Didier Stevens

Saturday 13 May 2017

Quickpost: WannaCry Killswitch Check Is Not Proxy Aware

Filed under: Malware,Quickpost — Didier Stevens @ 11:54

It looks like #WannaCry’s killswitch check (www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com) is not proxy aware:

Organizations that use proxies will not benefit from the killswitch.

Sample: 5ad4efd90dcde01d26cc6f32f7ce3ce0b4d4951d4b94a19aa097341aff2acaec

I have not tested this in a VM. If someone has, please post a comment with your findings.

Update: I did test the sample, it is not proxy aware. In an environment with an HTTP proxy and no direct connections to the Internet, the sample can not connect to www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com, and it will infect the host.

If I patch the sample to make it proxy aware, it can connect to the site through the proxy, and it does not infect the host.

Quickpost info

Update: re_search.py Version 0.0.5

Filed under: My Software,Update — Didier Stevens @ 10:41

When I used my re-search.py tool to extract Bitcoin addresses from the latest WCry samples, I found a small bug. This version is a bugfix (bug introduced in version 0.0.4).

re-search_V0_0_5.zip (https)
MD5: A03CBBA9F2C5900A368BC064D3CC3D00
SHA256: 940B12CA8E3ADCC0266BC788B5A7AE2C830115BDB9FC04C3A7A178FDD7D44F02

Blog at WordPress.com.