> After about 5 minutes the employee came back with the news that the registration of the domain had triggered the ransomware meaning we’d encrypted everyone’s files (don’t worry, this was later proven to not be the case), but it still caused quite a bit of panic. I contacted Kafeine about this and he linked me to the following freshly posted tweet made by ProofPoint researcher Darien Huss, who stated the opposite (that our registration of the domain had actually stopped the ransomware and prevent the spread).
That's quite an high abstraction level programming thing to do to use a domain name registration state as a boolean. Is that a regular thing ?
I believe the malware was designed to do that as part of a way to test and see if it's in a sandboxed environment if someone was trying to analyze it. If I understood this correctly, checking the domain was a way to do that (although I might be completely wrong).
It was explained quite clearly in the article. Sandboxed environments will generally have a catch all that replies to any IP requests with a sinkhole server. To prevent analysis, it'd do a lookup to a known unregistered domain and if it got back an IP address (which should not happen except in the sandbox with an unregistered domain) then it quits because it assumes it's sandboxed and being analyzed.
I still can't understand how the malware authors could be so smart (or, if not smart, at least competent enough to build ransomware from scratch, make it wormable with ETERNALBLUE, and launch a massive and effective spam campaign) and yet so stupid.
They could've achieved the same sandbox detection effect by just registering the domain and pointing it at 1.1.1.1 or whatever. The non-sandboxed connections would still fail, and no one else could take the domain.
I find it interesting that they didn't randomize a couple of long strings and tried to resolve those instead like the article mentioned has been done in the past
I would guess that a simple DNS/HTTP works just as well. In contrast checking for vmware processes or similar would probably result in a code signature that can be picked up much more easily by malware scanners.
All I understood was that you seemed unsure about the purpose of the domain check, so I pointed you in the right direction. Sorry if that came off as condescending.
It's a fairly regular thing. If you are a Google Chrome user, then your WWW browser has been doing much the same check, for fairly similar reasons (detecting whether it is running inside an environment where DNS service is being generally altered to redirect clients to a special server), for the past half decade.
Wow, now, let us imagine using aggregation of millions of states of human minds as a Boolean constant used in millions of scenarios for about four years straight.
That's quite an high abstraction level programming thing to do to use a domain name registration state as a boolean. Is that a regular thing ?