Here's how the ransomware attack was stopped – and why it could soon start again

The ransomware cyber attack that has so far affected around 300,000 computers in 150 countries could have been much worse. In fact, it still could be. The spread of the malicious software (malware), nicknamed WannaCry or WannaCrypt, has been halted several times by researchers who have identified flaws in the program known as kill switches. But cybercriminals are already fighting back by altering the code, leading to a game of cat and mouse as researchers then have to hunt for a new kill switch.

Ransomware is a type of malware that blocks access to a computer until money is paid to release it. It is normally spread as an attachment on an email but WannaCry is different because it can spread through a local network on its own.

It looks for other computers running a file and printer sharing protocol called Server Message Block (SMB), which is found in older operating systems such as Windows XP that no longer receive routine security updates. It then uses a flaw in SMB to spread to other computers without their users having to download the file. This explains why more computers have been affected than is typical with this kind of malware.

The Achilles heel of malware is the need to call home to its operator. For ransomware, there has to be a mechanism for the program’s operator to collect the ransom money and unlock the data. These communications can provide a way for law enforcement to track down the cybercriminals, so they often build into their malware something called a kill switch.

Generally, a kill switch is a mechanism for turning off a device or a piece of software remotely – and abruptly – in an emergency, such as when it has been stolen or accessed without authorisation. In malware, a kill switch is a way for the operator to terminate their connection to the software to prevent authorities from discovering their identity.

One kill switch method is to redirect the malware’s communications to a “sinkhole” server, which can render it ineffective. Investigators can study the malware and look for such a kill switch or a way to take over the software.

A sophisticated piece of malware will often run its control communication across multiple unregistered internet domains. By periodically changing the domain it uses, the software can thwart attempts to understand or neutralise it. This means investigators need to constantly adapt and register any new domains the malware may try to use to make the sinkhole effective.

In the case of WannaCry, a researcher using the pseudonym MalwareTech ended up accidentally activating the kill switch when he tried to create a sinkhole in order to study the software. WannaCry included code that looked to check if a specified domain had been registered. If it received a response from the domain, it shut down. If not, it continued to work. So when MalwareTech registered the domain, it effectively activated the kill switch.

This kill switch was probably inserted to prevent investigators studying the software in a closed virtual environment called a “sandbox”. These typically respond to all communication attempts by the malware with signals from registered domains. So when WannaCry received a response from the domain, it was tricked into thinking it was in a sandbox and shut down to protect itself.

The problem is that modifying WannaCry’s code so it looks for a different unregistered domain will allow new versions of the software to continue running. In fact, one new variant of the malware has already been stopped after researchers registered the new domain, activating the related kill switch.
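The sinkhole and kill-switch behaviour described in the last few paragraphs, as an added simulation that is not code from the article or from any WannaCry sample: the domain names are constructed placeholders, and the three network behaviours (a registered sinkhole, a sandbox that answers every lookup, and a host with no route out) are modelled rather than real.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed placeholders: the article does not name the real kill-switch domains.
ORIGINAL_DOMAIN = "original-killswitch.example"
VARIANT_DOMAIN = "variant-killswitch.example"


@dataclass
class Network:
    """Toy model of what a host sees when it tries to contact a domain."""
    registered: set = field(default_factory=set)  # names that answer (e.g. a sinkhole)
    sandbox: bool = False          # analysis sandboxes answer every lookup
    egress_blocked: bool = False   # host has no path to the internet at all

    def responds(self, domain: str) -> bool:
        """True if contacting `domain` would yield a response."""
        if self.egress_blocked:
            return False
        return self.sandbox or domain in self.registered


def would_run(domain: str, net: Network) -> bool:
    """Kill-switch check as the article describes it: a response means the
    sample believes it is being analysed and exits; no response means it runs."""
    return not net.responds(domain)


def register_sinkhole(net: Network, domain: str) -> None:
    """What the researcher did: register the domain so it starts answering."""
    net.registered.add(domain)


def stop_variants(net: Network, observed_domains: list[str]) -> dict[str, bool]:
    """Cat and mouse: sinkhole every kill-switch domain seen in samples and
    report, per domain, whether that variant is now halted."""
    for d in observed_domains:
        register_sinkhole(net, d)
    return {d: not would_run(d, net) for d in observed_domains}


if __name__ == "__main__":
    net = Network()
    print("fresh internet, runs:", would_run(ORIGINAL_DOMAIN, net))            # True
    register_sinkhole(net, ORIGINAL_DOMAIN)
    print("after sinkhole, runs:", would_run(ORIGINAL_DOMAIN, net))            # False
    print("new variant, runs:", would_run(VARIANT_DOMAIN, net))                # True
    print("sandbox, runs:", would_run(VARIANT_DOMAIN, Network(sandbox=True)))  # False
    # Defender's caveat that follows from the same logic: a host with no route
    # out gets no response either, so the sinkhole does not protect it.
    blocked = Network(registered={ORIGINAL_DOMAIN}, egress_blocked=True)
    print("no egress, runs:", would_run(ORIGINAL_DOMAIN, blocked))             # True
```

The last case is the one to check in your own environment: the registered domain only halts hosts that can actually reach it.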

An interesting paradox is that WannaCry was developed using a surveillance tool called EternalBlue created by the US National Security Agency (NSA) and leaked by a group of hackers known by the pseudonym Shadow Brokers. They are now claiming to have further harmful source code for WannaCry and are threatening to release it into the wild for anyone to modify freely. Based on the history of previous similar malware, copycats are extremely likely. With major modifications to the source code, the recent updates made to anti-malware software will become futile as the cycle begins again.

Researchers are even questioning why WannaCry’s kill switch existed at all, given that it was so easy to discover and execute. The danger is that WannaCry was just a test to elicit the response of defenders so that deadlier variants can be unleashed later.

This article was originally published on The Conversation. Read the original article.

Adrian Winckles receives funding from iCure/DCMS for Cyber Security Innovation. He is a member of the Open Web Application Security Project European Board and its Cambridge Chapter Leader, BCS Vice Chair of the Cybercrime Forensics Special Interest Group, and UK Cyber Security Forum Cambridge Cluster Chair.
