An IoT botnet is trying to nuke Wcry's killswitch

Whoever created the Wcry ransomware worm — which uses a leaked NSA cyberweapon to spread like wildfire — included a killswitch: newly infected systems check to see if a non-existent domain is active, and if it is, they fall dormant, ceasing their relentless propagation.


The killswitch could be a forgotten debugging feature or an attempt to determine whether the worm has infected a real PC or a security researcher's honeypot. Whatever the reason, the result was that by registering the killswitch domain and throwing a webserver up there, a security research was able to dramatically slow the worm.


But now that server is under punishing assault, thanks to a massive denial-of-service attack launched from infected Internet of Things devices that have been taken over by variants of the Mirai botnet that took out big chunks of the internet last year by compromising CCTVs, PVRs and other gadgets.

The attacks have peaked at 20Gb/s and are trending up. If they succeed, the dormant Wcry systems will come back to life and begin to spread again.


Since then, hackers have directed armies of zombie devices—webcams, modems, and other gadgets caught up in the expansive Mirai botnet—to funnel junk traffic to the kill-switch web address, also called a “sinkhole,” a site security researchers direct malware to in order to contain it. The presumed intention? Knock the domain offline, trigger some of WannaCry’s dormant infections to reactivate, and end the epidemic’s nearly week-long lull.

“Pretty much as soon as it went public what had happened, one of the Mirai botnets started on the sinkhole,” says Marcus Hutchins, the British security researcher who registered the WannaCry kill-switch domain. Since then, he says, near-daily attacks from that first botnet and others built with the same Mirai malware have steadily ticked up in size and impact.

If the DDOS assault did succeed, not all WannaCry infections would immediately reignite. The ransomware stops scanning for new victims 24 hours after installing itself on a computer, says Matt Olney, a security researcher with Cisco’s Talos team. But any time one of those infected machines reboots, it starts scanning again. “The ones that were successfully encrypted are in this zombie state where they’re waiting to be reactivated if that domain goes away,” says Olney.

Hackers Are Trying to Reignite WannaCry With Non-Stop Botnet Attacks [Andy Greenberg/Wired]