2

I read the article on WannaCry on malwaretech.com and, as far as I understand, it works like this:

  • Try to connect via HTTP to www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  • If it gets a response, exit.
  • If not, do the next part (encryption etc.)

Flow on malwaretech.com

As far as I know, did registering the previously unregistered domain make the (first) WannaCry inoperable?

The reason for this was that a part of the code checks whether it got an answer when it opened a network connection to that domain.

So if the request that would be sent to the (theoretically) non-existent domain were, instead of just trying to connect and getting a "Connection Refused" message, redirected by the proxy to an existing host (which mostly just says that the URL is not reachable), would the (first) WannaCry never go active?

Serverfrog
  • 576
  • 7
  • 18
  • As far as I understand it, the domain was a killswitch which, when the domain responded, disables/does not enable WannaCry. If I'm wrong please correct me. So the first paragraph was not a question but to show what I currently knew about the principle of the usage of the domain. – Serverfrog May 17 '17 at 12:27
  • 1
    The most likely reason for putting this check in the code originally is to detect malware sandboxes, which do exactly what you've proposed - they redirect all traffic that the malware generates to a controlled server. Normally, malware authors want to make it difficult to investigate the behaviour of their code in a sandbox, so this is a simple check which can slow that process down. Obviously, this didn't really slow investigations down much, and later versions, without the kill switch, wouldn't be affected by a sandbox style check either. – Matthew May 17 '17 at 12:46
  • Possible duplicate of [How is the "WannaCry" Malware spreading and how should users defend themselves from it?](https://security.stackexchange.com/questions/159331/how-is-the-wannacry-malware-spreading-and-how-should-users-defend-themselves-f) – Xander May 17 '17 at 13:16
  • @Xander, I don't think this is duplicating the other question. The other question is how to defend against or clean up WannaCry. This question takes a more specific scope on the killswitch and whether it is aware that it isn't connecting to a server which is owned by the malware developer. – Serverfrog May 17 '17 at 14:43
  • This is a subset of the other question, and we've been closing questions of this type as duplicates. – Xander May 17 '17 at 14:52
  • 1
    So closing this question+answer as duplicating a question which doesn't even talk about this aspect? Does that seem wise? And wouldn't then every question that talks about how WannaCry works and how it lives be a duplicate of this question also? – Serverfrog May 17 '17 at 15:11
  • 1
    I agree that the topic of wannacry is big enough to deserve more than one catch all question. An answer that actually answered this question would be a poor fit for the suggested duplicate, and vice versa. – Anders May 17 '17 at 21:53
  • And not to forget: some antivirus products also block the killswitch domain and hence trigger the execution of the virus. – user689443 May 17 '17 at 16:01

1 Answer

2

Despite the downvotes this is actually a valuable question. WannaCry does not play well with the system proxy settings, so if you use a proxy, you will need to do this to activate the killswitch.

I did test the sample, it is not proxy aware. In an environment with an HTTP proxy and no direct connections to the Internet, the sample can not connect to the killswitch domain and it will infect the host. https://blog.didierstevens.com/2017/05/13/quickpost-wcry-killswitch-check-is-not-proxy-aware/

So, on to your question:

if in some kind of network, the firewall or some kind of piece of hardware/software that is between you and the Internet redirects the traffic to a local server if the remote server is not reachable, would the (first) WannaCry never go active?

Yeah that would do the trick. If the executable can reach iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, it will halt execution and not spread further.

J.A.K.
  • 4,783
  • 13
  • 30
  • 1
    Thank you! I did not find the part that it isn't proxy aware ;) (didn't even find the "proxy" in my brain). And I don't question the downvotes, but I think that someone did it and the next saw the minus and just accepted it – Serverfrog May 17 '17 at 12:41
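To make the answer's point concrete (a check that ignores the system proxy settings and accepts any reply, even a "URL not reachable" page, as "domain responded"), here is an added example that is not from the thread or from the malware itself: it models such a check in Python against a local listener that stands in for the kill-switch domain, and contrasts it with the proxy-only case where the direct connection is refused. The function names and the local listener are my own constructions.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class NotReachablePage(BaseHTTPRequestHandler):
    """Constructed stand-in for the scenario in the question: an existing host
    (proxy/sinkhole) that only answers with a 'URL not reachable' page."""

    def do_GET(self):
        body = b"The requested URL could not be retrieved"
        self.send_response(404)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def direct_killswitch_check(host, port=80, timeout=3.0):
    """Model of a NON-proxy-aware check: open a raw TCP connection to the host,
    ignoring HTTP_PROXY / system proxy settings, and treat ANY HTTP reply
    (even a 404) as 'domain responded'. True = kill switch would trigger."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.1\r\nHost: " + host.encode() + b"\r\n\r\n")
            return s.recv(1) != b""
    except OSError:  # DNS failure, timeout, connection refused, ...
        return False


def run_scenarios():
    """Evaluate the two network situations from the thread on a local port."""
    srv = HTTPServer(("127.0.0.1", 0), NotReachablePage)
    port = srv.server_address[1]
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        redirected = direct_killswitch_check("127.0.0.1", port)
    finally:
        srv.shutdown()
        srv.server_close()
    # Proxy-only network: the direct connection never succeeds, which looks to
    # the check exactly like the now-closed port here, so it does not trigger.
    refused = direct_killswitch_check("127.0.0.1", port)
    return {"redirected_to_existing_host": redirected,
            "direct_connection_refused": refused}


if __name__ == "__main__":
    for scenario, triggered in run_scenarios().items():
        print(scenario, "-> kill switch", "triggers" if triggered else "does not trigger")
```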