Yesterday's report of hardier Wcry retracted, but new versions found


Originally published at:


Note that despite the initial characterization of this domain check as a “killswitch” it is most likely not what it was intended as. It is more likely it is intended as a sandbox-detection mechanism.

Competent malware writers have previously implemented this strategy of using a randomly-generated domain name request to detect sandboxing and make analyzing the malware harder. The idea is that sandboxing, while preventing internet connections, will nevertheless answer all DNS and HTML GET requests to simulate functional Internet access. So if randomly-generated domain names return data, it is a sign of sandboxing. Those malware would normally generate random strings to use as domain names for this purpose.

But as has been said before, the author of this malware is not very competent, and instead of putting in a random-generator routine he generated a SINGLE domain name for this check. It may have been done for optimization reasons, making the malware smaller or faster. He hasn’t really caught on the fact this is a bad idea, and seemingly just changed this URL in the latest strains. It’s possible it’s generated at compile time, too, and that each new variation would have a new URL. Once he realizes it’s a bad idea, he’ll either remove this code or improve it and we’ll be screwed.


How would we tell the difference between:

a) not very competent

b) incremental stages of a larger attack


I see a flaw in logic in the second option - this malware relies on a lack of patch MS17-010 to spread on internal networks.

Organizations that had not put that patch in place - let’s just say that they just paid their IT folks a lot of overtime last weekend. Wannacry version 3 or 4 won’t have nearly the easy time spreading that version 1 did.


put that patch in place

Are there not several, possibly many, other under-patched vulnerabilities?

As long as the IT people were busy this weekend, I suppose multiple patches would have been installed. But one of the reasons this vulnerability existed was a reluctance to install patches that might impact performance, so maybe they only did the patch for this particular one.

And how long until new vulnerabilities are exposed?


Specifically under-patched, no-user-interaction-required, remote code execution vulnerabilities, for which a reliable exploit is available to the level of criminal who runs typical ransomware operations?

No, MS17-010 is the first one in quite a while.


first one in quite a while

My understanding is this attack was enabled by the recent release of advanced NSA hacking tools. Is it likely to be the only specific attack, or one of very few, that could be deployed by the “level of criminal”, (presumably “low”) behind WannaCrypt?

I’m sure I read today that some analysts believe it’s more likely the NSA tools will be used by national military and intelligence services as sort of a fake overt, but actually covert form of warfare. Simulating a “low level criminal” or other inept attacker seems like a great camouflage. Plausible? How could we tell the difference?


The NSA tools that were dumped in April were all for vulnerabilities that had been patched by then (in 2008, 2009, 2010, 2014, and just the previous month, March 2017). So, the one that was patched by MS17-010 was by far the most powerful one - a target that’s only a month or two behind patches, and it’s useful. With the others, your target had to be at least three years behind.


OK, that makes sense. I have one test machine I keep mostly un-updated as a control. The patch that was only for MS17-010 was quite small and updated in just a few seconds, plus a reboot. Is that how large IT departments would manage an emergency deployment like this?

Thanks for responding on this. I’m non-tech but interact with tech teams, and really trying to put the situation into perspective.


Probably? That’s assuming they have a good system for getting patches out to the systems under their purview. Some of the shops that were badly hit by this, probably were so because they just don’t have the capability to get the patch out (out of support OSes for which they don’t get patches, or many systems that aren’t enrolled in their patch management system, or no patch management system at all).

Assuming they were in a non-patched state for some reason other than simple inability to patch (e.g. they are veeerrrry cautious with patches, and the patch was somewhere in their quality control testing cycle, due to be installed next month assuming it made it through all twelve approval meetings) - then yes, on an emergency basis they might rush out the minimal patch only.


This topic was automatically closed after 5 days. New replies are no longer allowed.