it prevent any further attack, other systems which were infected were also beaconing?" - Don't understand the point. As @schroeder says, have you done any research? There are 1000s of articles explaining how it worked in various depths. Some very good ones :) – ISMSDEV Jul 06 '17 at 15:22
  • It's given that he registered a domain name, so why do we have nothing to do with that? The point is how it prevented other systems from spreading the virus further, because on those systems the domain name registration was not done; I have done some research but was not able to get the exact point, as these things are new for an unaccustomed student like me – Ashmika Jul 07 '17 at 07:28
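The point both answers make, and the one the last comment is still missing, is that registration is a property of the public DNS, not of the machine that did the registering: once the name resolves, it resolves for every infected host that can reach the Internet, and each of them takes the "connection succeeded, abort" branch. The following is an added example written for this page, not code from either answer or from the malware; it models the check as the answers describe it, with the resolver injected so nothing touches the network, and adds the defender's side: pulling the hosts that looked up the kill-switch name out of a DNS log. The resolver behaviours, IP addresses and log lines are constructed for illustration; only the domain name comes from the whois output above.

```python
"""Added example: models the kill-switch check described in the answers and the
defender's view of it. Resolver behaviours, IPs and log lines are constructed."""
import re
from typing import Callable, Dict, Set

# The kill-switch domain quoted in the whois output above.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"


class NXDomain(Exception):
    """Lookup failed: the name does not resolve (unregistered, no hosts entry)."""


def kill_switch_says_stop(domain: str, resolve: Callable[[str], str]) -> bool:
    """Return True when the check succeeds and execution would abort.

    The answers describe the logic as: try to reach the domain; if the attempt
    succeeds, abort; if it fails, carry on. Only the lookup outcome matters, so
    the resolver is injected and nothing here uses the network.
    """
    try:
        resolve(domain)
    except NXDomain:
        return False  # unreachable: check fails, execution continues
    return True  # reachable: check succeeds, execution stops


# --- Four resolver behaviours (constructed) --------------------------------

def resolver_unregistered(name: str) -> str:
    """Public DNS before the name was registered (see whois Creation Date)."""
    raise NXDomain(name)


def resolver_hosts_file(entries: Dict[str, str]) -> Callable[[str], str]:
    """The researcher's first test: a hosts-file entry on one machine only."""
    def resolve(name: str) -> str:
        if name in entries:
            return entries[name]
        raise NXDomain(name)
    return resolve


def resolver_registered(sinkhole_ip: str) -> Callable[[str], str]:
    """After registration: every host that can reach public DNS gets an answer."""
    return lambda name: sinkhole_ip


def resolver_sandbox(fake_ip: str) -> Callable[[str], str]:
    """Sandbox that answers every lookup, registered or not, with its own IP."""
    return lambda name: fake_ip


# --- Defender's side: find hosts that queried the name --------------------

# Constructed resolver log: "<time> client <ip> query <name>".
SAMPLE_DNS_LOG = """\
2017-05-12T16:01:02Z client 10.0.4.17 query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T16:01:05Z client 10.0.4.23 query example.com
2017-05-12T16:02:41Z client 10.0.4.17 query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T16:03:00Z client 10.0.9.8 query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
"""

_LOG_RE = re.compile(r"client (?P<ip>\d+\.\d+\.\d+\.\d+) query (?P<name>\S+)$")


def hosts_querying(domain: str, log_text: str) -> Set[str]:
    """Return the client IPs that looked up `domain`.

    A host that queries the kill-switch name has already run the sample; the
    successful lookup only stops it going further. Such hosts still need
    patching and cleanup, so the sinkhole's query log is a list of infections.
    """
    found: Set[str] = set()
    for line in log_text.splitlines():
        m = _LOG_RE.search(line)
        if m and m.group("name").lower() == domain:
            found.add(m.group("ip"))
    return found


if __name__ == "__main__":
    local_only = resolver_hosts_file({KILL_SWITCH_DOMAIN: "127.0.0.1"})
    print("unregistered:", kill_switch_says_stop(KILL_SWITCH_DOMAIN, resolver_unregistered))
    print("hosts file  :", kill_switch_says_stop(KILL_SWITCH_DOMAIN, local_only))
    print("registered  :", kill_switch_says_stop(KILL_SWITCH_DOMAIN, resolver_registered("198.51.100.10")))
    print("sandbox     :", kill_switch_says_stop(KILL_SWITCH_DOMAIN, resolver_sandbox("10.0.0.1")))
    print("queried by  :", sorted(hosts_querying(KILL_SWITCH_DOMAIN, SAMPLE_DNS_LOG)))
```

The hosts-file resolver only returns an answer on the one machine that has the entry, which is why the researcher's local test stopped only his own copy; the registered resolver answers for any caller, which is what made registration effective everywhere at once, and the sandbox resolver answers for any name, which is the sandbox-evasion reading quoted in the first answer.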