Black Hat, White Hat

Did you know that hackers are made out of floating binary masses?

Meanwhile, over in computer science…several days ago WannaCry almost brought the world to its knees until an anonymous tech blogger, MalwareTech, brought it to a screeching halt by activating a hiding-in-plain-sight kill-switch. MalwareTech blogged about the wild 12 hour epic (which, by the way, happened during his vacation) and it makes me so gleeful to read about. It’s not math, per se, but I feel like cybersecurity is sort of like a favorite cousin of cryptography. One who visits all the time and is almost like a sister. Also, who doesn’t love a good story about a blogger saving the world? In that spirit, I wanted to take today to give a quick and dirty explanation of what our dear blogger-turned-hero did, why it worked, and what we might ought to brace ourselves for.

Here is more or less what happened, in the most jargon free way that I can bring it to you. Our heroic white hat blogger got his hands of a copy of WannaCry and was playing around with it in a quarantined operating system environment called a sandbox. This is typical when programmers are dealing with malware or other suspicion software of unknown origin; it’s a way to run analyses on the potentially dangerous program without making their own device vulnerable.

He noticed that something in the WannaCry code was directing his computer to check whether a certain website was live. He also noticed that this domain name was unregistered, so he registered it, which apparently is very common practice for folks in the cybersecurity biz. The result, was that now infected machines were still running this check to see if the website URL (which was actually hardcoded into WannaCry) was live, and when they found out it was live, the ransomware just shut down. Simply registering the domain name acted as a kill-switch for the world’s biggest ransomware attack.

There seem to be two prevailing theories as to why the original programmers wrote this domain querying piece into their code. The first, and perhaps too simple, explanation is that they left it there as a kill-switch for themselves. If things got out of hand they knew they could just register the domain name and shut it down.

The idea that seems to have slightly more traction, is that the querying of an unregistered domain name was a rudimentary method for the ransomware to identify if it was living in a sandbox environment, which would typically return all URLs (registered or otherwise) as alive. The original developers would use this as an anti-analysis measure, since the only way to analyze the ransomware would be in a sandbox (unless you like to live dangerously). The important technical detail here is that an operating system in a sandbox sees all websites as live, even the unregistered ones. So pinging a live website delivers the message to shut down the ransomware. But by registering the domain name, everyone who queries the website sees it as live, meaning WannaCry always thinks its living in a sandbox environment, and therefore always shuts itself down.

MalwareTech for the win!

But it seems the beast hasn’t been slain entirely. As of last week, bad-guy hackers — who seem to be acting purely for their own amusement — have dispatched a botnet army of hijacked cameras, modems, and other internet of things devices to continually attack the newly registered domain name and flood it with traffic whose origins can be very hard to track. The idea behind this is that if enough of these zombie devices are blocking the “door” to the domain then other devices will get turned away. Kind of like a Walmart on Black Friday. This is called a Distributed Denial of Service (or DDoS) attack, and given aggressive enough traffic it could result in forcing the new domain offline and effectively flipping the kill-switch back to the “off” position. There’s also talk of the possibility that, much like an actual virus, there are mutated strains of the WannaCry virus with different kill-switch domain names coded into them.

This means WannaCry still has potential to mess your life up pretty dramatically. So take the appropriate precautions. Check if your operating systems is recommending patches. And if you are still using Windows XP, brace yourself.

Also, because every situation involving near destruction of the world could use some extra levity, Quartz has generated a great roundup of all the absurd photos that accompany news stories about WannaCry. Much like my binary people above, they make no sense at all.