The security researcher known as MalwareTech became an accidental hero when he registered the kill-switch domain for the WannaCry malware. He noticed that a domain the malware attempted to connect to was available for registration and decided to register it. Only after registering it did he realize that the domain's existence, together with the web server he attached to it, acted as a kill switch for the malware. This weekend the researcher reported attempts by a Chinese registrar to hijack the kill-switch domain, which, if successful, could put WannaCry back into full swing. As of today MalwareTech still appears to control the domain name, but that could change in the future.
Some of the steps the United States could take to protect against a successful hijacking of the kill-switch domain include the following:
- Reach out to Verisign, the operator of the .com top-level domain, to ensure the domain doesn't go dark, by pointing it at a US-controlled sinkhole server.
- Set up a sinkhole server to which DNS traffic for the kill-switch domain is mapped, and which also acts as a data collection mechanism for identifying hosts compromised by the malware.
- Enlist US telecommunications companies and ISPs to configure overriding DNS entries that point traffic for the kill-switch domain to a government investigative sinkhole server.
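The second step above, using the sinkhole as a data-collection point, is where the defensive value sits. The following is an added example (not code from the original post, and not MalwareTech's sinkhole code) showing how a sinkhole operator could triage its DNS query log to find hosts looking up the kill-switch domain. The domain name used here is a placeholder, since the post does not name it, and the log lines are constructed in BIND-style query-log format for illustration only.

```python
"""
Sinkhole DNS query-log triage for the WannaCry kill-switch domain.

Added example, not code from the original post or from MalwareTech.
Assumptions (all labelled): the kill-switch domain is a placeholder,
and the log lines are constructed in BIND-style query-log format.
"""
import re
from collections import defaultdict
from datetime import datetime

# Placeholder: the real kill-switch domain is not named on the page.
KILL_SWITCH_DOMAIN = "killswitch-domain.example"

# BIND-style "queries" log line, e.g.
# 15-May-2017 10:01:02.123 client 10.0.0.5#51234: query: example.com IN A + (192.0.2.1)
# The optional "(qname)" group after the port appears in some BIND versions.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[\d.]+)#\d+(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample log (not real data): one client looks the domain up
# repeatedly, one uses a different case and a trailing dot, one is noise.
SAMPLE_LOG = """\
15-May-2017 10:01:02.123 client 10.0.0.5#51234: query: killswitch-domain.example IN A + (192.0.2.1)
15-May-2017 10:01:07.456 client 10.0.0.5#51240: query: killswitch-domain.example IN A + (192.0.2.1)
15-May-2017 10:01:09.000 client 10.0.0.9#40001: query: www.example.org IN A + (192.0.2.1)
15-May-2017 10:03:30.777 client 10.0.0.17#33000: query: KillSwitch-Domain.example. IN A + (192.0.2.1)
15-May-2017 10:05:00.001 client 10.0.0.5#51250: query: killswitch-domain.example IN AAAA + (192.0.2.1)
garbage line that should be ignored
"""


def parse_line(line):
    """Parse one BIND-style query-log line into ts/ip/qname/qtype, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S"),
        "ip": m.group("ip"),
        # DNS names are case-insensitive and may carry a trailing dot; normalise both.
        "qname": m.group("qname").rstrip(".").lower(),
        "qtype": m.group("qtype"),
    }


def triage(log_text, domain=KILL_SWITCH_DOMAIN):
    """Aggregate, per source IP, every lookup of `domain`: count, first/last seen, query types."""
    domain = domain.rstrip(".").lower()
    report = defaultdict(lambda: {"count": 0, "first_seen": None, "last_seen": None, "qtypes": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qname"] != domain:
            continue
        entry = report[rec["ip"]]
        entry["count"] += 1
        entry["qtypes"].add(rec["qtype"])
        if entry["first_seen"] is None or rec["ts"] < entry["first_seen"]:
            entry["first_seen"] = rec["ts"]
        if entry["last_seen"] is None or rec["ts"] > entry["last_seen"]:
            entry["last_seen"] = rec["ts"]
    return dict(report)


def suspected_hosts(log_text, domain=KILL_SWITCH_DOMAIN):
    """Sorted list of source IPs that looked up the kill-switch domain at least once."""
    return sorted(triage(log_text, domain))


if __name__ == "__main__":
    for ip, e in sorted(triage(SAMPLE_LOG).items()):
        print(f"{ip:<12} lookups={e['count']} types={sorted(e['qtypes'])} "
              f"first={e['first_seen']:%H:%M:%S} last={e['last_seen']:%H:%M:%S}")
```

One caveat a sinkhole operator has to keep in mind: a query for the domain is a lead, not proof of infection. The source address the sinkhole sees is usually a recursive resolver rather than the endpoint, and security scanners and researchers query the domain too, so the per-IP list is a starting point for notification and follow-up on the resolver side, not a verdict.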
Whether or not this occurs, what is certain is that malware has become more sophisticated since the leak of US cyber-espionage tools, and can spread without any action by the targeted user. The best safeguard is to keep your computer fully patched and up to date.
To view a live representation of current WannaCry infections, visit the following link: https://intel.malwaretech.com/botnet/wcrypt/?t=24h&bid=all
Microsoft has released a patch for most Windows operating systems that addresses the ms17-101 security vulnerability behind the SMB exploit leaked by the Shadow Brokers. Update your operating systems now if you haven't already!