Yesterday we reported on the largest ransomware attack to date: using one of the NSA exploits recently leaked by the Shadow Brokers group, attackers were able to infect computers globally with WannaCry, ransomware that spreads by means of the NSA's EternalBlue exploit. Microsoft has already released an update for the vulnerability it uses, but many users and organizations have not bothered to update their systems.
The malware infects computers by exploiting a vulnerability in the SMBv1 file-sharing protocol. Older versions of Windows are more exposed, especially since Microsoft no longer supports Windows XP or Windows Server 2003.
It installs DoublePulsar, a backdoor that allows remote control of the infected machine. This is another stolen NSA tool, leaked alongside EternalBlue. The malware also communicates over the anonymous Tor network to receive further commands from its creators.
But, as seen in the malicious code, the malware also contained a kill switch in the form of a hard-coded domain.
What does this mean in simple terms? Before it does anything else, the malware checks whether a specific domain can be reached; if it can, the malware stops and infects nothing. That domain was registered earlier today by a researcher who noticed the dot-com name in the reverse-engineered binary. As soon as the domain resolved and answered, the malware stopped distributing the ransomware, halting its worldwide spread. Note that this only stops new infections: machines that were already encrypted are not helped, and a machine that cannot reach the domain (for example, because its network only allows egress through an authenticating proxy) is still infected.
Connections to the kill-switch domain, iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, are routed to a sinkhole server in California, and administrators of infected systems that reach the domain will be alerted, the researcher says.
"The IP addresses have been sent to the FBI and ShadowServer, so the organizations affected should receive a notification shortly," said the researcher, who admitted that he first registered the domain and only afterwards realised that it was a kill switch.
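The kill-switch check described above, together with the sinkhole notification the researcher mentions, as an added example that is not code from the article, the researcher, or any of the linked analyses. The first part models the malware's startup check with an injected fetcher so that it runs offline and shows why the check stops spreading only when the domain actually answers; the second part scans DNS query-log lines for internal hosts that looked up the domain, which is how an administrator can find affected machines without waiting for an external notification. The log lines, client IPs and the three network-condition functions are all constructed here; the log format is BIND-style, and other resolvers will need a different regular expression.

```python
import re
from typing import Callable, Dict, List

# The hard-coded domain found in the reverse-engineered binary.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"


def should_abort(fetch: Callable[[str], bool]) -> bool:
    """Model of the malware's startup check (added example, not the real code).

    The worm issues a plain HTTP request to the hard-coded domain and exits
    only if that request succeeds.  Any failure (NXDOMAIN before the domain
    was registered, a timeout, egress blocked by a proxy) is treated as
    "keep going", so the check halts spreading but never verifies anything.
    `fetch` is injected so the model runs without touching the network.
    """
    try:
        return bool(fetch("http://" + KILL_SWITCH_DOMAIN + "/"))
    except OSError:
        return False


# Three constructed network conditions; no real connection is made.
def nxdomain(url: str) -> bool:
    """Before the researcher registered the domain: the name does not resolve."""
    raise OSError("NXDOMAIN: " + url)


def sinkhole_answers(url: str) -> bool:
    """After registration: the sinkhole answers the HTTP request."""
    return True


def proxy_blocks(url: str) -> bool:
    """Network that only allows authenticated proxy egress: request fails."""
    raise OSError("407 Proxy Authentication Required: " + url)


def simulate_timeline() -> Dict[str, bool]:
    """Whether the worm aborts under each condition (True = stops spreading)."""
    return {
        "before_registration": should_abort(nxdomain),
        "after_sinkhole": should_abort(sinkhole_answers),
        "behind_auth_proxy": should_abort(proxy_blocks),
    }


# Constructed BIND-style query-log lines standing in for a real resolver log.
SAMPLE_DNS_LOG: List[str] = [
    "12-May-2017 15:41:02.118 client 10.0.0.5#51234: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.0.0.1)",
    "12-May-2017 15:41:05.301 client 10.0.0.7#49011: query: www.update.microsoft.com IN A + (10.0.0.1)",
    "12-May-2017 15:41:09.877 client 10.0.0.5#51240: query: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. IN A + (10.0.0.1)",
    "12-May-2017 15:42:30.004 client 10.0.0.9#60002: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.0.0.1)",
    "12-May-2017 15:42:31.000 zone example.internal/IN: loaded serial 42",
]

# Timestamp, client IP, optional "(name)" field used by newer BIND versions,
# queried name and query type.  Lines that are not queries are skipped.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def hosts_that_queried_kill_switch(log_lines) -> Dict[str, List[str]]:
    """Map each client IP that looked up the kill-switch domain to the
    timestamps of its lookups.  Matching is case-insensitive and ignores a
    trailing dot, since resolvers log names in either form.

    A host on this list executed the malware's startup check, whether or not
    the sinkhole answered, so it needs triage even if nothing was encrypted.
    """
    hits: Dict[str, List[str]] = {}
    for line in log_lines:
        m = QUERY_RE.match(line)
        if m is None:
            continue
        if m["qname"].rstrip(".").lower() == KILL_SWITCH_DOMAIN:
            hits.setdefault(m["src"], []).append(m["ts"])
    return hits


if __name__ == "__main__":
    for condition, aborted in simulate_timeline().items():
        print(f"{condition:20s} -> {'aborts' if aborted else 'keeps spreading'}")
    for src, times in hosts_that_queried_kill_switch(SAMPLE_DNS_LOG).items():
        print(f"triage {src}: {len(times)} lookup(s), first at {times[0]}")
```

Run against the constructed log the scanner flags 10.0.0.5 (two lookups, one logged in upper case with a trailing dot) and 10.0.0.9, and ignores the Windows Update lookup and the non-query line. The timeline shows the point practitioners care about: a host behind an authenticating proxy fails the check exactly as it did before the domain existed, so the kill switch gives such networks no protection and patching remains the only fix.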
Here are some quick links to many more technical details that we have collected:
The Cisco Talos Team analyzed the malicious software, describing its components.
A decrypted sample of the malware is available.
An exploit for MS17-010, written in Python with example shellcode, developed by the infosec firm RiskSense and based on the NSA's stolen EternalBlue tool. It shows that the SMB server bug is the result of a buffer overflow in Microsoft's code.
You can track infections in real time from here. At least 104,000 infected hosts have been identified worldwide.