05-15-2017 07:31 AM - edited 05-15-2017 07:33 AM
Why Palo is not sinkholing DNS queries to the kill switch URLs? Currently if I run a DNS lookup request for the kill switch URL, it come back with the valid DNS response. shouldn't this be sinkholed?
When the guy "accidentally" found the kill switch, I thought, Palo would be able to do this as well. But alas, it didn't and still hasn't yet, I guess there must be an reason behind this, anyone knows why?
05-15-2017 07:50 AM
The kill switch works when the malware is able to reach out to the killswitch domain. If you block/sinkhole/prevent access to that, then the malware will do its thing and encrypt/ransom your data.
05-15-2017 07:42 AM
Hi @Fengrui,
Palo Alto Networks customers are protected from WanaCrypt0r ransomware through multiple complementary prevention controls across our Next-Generation Security Platform. Please refer to the following post for more details :
Cheers !
-Kiwi
05-15-2017 07:50 AM
The kill switch works when the malware is able to reach out to the killswitch domain. If you block/sinkhole/prevent access to that, then the malware will do its thing and encrypt/ransom your data.
05-15-2017 07:59 AM
@jvalentine, I think if you sinkhole the the killswitch domain, then the malware will exit and do nothing? As it thinks being analysed in a sandbox environment? That's my understanding how the killswitch worked. You can't block it though.
@kiwi, for DNS sinkhole to work, the domain/URL have to be regarded malicious by palo to start with, and it seems this is not the case yet, we have DNS sinkhole configured in our environment, I'd expect the DNS query internally to the killswitch domain would come back with the sinkhole bogus IP, however it didn't.
05-15-2017 08:13 AM
@Fengrui according to this article, if the killswitch domain is accessible, the malware will halt.
05-15-2017 08:18 AM
cool, this is great, thanks @jvalentine, this explains why Palo is not sinkholing the DNS request.
@kiwi, the article you mentioned probably needs updating, DNS sinkholing in itself is very useful and effective, however in this specific case, looks like it's not being used.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
