How WannaCry won the day
The recent WannaCry malware attack affected over two hundred thousand computers across more than 150 countries — encrypting users’ files and rendering them unusable.
The difference between WannaCry and many other cyber attacks is that it’s a form of ransomware. So, rather than stealing files, it locks them and displays a ‘ransom note’ demanding money to restore access.
This version made use of a patched vulnerability in Microsoft Windows Secure Message Block (SMB) protocol. Even worse, WannaCry is self-propagating so, after infecting a victim’s machine, it seeks other susceptible targets on which it can install itself — allowing it to spread autonomously.
Flicking the kill switch
Researchers discovered that the ransomware's programmers had encoded a ‘kill switch’, which effectively halted the propagation of the worm. After installing itself on a victim’s machine, the malware would query a given domain using the domain name system (DNS) and connect to the resolved IP address. If the domain resolved and the connection was available, the malware would cease operation.
The programmers apparently implemented this kill switch to evade forensic analysis, during which analysts install the malware within a controlled environment and scrutinise its operation. But the target domain was the undoing of WannaCry. When a researcher — known only as "MalwareTech" — registered the domain and webserver, the worm's propagation slowed to a trickle.
While the kill switch doesn't help devices already infected and locked down by WannaCry, it does hinder its spread. This bought time for users to patch systems that hadn’t already been infected.
Depending on DNS for security
The WannaCry kill switch has some interesting implications for DNS management on your network. It’s likely you’re running a DNS firewall to filter your domain queries on your DNS servers — detecting and mitigating malware infestations.
In most cases, you’d define DNS firewall policies to block certain DNS query responses, in order to prevent malware from connecting to ‘home base’ — the programmer's command and control centre for code updates and attack instructions.
In the case of a domain kill switch, however, you’d want the DNS query to pass through, so that the malware detects the existence of the domain. Such a pass-through policy within your DNS firewall enables the query to resolve successfully, allowing the malware to connect and desist from further action.
Fighting back with firewalls
The key benefit for a DNS firewall in this scenario is detection. The DNS firewall query that triggers the pass-through policy can be logged and reported — allowing you to identify and remediate the infected device. A DNS firewall is a critical ingredient in your network security strategy.
BT Diamond IP offers a DNS firewall service that gives you automatic updates of known malware and related nefarious domains for application of firewall policies. You can also customise your feed to your needs.
BT Diamond IP’s IP address management products support configuration of your DNS servers with DNS firewall functions via its web user interface for our Sapphire appliances — as well as stock ISC BIND servers you may already operate.
To find out more about how we can help you prevent another WannaCry meltdown, get in touch.