An IoT botnet is trying to nuke Wcry's killswitch


Originally published at:


The question is whether this is the criminals, or whether it’s 4chan and co playing it for the lulz.

If it’s the criminals, that suggests they can’t engineer the switch out of the code.

I do hope, however, that on this occasion the Russian security services find out who is doing it, transfer them to that nice place on the side of Red Square, and tickle their toes till they repent. These people are really evil.


Large ISPs that provide DNS service to their broadband customers could probably tweak their DNS to have the sinkhole domain resolve to their corporate homepage, thus fulfilling the “active webserver at that FQDN” requirement needed to keep WannaCry dormant, and making it hard(er) to effectively DDoS the sinkhole.

The idea of ISPs unilaterally screwing with DNS to divert traffic doesn’t make me happy – it sets a bad precedent – but I bet some of them are doing it anyway for other reasons, so maybe that ship has already sailed.


The odds seem low that they’re the same group - which means someone is doing it for the lulz. (But the ransomware might also be for the lulz as well - analysis I’ve read suggests that there’s no mechanisms by which to decrypt the files in this case, so it might be just to cause mayhem.) Multiple someones need to be thrown into internet-free holes for the rest of their lives.


I was thinking something similar. Competent IT departments have the tools to take care of this with DNS internally. That said, competent IT departments shouldn’t be vulnerable to this worm. Not now, not when it first dropped.


Even if they were people doing it for the lulz, they’d still be extorting people. It’s a criminal act, whatever the intent.

Isn’t it more a question if it’s a criminal act or an act of cyberwarfare?


Yes, you’re right. I didn’t make myself clear, perhaps. What I meant was that there are a lot of sociopaths out there who are quite likely to worsen the situation. I wasn’t suggesting that was a lesser offence.
I don’t think it was warfare. Targeting the British NHS and the Russian government seems an odd combination. One of the problems we face is that online criminals are often stupid; it’s just too easy to deploy this stuff. I think they were after money but didn’t understand how it might spread. There are also conflicting accounts; it may be multiple attacks by different criminal gangs who bought a kit at around the same time.

But it’s criminal, and the DOS attacks are accessories. Catching them is the big problem.

Currently I’m updating the computers for a charity as fast as I can; all unpatched, all vulnerable. But at least I have all their essential data secured on two offsite backups, one of which is on write only media.


It’s kind of cool that news stories in 2017 sound like dialogue out of Ghost in the Shell. I mean, to look on the bright side, sort of…?


William Gibson is seeming pretty prescient at this point.


I always realized that cyberpunk was an essential genre to understand the world I’d be growing up in. Proved to be a good idea!


Yea, my guess is its the typical 13-year old sociopath. Capable of doing a huge amount of damage for the ‘lulz’, and unable to understand why they found it so amusing 10 years later.


I’ve said it before: everyone got excited about how the cyberpunk authors were technologically prescient. Almost no-one noticed how they were politically prescient.


If the original WCry creators are behind this that doesn’t necessarily imply they can’t remove the kill switch from their code. Maybe they just want to wake up millions of sleeping worms that are already installed.


on Star Trek, this is where they would do something creative with the deflector array.


I think it’s safe to say they can’t engineer it out of the code on already infected machines. As far as I know it would be very difficult to design a way to push updates out in a way that doesn’t risk exposing you as the source. Worms grow geometrically with the number of infected machines out there spreading the virus, so momentum is important and releasing a new version of the worm means starting again from scratch. It makes sense then if this is the original attackers, although it could also be trolls for all I know.

Yeah but if this is the sci-fi warfare of the future then there are disappointingly few lasers involved.


I still think we shouldn’t use the term warfare for anything cyber. Neither the term terrorism.

Even if state-sponsored or gouvernmental actors are behind hackings, DoS and the likes, I still think these are criminal acts, and need to be prosecuted by means which are well outside warfare.

I vividly remember the NATO Secretary General writing a strong op-ed statement for a militarization of the internet in a major economic news outlet I read the day before Edward Snowden came public in Hong Kong. I don’t buy into this newspeak: regardless of the criminal’s background, their intentions it is not war. I object to the broadening of the definition, as I fear the consequences.


Trump is a Stand-Alone Complex.


This kind of thing isn’t ‘targeted’ in any way, it’ll just hit vulnerable machines, wherever they might be.


Oh, I dunno… L. Bob Rife always struck me as a very likely possibility for the future of American “politics.”


thanks for clarifying that.

And they think they’re oh so clever hackers, too. Which only compounds the problem. [quote=“Enkita, post:7, topic:101293”]
Currently I’m updating the computers for a charity as fast as I can; all unpatched, all vulnerable. But at least I have all their essential data secured on two offsite backups, one of which is on write only media.

Good luck! You’re doing good work here. it’s too bad that groups like charities are often vulnerable to this kind of thing.