A 41-character .com domain was key to bringing down a malware campaign.
A ransomware attack based on an NSA tool spread like wildfire yesterday…until a researcher spent ten bucks to register a domain name.
A malware researcher discovered an unregistered domain name in the code of the malware and registered the domain name. Malware frequently points to unregistered domain names that it cycles through over time.
But in this case something weird happened when the domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com was registered. The malware stopped working.
So a $10 domain registration took down a nasty malware campaign for now.
While some people are calling this a “kill switch”, the unnamed researcher who registered the domain thinks the check was actually inserted to frustrate analysis: sandboxes commonly answer every DNS lookup, so a successful lookup of a domain that should not exist tells the malware it is being analyzed in a sandbox environment, and it shuts itself down.
The good news is the domain name registration halted the current campaign. The bad news is that someone will just change the code and start spreading it again. This means it’s imperative that owners of older Windows-based machines patch them immediately.
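To make the mechanism concrete from a defender's side, here is an added example (mine, not code from the post or from the researcher who registered the domain) that applies the check's logic to DNS query logs: any host that looks up the domain at all is worth investigating, and the response code tells you whether the lookup would have halted the sample or let it proceed. The log line format, the host addresses and the function names are assumptions made for this example; only the domain name comes from the post.

```python
"""Triage DNS query logs for lookups of the kill-switch domain.

Added example, not code from the original post. The log format
("<time> <client_ip> <qname> <rcode>") is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# The only value taken from the post itself.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample log lines (hypothetical format and addresses).
SAMPLE_LOG = [
    "10:01:03 10.0.0.5 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN",
    "10:01:07 10.0.0.8 example.com NOERROR",
    "this line is malformed and should be skipped",
    "08:15:22 10.0.0.9 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. NOERROR",
]


@dataclass
class Finding:
    host: str
    outcome: str  # "halted" or "would_proceed"


def check_passes(resolved: bool) -> bool:
    """Model of the sample's gate: it continues only when the lookup FAILS.

    A sandbox that answers every DNS query makes the lookup succeed, so the
    sample halts there (the anti-analysis reading). Registering the domain
    makes the lookup succeed on the real internet too, with the same effect.
    """
    return not resolved


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Parse one constructed log line; return None for lines that don't fit."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _time, host, qname, rcode = parts
    # Normalise the query name: strip a trailing dot, lower-case it.
    return host, qname.rstrip(".").lower(), rcode.upper()


def triage(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per lookup of the kill-switch domain."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host, qname, rcode = rec
        if qname != KILL_SWITCH_DOMAIN:
            continue
        resolved = rcode == "NOERROR"
        outcome = "would_proceed" if check_passes(resolved) else "halted"
        findings.append(Finding(host=host, outcome=outcome))
    return findings


def infected_hosts(lines: Iterable[str]) -> Set[str]:
    """Hosts to investigate: the lookup itself is the indicator, whatever the
    answer was, because only the sample has a reason to ask for this name."""
    return {f.host for f in triage(lines)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.host}: {f.outcome}")
    print("hosts to investigate:", sorted(infected_hosts(SAMPLE_LOG)))
```

The split between `check_passes` and `triage` is deliberate: the first line captures the inverted logic the post describes (succeed and stop, fail and continue), and the log scan shows why an NXDOMAIN answer for this name, from before the registration, is the case a responder should care about most, while a NOERROR answer means the sinkhole did its job on that host.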
Let’s just hope the domain does not get disconnected because of using malicious contact info:
Registrant Name: Botnet Sinkhole
Registrant Street: Botnet Sinkhole
Registrant City: Los Angeles
Registrant State/Province: CA
Registrant Postal Code: 00000
Registrant Country: US
Registrant Phone: +0.00000000000
So even malware prefers dotcom.
Joseph Peterson says
Interesting. I’d like to see a full-length article dilate on this sentence:
“Malware frequently points to unregistered domain names that it cycles through over time.”
Look for content on DGA, like this article: https://en.wikipedia.org/wiki/Domain_generation_algorithm .
Gerald Kauffman says
This malware domain was 40 characters long and unregistered. Does the length have any bearing on location in that environment? No wiz here, just asking.