topic Re: WannaCry - Kill Switch & DNS sinkholing in General Topics

WannaCry - Kill Switch & DNS sinkholing

Fengrui — Mon, 15 May 2017 14:33:31 GMT

Why Palo is not sinkholing DNS queries to the kill switch URLs? Currently if I run a DNS lookup request for the kill switch URL, it come back with the valid DNS response. shouldn't this be sinkholed?

When the guy "accidentally" found the kill switch, I thought, Palo would be able to do this as well. But alas, it didn't and still hasn't yet, I guess there must be an reason behind this, anyone knows why?

Re: WannaCry - Kill Switch & DNS sinkholing

kiwi — Mon, 15 May 2017 14:42:34 GMT

Hi @Fengrui,

Palo Alto Networks customers are protected from WanaCrypt0r ransomware through multiple complementary prevention controls across our Next-Generation Security Platform. Please refer to the following post for more details :

http://researchcenter.paloaltonetworks.com/2017/05/palo-alto-networks-protections-wanacrypt0r-attacks/

Cheers !

-Kiwi

Re: WannaCry - Kill Switch & DNS sinkholing

jvalentine — Mon, 15 May 2017 14:50:13 GMT

The kill switch works when the malware is able to reach out to the killswitch domain. If you block/sinkhole/prevent access to that, then the malware will do its thing and encrypt/ransom your data.

Re: WannaCry - Kill Switch & DNS sinkholing

Fengrui — Mon, 15 May 2017 14:59:53 GMT

@jvalentine, I think if you sinkhole the the killswitch domain, then the malware will exit and do nothing? As it thinks being analysed in a sandbox environment? That's my understanding how the killswitch worked. You can't block it though.

@kiwi, for DNS sinkhole to work, the domain/URL have to be regarded malicious by palo to start with, and it seems this is not the case yet, we have DNS sinkhole configured in our environment, I'd expect the DNS query internally to the killswitch domain would come back with the sinkhole bogus IP, however it didn't.

Re: WannaCry - Kill Switch & DNS sinkholing

jvalentine — Mon, 15 May 2017 15:13:28 GMT

@Fengrui according to this article, if the killswitch domain is accessible, the malware will halt.

- https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack

Re: WannaCry - Kill Switch & DNS sinkholing

Fengrui — Mon, 15 May 2017 15:18:28 GMT

cool, this is great, thanks @jvalentine, this explains why Palo is not sinkholing the DNS request.

@kiwi, the article you mentioned probably needs updating, DNS sinkholing in itself is very useful and effective, however in this specific case, looks like it's not being used.