MalwareTech found the kill switch for WannaCrypt too.

https://www.theguardian.com/technology/2017/may/13/accidenta...

https://twitter.com/MalwareTechBlog/status/86318710471668531...

https://twitter.com/MalwareTechBlog/status/86318907784311603...

This sounds like something straight out of a James Bond movie.

That was a dumb move by the malware coder ;)

Wouldn't you want to hide a kill switch?

The MalwareTech write up gives a plausible reason for the developer having accidentally added the kill switch: > I believe they were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments, then once they see the domain responding, they know they’re in a sandbox the malware exits to prevent further analysis.

MalwareTech wrote a blog about it: https://www.malwaretech.com/2017/05/how-to-accidentally-stop...

I don't understand. What exactly do the live map points represents and where does the data come from?

Wow, that's pretty amazing work!

How is he able to add new supernodes to the cluster? I would expect a supernode to have some sort of credentials that are used for authentication. If not, isn't it possible to neutralize the botnet by overloading it with supernodes that don't send malicious commands?

According to his initial explanation - "In a peer to peer botnet, bots which can receive incoming connections act as servers (called supernodes)."

So in some cases the only requirement for a node to be a supernode is that it can receive incoming connections. I take this to mean that any computer that is 1. infected with the botnet program, 2. can receive incoming connections, becomes a supernode. Under those circumstances there's no need to reverse engineer the botnet program, all you have to do is set up a vulnerable computer, allow it to be compromised and infected becoming a supernode; then monitor the traffic of incoming connections.

He later mentions that supernodes can be filtered based on "age, online time, latency, or trust." This tells me that certain botnets do have a level of trust that is defined in each peer list.

I believe your last question refers to the concept of sinkholing or blackholing. These methods have been used by the FBI to take down botnets through DNS hijacking, I think.

>To ensure the entire network is discovered, we should start the crawler off with multiple supernode IPs and store all IPs found into a database, then each time we restart the crawler we seed it with the list of IPs found during the previous crawler; repeating this process for a couple of hours ensure all online nodes are found.

This would just discover supernodes though right? Or any node at some point broadcasts as a supernode?

Yes to your first question, no to your second. He goes on to explain that, "In order to map all workers, we’d need to set up multiple supernodes across the botnet which log incoming connections (obviously every worker doesn’t connect to every supernode at the same time, so it’s important that our supernodes have a stronger presence in the botnet)."

From what I understand the process is:

1. Write a program to pretend to be a compromised peer requesting a connection to a Supernode in order to obtain a peer list of other Supernodes.

2. Recursively crawl for existing Supernodes + the list of Supernode IPs. Store all addresses found.

3. Set up one or more Supernodes and 'infiltrate' the peer list of already established Supernodes. Log incoming connections from Workers.

http://whatis.techtarget.com/definition/botnet-sinkhole

That's amazing, thanks for the link.

Are we watching this thing wake up right now?

We are seeing new requests from existing bots, the historical data is not shown on this map.

Gotcha. So yeah, we're seeing it wake up. The first little increase (up to 600) was about the time the article was published.

Where are you seeing this? This isn't historical data.

Here's a page with more info

https://intel.malwaretech.com/botnet/wcrypt

Yeah it scrolls off to the left. So you came an hour after my comment and it was gone. Heck it was almost gone by my second comment.

If so, that is both scary and exciting.

it took me a while to realize this is live....

I am curious. How is this tracked? What signature or what component are they looking for to be able to say "Yeah, here is another one"?

I'm just curious and would like someone with more experience to weigh in.

EDIT: To add on further to my question, I wonder why it does not use a terrain / city / province overlay instead of all black? It seems it would be much more useful to us network and sysadmins out there just in case we realized "Oh, hey that dot is right on top of where we work out of. I should probably fire up WireShark or something and test for infected systems."

Great info. So, for the layman. How vulnerable are users behind a firewall or broadband router?

Pretty safe until a machine in the network gets infected. The first infection comes from a phishing email or similar. From then on, the worm infects other machines connected to the same network, but usually not across the internet.

It uses a vulnerability in a protocol that's used for network sharing, and that's usually blocked at your router

What is the significance of the time span indicators? Does the 1M selection indicate how many computers remain infected or how many that were infected within that time span?

Your point?