Didier Stevens

Saturday 13 May 2017

Quickpost: WannaCry Killswitch Check Is Not Proxy Aware

Filed under: Malware,Quickpost — Didier Stevens @ 11:54

It looks like #WannaCry’s killswitch check (www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com) is not proxy aware: the sample connects to the domain directly and ignores any proxy configured on the client.

Organizations that only allow Internet access through a proxy will not benefit from the killswitch.

Sample (SHA256): 5ad4efd90dcde01d26cc6f32f7ce3ce0b4d4951d4b94a19aa097341aff2acaec

I have not tested this in a VM. If someone has, please post a comment with your findings.

Update: I did test the sample; it is not proxy aware. In an environment with an HTTP proxy and no direct connections to the Internet, the sample cannot connect to www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com, and it will infect the host.

If I patch the sample to make it proxy aware, it can connect to the site through the proxy, and it does not infect the host.
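The behaviour described above, modelled in Python as an added example (this is not code from the original post, nor from the sample itself). The hostname is the real killswitch domain, but every server in the script is a loopback stand-in, so nothing leaves 127.0.0.1; the names `build_lab`, `run_scenarios`, `Sinkhole` and `ForwardProxy` are this example's own. The `proxy=None` path stands in for a client that dials the host directly regardless of the system proxy settings (in WinINet terms, the difference between opening a session with INTERNET_OPEN_TYPE_DIRECT and INTERNET_OPEN_TYPE_PRECONFIG); the `proxy=(ip, port)` path stands in for the patched, proxy-aware variant. A third scenario follows the comment thread on this post: pointing the domain at an internal web server is enough, because any HTTP reply (here a 404) satisfies the check.

```python
"""Model of the WannaCry killswitch check: proxy-unaware vs. proxy-aware.
Added example; all servers are constructed loopback stand-ins."""
import socket
import socketserver
import threading

KILLSWITCH_HOST = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
HOST_B = KILLSWITCH_HOST.encode()
TIMEOUT = 2.0


class Sinkhole(socketserver.BaseRequestHandler):
    """Stand-in for the registered domain (or an internal web server the
    domain is pointed at). Replies 404: the check needs *a* reply, not a
    particular status or body."""

    def handle(self):
        self.request.recv(4096)
        self.request.sendall(b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n")


class ForwardProxy(socketserver.BaseRequestHandler):
    """Minimal HTTP forward proxy, the only path to the 'Internet' here.
    Relays absolute-URI GETs for the killswitch host to `upstream`."""

    upstream = None  # (ip, port) of the Internet-side server; set by build_lab()

    def handle(self):
        request = self.request.recv(4096)
        if not request.startswith(b"GET http://" + HOST_B + b"/"):
            self.request.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
            return
        with socket.create_connection(ForwardProxy.upstream, timeout=TIMEOUT) as up:
            up.sendall(request)
            self.request.sendall(up.recv(4096))


class Server(socketserver.ThreadingTCPServer):
    daemon_threads = True


def start_server(handler):
    """Bind `handler` on an ephemeral loopback port; return (ip, port)."""
    srv = Server(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address


def killswitch_reached(resolve, proxy=None):
    """True when an HTTP reply comes back from the killswitch host.
    proxy=None: the original sample resolves and dials the host directly,
    ignoring any configured proxy. proxy=(ip, port): the patched variant
    dials only the proxy and sends an absolute-URI request."""
    try:
        if proxy is None:
            target = resolve(KILLSWITCH_HOST)
            request = b"GET / HTTP/1.1\r\nHost: " + HOST_B + b"\r\n\r\n"
        else:
            target = proxy
            request = b"GET http://" + HOST_B + b"/ HTTP/1.1\r\nHost: " + HOST_B + b"\r\n\r\n"
        with socket.create_connection(target, timeout=TIMEOUT) as s:
            s.sendall(request)
            return s.recv(4096).startswith(b"HTTP/")
    except OSError:  # NXDOMAIN, refused, dropped by a firewall, timeout
        return False


def would_infect(resolve, proxy=None):
    """The sample only proceeds with infection when the check fails."""
    return not killswitch_reached(resolve, proxy)


def build_lab():
    """Loopback stand-ins: sinkhole = the registered domain, proxy = the
    corporate egress, plus one resolver per client configuration."""
    sinkhole = start_server(Sinkhole)
    ForwardProxy.upstream = sinkhole
    proxy = start_server(ForwardProxy)

    # Egress-filtered LAN: public DNS resolves, but direct outbound TCP never
    # reaches the Internet. Modelled with a loopback port nobody listens on
    # (connection refused); a real firewall would usually drop silently,
    # which ends the same way after a timeout.
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    blocked_port = probe.getsockname()[1]
    probe.close()

    def resolve_public_blocked(host):
        return ("127.0.0.1", blocked_port)

    def resolve_internal_override(host):  # internal DNS zone -> internal web server
        return sinkhole

    return proxy, resolve_public_blocked, resolve_internal_override


def run_scenarios():
    proxy, blocked, internal = build_lab()
    return {
        "original_sample_behind_proxy": would_infect(blocked),
        "patched_proxy_aware_behind_proxy": would_infect(blocked, proxy=proxy),
        "original_sample_internal_sinkhole": would_infect(internal),
    }


if __name__ == "__main__":
    for name, infects in run_scenarios().items():
        print(f"{name}: {'INFECTS' if infects else 'stops'}")
```

The first scenario is the post's finding: with no direct route out, the proxy-unaware check fails and the sample continues. The second is the patched sample, which reaches the domain through the proxy and stops. The third shows why an internal DNS override works even with no proxy involved: the check succeeds on any reply, so a locally hosted web server answering 404 or 403 is enough.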

34 Comments »

  1. […] Didier Stevens points out, the kill switch is NOT proxy aware. Won’t work for companies that have a […]

    Pingback by WannaCry's Accidental Hero — Saturday 13 May 2017 @ 12:49

  2. […] ransomware that ignores that check, this will no longer be of any use. Likewise, in the last few hours other researchers have been asserting that this kill-switch might have no effect in environments that reach the Internet […]

    Pingback by Descubierto por casualidad el kill-switch que también ayuda a frenar a WannaCrypt - NoticiasDeHacking — Saturday 13 May 2017 @ 15:56

  3. Could always set the domain as a local exception in IE then create the domain as zone in your local DNS and point the www A record to a locally hosted IIS/Apache instance….

    Comment by Smarties11 — Saturday 13 May 2017 @ 16:22

  4. A work-around for the lack of proxy awareness is setting up resolution for the domain on local DNS servers and pointing it to a local web server so that the WannaCry malware killswitch check works.

    Comment by Mike — Saturday 13 May 2017 @ 17:09

  5. Seems the malware does not terminate – I can see hits on the internal web server from the same IPs, so it tries from time to time to reach the domain.

    Comment by /\ — Saturday 13 May 2017 @ 21:36

  6. The sample I checked terminates immediately after a successful connection to the sinkholed domain.

    Comment by Didier Stevens — Saturday 13 May 2017 @ 21:44

  7. Have you maybe observed how it behaves after the encryption is done and the red ransom screen has appeared? Maybe it then also tries to connect and does not terminate. As of now I cannot check at which stage those hosts are. Thanks.

    Comment by /\ — Saturday 13 May 2017 @ 21:54

  8. Have not waited for the ransom screen. But from the disassembled code, I know the connection to the sinkholed domain is only attempted in the first phase of infection.

    Comment by Didier Stevens — Saturday 13 May 2017 @ 21:57

  9. […] a proxy to access the Internet, which is the case on the majority of corporate networks. Thanks to Didier Stevens for spotting what was missed by […]

    Pingback by The worm that spreads WanaCrypt0r – All-Latest-News — Sunday 14 May 2017 @ 2:22

  10. […] Didier Stevens: Quickpost: WannaCry Killswitch Check Is Not Proxy Aware (via @GossiTheDog / […]

    Pingback by Froschs Blog: » Im Netz aufgefischt #316 — Sunday 14 May 2017 @ 11:25

  11. […] Didier Stevens – Quickpost: WannaCry Killswitch Check Is Not Proxy Aware […]

    Pingback by Week 19 – 2017 – This Week In 4n6 — Sunday 14 May 2017 @ 11:42

  12. […] it has been verified (confirmed by Malwarebyte), the code inside WannaCry that checks whether the domain that serves […]

    Pingback by WannaCry sigue atacando a un número particular de víctimas — Sunday 14 May 2017 @ 14:45

  13. Thanks Didier, do you know what would happen if the connection to the domain was successful but returned an error 404 ?

    Thanks !

    Comment by Guillaume — Monday 15 May 2017 @ 1:48

  14. Just tested on my vm with no internet connection and it does encrypt the files and infect the system.

    Comment by Kunal — Monday 15 May 2017 @ 2:37

  15. […] On 13 May, it was reported that wcry, before starting its encryption process, attempts to connect to a seemingly random domain name (www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com). If this domain can be contacted, the malware stops its operations. This is most likely a kill-switch that was built in, but not effectively used, as the domain name had not been registered by the attackers. It has been registered by security researches in the meantime, hindering the ransomware’s advance. NVISO’s analyst Didier Stevens published a quickpost on the killswitch here. […]

    Pingback by Wcry ransomware – Additional analysis | NVISO LABS – blog — Monday 15 May 2017 @ 6:26

  16. […] the activation of the “kill switch” does NOT mean that WannaCry is no longer a danger.  Didier Stevens quickly spotted that the attempt to visit the URL will fail if the compromised machine accesses the […]

    Pingback by WannaCry’s Kill Switch won’t work for proxy users. Patch now. – — Monday 15 May 2017 @ 11:56

  17. It will work for transparent proxies, if the client can resolve public DNS.

    Comment by Anonymous — Monday 15 May 2017 @ 13:56

  18. Yes Guillaume, I tested this today. It will work, as long as the webserver replies something to the client. More details in Update 1 on this blogpost: https://blog.nviso.be/2017/05/15/wcry-ransomware-additional-analysis/

    Comment by Didier Stevens — Monday 15 May 2017 @ 14:44

  19. I think that for transparent proxies, you can also configure it without the client resolving public DNS. At least, not having to return a public IP.

    Comment by Didier Stevens — Monday 15 May 2017 @ 14:46

  20. Does that apply for a proxy using domain auth without the PC passing an explicit user name and password?

    Comment by HomerJ. — Monday 15 May 2017 @ 22:41

  21. […] Notice from the above code that WannaCry is not proxy aware (check here for details). […]

    Pingback by The WannaCry journey from a SOC point of view – internal sinkholing of killswitch servers – Scubarda — Tuesday 16 May 2017 @ 5:36

  22. […] but not that either, because the "killswitch" only works if the domain is reachable directly and not through a proxy. Because it is actually not a "killswitch" at all, […]

    Pingback by WannaCry - die Ransomware erklärt — Tuesday 16 May 2017 @ 6:48

  23. […] but not that either, because the "killswitch" only works if the domain is reachable directly and not through a proxy. Because it is actually not a "killswitch" at all, […]

    Pingback by WannaCry – die Ransomware erklärt - zend-framework.net — Tuesday 16 May 2017 @ 6:52

  24. The code is not proxy-aware: it will not use a proxy, even if one is configured on the client.

    Comment by Didier Stevens — Tuesday 16 May 2017 @ 8:57

  25. […] as Didier Stevens points out, the self-destruct mechanism does NOT support proxies. So it will not work for companies that have a […]

    Pingback by Attaque massive par ransomware : ce que vous devez savoir — Tuesday 16 May 2017 @ 20:18

  26. Is it looking for something on the page? Can I just DNS poison and point it to a local web listener?

    Comment by AC — Tuesday 16 May 2017 @ 23:00

  27. […] Notice from the above code that WannaCry is not proxy aware (check here for details). […]

    Pingback by WannaCry – Jithin's blog — Wednesday 17 May 2017 @ 11:17

  28. No, it does not check the reply.

    Comment by Didier Stevens — Wednesday 17 May 2017 @ 17:39

  29. Does pointing the domain to a web server that shows a 403 Access denied error work?

    Comment by Jean-Paul — Thursday 18 May 2017 @ 1:37

  30. @Jean-Paul Yes, for more information read update 1 I added to this blog post: https://blog.nviso.be/2017/05/15/wcry-ransomware-additional-analysis/

    Comment by Didier Stevens — Saturday 20 May 2017 @ 8:07

  31. […] Blog de Didier Stevens […]

    Pingback by WannaCry Analysis – Le ransom-worm qui sévit depuis 10 jours – mai 2017 | adrien pastor — Monday 22 May 2017 @ 14:12

  32. […] Quickpost: WannaCry Killswitch Check Is Not Proxy Aware […]

    Pingback by Overview of Content Published In May | Didier Stevens — Wednesday 7 June 2017 @ 0:15

