Wolfe Galvin it can't be known if that's why, but if so they would normally use C&C servers to do such things. You are already breaking the law and blackmailing people, why would you care?
Ryaji-San yep, that's basically the point of this stuff, and if they wanted to stop it or update the malware they would just send patches from the command and control server like most malware does.
XP wasn't among the infected computers; the only confirmed infections of XP were researchers infecting it by hand. Windows 7 was the main infected OS. As for the "kill switch", it's most likely a sandbox detection thing, not a kill switch, but it was badly implemented.
The kill switch exists because in a lot of virtual machines unregistered domain names will return an IP address (an unused local network IP address), so it is used as a method of detecting if the malware has infected a VM system, which is usually not worth encrypting for ransom.
Randall Stephens Hence the part where he mentioned there was no reliable way to get files back to those ransomed, and many infected that paid did not see restoration.
True, but that's not such an odd assumption; past ransomware attacks typically have resulted in people's files getting decrypted upon payment. Why the hackers bothered is frankly beyond me, but it does make the fact they didn't bother with WannaCry at least slightly notable.
I'm 25th! I'm so happy I wannacry edit: by 25th I meant 25th comment btw but I appreciate the birthday well wishes. I'll try to remember them when I turn 25.
For anyone wondering, the suspected reason for the inclusion of a killswitch was an attempt to delay people trying to crack Wannacry's code. From what I have read, when the virus is loaded into a simulator, the gibberish URL would read as registered and then immediately pull out of that system so that the virus could not be "tested". However, since they hardcoded the URL, it was much simpler to just register that URL so that it would keep pulling out of any system it infects.
SheosMan117 information trading is one of the oldest and most lucrative businesses to ever exist. And Shadow Broker is a cool af name but also kind of teenage edgy.
I was reading on Ars Technica that XP wasn't an infection vector for the attack because in XP the attack on the SMB caused the system to crash before the files could be encrypted. This overwhelmingly affected Windows 7. 10 was never vulnerable to the SMB issue afaik.
It was actually not entirely true. The number of Windows XP computers affected by WCry was very very low. It would simply BSOD on them. The bulk of affected computers were running Windows 7 x64 bit.
To be honest, the only reason I don't update is because sometimes new things are added and maybe new filters on the screen or something is added which I don't want and can't remove. So updating to protect myself from a virus is not worth it if my computer is going to be near unusable in the first place.
The kill switch system makes sense. They can set up their local networks to lead to an 'intranet' page whenever that URL is entered from within it. They might have been scared of accidentally infecting themselves.
Wannacry was actually somewhat kind to people. They were like, in 6 months they will have an event where you can get your files back if you're too poor to buy them back.
I recently had an IT interview with the NHS, they assured me that it was impossible to hack their systems - I didn't get the job, but I came away laughing at them, not their patients who were the ones who really suffered.
My Windows 7 PC has a Windows 10 ad generator that snuck in with a security update. My laptop with Windows 10 is full of Microsoft spyware because I won't pay $900 for the enterprise version. Why does the enterprise version of Windows 10 have no ads, no spyware and the ability to set updates to manual installation, but the home and pro versions are both loaded with spyware and ads in addition to the auto restart to install updates (even if you are using the computer)?
If the NSA used the exploit, then when it was leaked why didn't they use their resources and update all the machines vulnerable. It's a national agency, they do unconstitutional stuff all the time anyway.
Without a warrant they generally don't look into your computer, even with a warrant that's the FBI's job usually. NSA is far more concerned about the computer traffic in Russia and the middle east and how to exploit North Korean nuclear test equipment/computers than they are about your porn collection.
I think you mean to say the citizens can't trust their own government. Munashiimaru, the nsa datamines anything they can get, without a warrant, cause they're never held accountable for it.
The hospital I work in didn't get infected as we use Windows 7 but we shut everything down as a precaution, that caused chaos as we're one of a few NHS trusts to be completely electronic. The hospital I worked in last year got infected as they use operating systems/programs from the late 80's/early 90's in some instances!
The kill switch was a misguided attempt at slowing down analysis. The environments we use would respond to that request, so they used this to tip the program off to the fact that it was being studied.
The kill switch was probably a way for the malware to detect if it was being studied in a lab. This is quite common, malware writers often try to make it so that their malware will behave differently when it is being studied (ie, debugging software, virtual machines etc).
Mass overhauling an OS on a large scale is actually incredibly difficult, because doing it all at once can often leave the whole system down and needing to replace large amounts of things all at once, and it takes out the operations for way too long. If trying to do it in parts, the parts of the system are usually interconnected, so taking one part offline to change it basically wrecks anything adjacent that relies on it. We had this issue in a big store chain I worked at. Our inventory system was incredibly inefficient and relied solely on human knowledge. We carried a large array of things from just about everywhere; our inventory was different every single day. And I don't just mean season to season, we basically had no set inventory, think thrift store. So if you needed info on an item, you had to call someone who just knew roughly where it belonged to check the prices. People basically generally knew what types of things we carried and what the price was likely to be and how to estimate one if needed. You gained that knowledge simply by working there long enough to get a feel for how we did things. Obviously this was incredibly inefficient and reliant on competent workers. But to overhaul it would have meant changing absolutely everything: the way we sort, how we scan, all our equipment. It was possible to set it up as automatic for sure, but for an extremely busy store in a worldwide company the effort would have been enormous. Basically they decided that having an inefficient human-powered system was still cheaper and less hassle than overhauling it. That's the thing, just because there is a better option doesn't mean it's actually more suited. If all you need is to work with Word documents, using a supercomputer isn't actually more useful than an old beat lappy. Yeah, you could make dog leashes out of Kevlar string, but nylon is more than enough.
In factories many processes could be done by robots, but they still hire just a ton of people to do rote repetitive tiny work, because, especially for smaller orders, it's STILL cheaper to just pay people to basically just be a biomechanical arm. Upgrading to Win 10 when XP is already doing exactly what you need is a waste of time and resources. Unfortunately stuff like this pops up occasionally.
I blame: 1. All of the companies full of technologically literate white-collar employees who are trusted to make decisions worth thousands or millions of dollars every year, but aren't given administrator privileges on their computers and need to spend 2 hours arranging for an IT guy to do a 5-minute task. 2. All of the companies who would rather bear the cost of their employees being half as productive than bear the cost of new computers every once in a while. I know what Hank said about the hospitals, but sometimes they're already using the software on the newest OS, but drag their feet on getting all employees up to speed.
The kill switch was far from an amateur mistake. It was designed so that when the malware was being studied in a computer laboratory to find out how it worked, the worm would instantly realise it was being studied and immediately terminate all of its processes.
Microsoft actually did release a patch for Windows XP to fix the SMB bug, which kind of surprised all of us in the IT field. But there was a bug in the WannaCry code that actually stopped it from being able to infect XP. Also the theory about the kill switch is that it was put there in order to help the malware detect if it was in a sandbox, which would mean a security researcher was testing it. Their mistake was to not just randomize the domain name it checks (i.e. random characters with a .com on the end).
I'm pretty sure I've only not heard of this because I don't use windows, one main reason is that it's just like "ok, time to update, I'm closing your stuff, bye, see ya in an hour or two!" And you can't stop it
In MARCH, Microsoft released a patch. The vast majority of machines infected by WannaCry were Windows 7 machines still supported by Microsoft. Why is it people seem to think avoiding patches is a game? Every major computer outbreak in recent times it's the same story: a patch to fix the hole/bug/exploit was released months if not years before the major exploit of it. We've gotten to the point you can no longer blame the software; it's the space between the keyboard and the chair that's the problem. (The User) To the argument of a patch breaking your software, I'd rather deal with a scheduled software break than an unscheduled software attack.
In all cybersecurity, the user is the weakest link that one has to work around. Remember that an entire political campaign for President of the United States was sunk by a virus that a 14-year-old could make because the user was technologically illiterate.
As Hank said, all the MRI machines and other such things needed specific software to run and upgrading would cost time and money and require re-calibrating which would've added long waiting times. And the Government didn't give enough funding to NHS IT departments which is so desperately needed.
The "Kill switch" was only used as a way to determine whether it was sandboxed. A sandboxing application would have returned something to the program, so it didn't get suspicious. However, knowing that it was a garbage URL, WannaCry would stop in its tracks, because it would know it was sandboxed. It wasn't a kill switch, but a clever tactic to see if it was running on a live system or sandboxed.
There are a few problems with this video. Windows 10 was never in danger. The exploit didn't exist on Windows 10. Also, a security patch (the first in 3 years) was released for Windows XP, despite being out of support. WannaCrypt affected Windows XP, 7, 8, and the related server versions, all of which have now received patches (assuming the update has been installed).
For those trying to understand why the attackers built a kill switch - it's basically an anti-analysis mechanism whereby the malware kills/deletes itself before a security researcher can get access to its code in a sandbox environment. The sandbox environment is designed to intercept communication between the malware and any internet address. This is done to figure out what exactly the malware is communicating with that internet address, even if the address doesn't exist in the real world. Basically once a malware gets into a system there are two things that can happen: 1) It's a normal computer. It tries to reach a non-existing address, and if the malware doesn't get a response as expected, it assumes it's safe to operate and wreaks havoc. 2) It's a researcher's sandbox. It tries to reach a non-existing address, but the sandbox responds to the malware's probe hoping to snoop in on the communication. The malware, expecting no response from this address but receiving one, realizes it's on a security researcher's sandbox, so it deletes itself before the researcher can get his hands on it to reverse engineer and disable/release a patch for it.
Let me clear something up - in the industry nobody cares about the latest OS if it is practically the same and doesn't bring any benefit for the money paid. The lasers in our factory will forever run on XP, because there is no point in updating it. The software runs perfectly, so why bother?!
4:03 "It's not clear" - no, actually it's well known why. This is done to detect if you are running in a virtualized environment (maybe a research team analyzes the application); if it is, then you disable the functionality so it is not detected. Actually it was not only 1 domain, there were multiple.
The thought of some guy in London dicking around with a virus to see what would happen and then accidentally stopping the damn thing is so funny to me.
To be clear, wcrypt spread through SMB1, the first iteration of SMB that was created in like the late 80s or something, and isn't used by "lots of people all the time", but rather "few people and companies, even though they shouldn't". Regardless, the port used by SMB1 is kept open in all versions of Windows just to keep those few people happy, so here we are.
Hey there, SciShow! I have a personal request for the topic of cerebral aneurysms! I experienced a rupture when I was 19, and the suddenness and severity of them would make for a good informative video for the public! Thank you!
porteal Windows is very user friendly and has a lot of software (including security related) supporting it. The larger problem is the OS version. Problem is, older, use-specific hardware such as ATMs, MRIs, gas station pumps even, are often built to be able to run the most recent OS at that time. When it was new, as long as these machines stayed up-to-date, they were secure. When they didn't have the ability (such as processing power) to upgrade, and the OS became outdated is when they became vulnerable. Unfortunately, this is unlikely to change. Products are often built to serve a current function, not a possible future one, to save costs. The best option is just to keep important information backed up.
The kill switch was added to check if the malware was run on a simulated network (this is a technique often used in virtual environments by malware analysts to emulate network traffic without actually having to let the malware wander around the internet)
This is NOT TRUE. The NHS was not up and running again within a day of the attack. Staff were sent home for days after because they could not work on the computers.
At my dad's hospital (he works in IT, and is married to an IG manager) they shut down all of the computers, so they couldn't be infected, but then they still couldn't access the data...
I thought the point of the killswitch domain was so that the virus could tell whether it was running in a sandboxed environment. If it was running on a security researcher's computer and checked to see if the domain was registered, it would come back positive inside the sandbox and the virus wouldn't install, but in the real world, the gibberish domain was intended to remain unregistered so the virus would spread.
Tang Nhat you don't know that; there are many exploits for Linux, and just because they don't leak doesn't mean it is safe. It's an NSA exploit with slight modification. Linux runs on servers, so if that code leaks, surely the black hats will modify that code too.
When you wrote "it's an NSA exploit" did you mean "it's an NSA pre-built-in backdoor"? Because that's what it looks like. Surely Linux has exploits, but mostly in third-party packages (such as Samba).
Why would you use Wine for SMB? Wine is used very little, if at all. Unix already has as good a general software selection as Windows, so you will need Wine only in very marginal cases.
@equivalent most 'free' software developed for Linux and other Unix OSes is extremely amateurish though. Most professional software is only available for Windows and/or Mac.
Supposedly the kill switch is there to defeat people from studying the virus in virtual machines. In a virtual machine, all domains will appear to exist, so if the program checks for a domain that *shouldn't* exist and it comes back positive, it can tell it's in a virtual machine and stop working so it can't be studied. It's a nifty idea but easily defeated once figured out.
The reason the kill switch was implemented was to prevent testers from experimenting with and containing WannaCry. Typically, when trying to see how a virus works, it is placed in an isolated computer environment that is set to automatically answer any request an infected computer would make to the internet. If you try to test WannaCry, it tries to get a response from that bogus URL. If it gets a response, it knows it is in a test environment, shuts down, and tries to delete itself. When that person registered that domain and put a server on it that responded to WannaCry, the ransomware destroyed itself.
You're right, it's only the fact everything the NSA did was blown wide open, Obama did nothing, and didn't pardon Snowden or any other leakers that came forward.
Hearing people describe Obama's presidency as "scandal-free" is always hilarious to me, as between his agencies running amok and the mishandling of crises like the 2008 crash, a lot of stuff is being ignored to make that claim.
Registering the domain was not exactly a signal. When WannaCry attacks a computer, it refers to a certain domain address to see if it is up. If the domain is running, the virus is still inside the computer, it just doesn’t encrypt the file system
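Following the point above that a registered (sinkholed) kill-switch domain leaves a host infected but idle, here is an added example that is not from the video or any commenter: a Python triage script over constructed resolver logs that flags hosts which looked up the kill-switch domain, since such a lookup means the sample ran there whatever the answer was. The domain name is a placeholder (the real ones are not given on this page), and the log format and log lines are constructed for the example.

```python
"""Flag hosts that looked up the WannaCry kill-switch domain in DNS logs.

Added example, not from the video or the comments. Once the kill-switch
domain is registered, an infected host stays infected but does not encrypt,
so a resolver-log hit for the domain is a signal that the sample ran there.
The domain below is a PLACEHOLDER, not the real one; the log format and the
log lines are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime

# PLACEHOLDER for the real kill-switch domain(s); the worm used more than one.
KILL_SWITCH_DOMAINS = {"killswitch-placeholder.example"}

# Constructed resolver log, one query per line:
# "<ISO timestamp> <client ip> <queried name> <response code>"
SAMPLE_LOG = """\
2017-05-12T10:01:03Z 10.0.4.17 www.example.com NOERROR
2017-05-12T10:02:41Z 10.0.4.23 killswitch-placeholder.example NOERROR
2017-05-12T10:02:42Z 10.0.4.23 killswitch-placeholder.example NOERROR
2017-05-12T10:03:10Z 10.0.7.5 mail.example.net NOERROR
2017-05-12T10:05:57Z 10.0.9.2 KILLSWITCH-PLACEHOLDER.EXAMPLE. NXDOMAIN
2017-05-12T10:06:00Z 10.0.4.17 updates.example.org NOERROR
"""


def parse_line(line):
    """Return (timestamp, client, qname, rcode) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, rcode = parts
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    # DNS names are case-insensitive and may carry a trailing root dot.
    return when, client, qname.lower().rstrip("."), rcode.upper()


def find_killswitch_lookups(log_text, domains=KILL_SWITCH_DOMAINS):
    """Map each client that queried a kill-switch domain to its evidence.

    Every query counts, regardless of the answer: with the domain sinkholed
    the answer is NOERROR and the host is infected but idle; with NXDOMAIN
    the sample believed it was on a real network and would have proceeded.
    """
    hits = defaultdict(lambda: {"first_seen": None, "count": 0, "rcodes": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        when, client, qname, rcode = rec
        if qname not in domains:
            continue
        h = hits[client]
        h["count"] += 1
        h["rcodes"].add(rcode)
        if h["first_seen"] is None or when < h["first_seen"]:
            h["first_seen"] = when
    return dict(hits)


def triage(log_text):
    """Return (client, first_seen, query_count, likely_encrypting), oldest first."""
    rows = []
    for client, h in find_killswitch_lookups(log_text).items():
        # NXDOMAIN means the check "passed" from the sample's point of view,
        # so that host is the one to isolate first.
        likely_encrypting = "NXDOMAIN" in h["rcodes"]
        rows.append((client, h["first_seen"].isoformat(), h["count"], likely_encrypting))
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```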
5:00 this was the first time we have tangible evidence that a law enforcement agency colluded with a private company to include a weakness in software plenty of people don't have a choice to not use.
One of the reasons people have been avoiding Microsoft updates is because the company has developed a nasty habit of putting "telemetry" tools in them, and not telling users just what information is being sent back to the company (outside of vague terms like "keystrokes"). Not to mention Win10's grouped updates that have gone so far as to brick some systems.
Would upping your recording frame rate help with green screen artifacts? You could still upload with 30fps, or whatever your default is, but when removing the green screen, you would have less motion blur...
The "kill switch" was probably a last resort effort if the virus started causing major damage to systems they didn't want it to actually mess with. For example: the files that contained all the encryption keys.
It's possible that the "kill switch" is actually intended to detect if it's a VM - a VM may still report the website even if it wasn't registered, so in that case, it doesn't activate specifically to confuse security researchers trying to run it in a sandbox to figure out how it worked.
I'm late to watching this video, but I just wanted to comment and say thank you for the explanation that was easy to understand. I don't know much about computers, but you explained this in a way that I could grasp.
The "killswitch" domain is a pattern used to bypass virus scans. Simply put, it's a way for the virus to know if it is executed by a sandbox (antivirus) or the OS itself. If it's a sandbox (antivirus), the virus doesn't activate and thus, bypasses it.
The guy who stopped it wasn't anonymous for long. He tweeted about how tabloids doxed his friends and blackmailed them to get his address, phone number etc. He said it was the worst experience of his life
Jebus Gaming Journalism at its finest.
Do you know his twitter?
Tabloid owners and journalists should be shot lol
Justin Craig I know this is hella late but doxing someone means to release someone’s personal information without their consent
@@idkidk8884 his name is Marcus Hutchins
adding that kill switch is like a mad scientist putting a big self destruct button on a giant evil robot
It was supposed to make it harder to analyze, the idea being that in a quarantined machine, registering the domain within the quarantine would kill the sample. Unfortunately for the hacker, the guy analyzing it did not have his sample quarantined.
And the button is in its foot
phineas and ferb anyone?
god dammit I was going to make a comment on that phineas and ferb reference but you people beat me to it :U
Doofenshmirtz
"Cyber-security whack-a-mole." Made my night.
There are many ways in which cybersecurity is a game of Whack-a-Mole.
823 likes WOW!
You'd be surprised how often that sort of thing pops up in computer science as a whole.
Shadow *BROKERS*
Definitely not English speaking.. so maybe Russian.
kill-a-virus
Can we discuss for a moment that our hero was doxed by british tabloids? Real shitty way to treat someone who prevented extreme infrastructure damages.
Anyone that cared about the anonymous guy's identity could've looked up who's the owner of the domain... Yeah it's shitty they didn't respect his wish. But it's not like it was that hard to find his identity either, since it was basically public.
That surprises you? News media - and tabloids in particular - would sell their own mother for a few readers more.
Though the public isn't blameless. For years - or even decades, "serious" news outlets have struggled to make a buck with waning subscriptions. The level of journalism has dropped as readers flock to "free" ad-based formats that use click-bait sensationalism to generate traffic.
The reasons for this development are many and complex, so I won't go further into detail (hell, I think I could make a plausible argument for how the modern economy - and the industry in particular - is in part to be blamed for this).
Bird_Dog it can be dumbed down to:
Subscription news - accurate but directly costs users
Ad based - grumpy little chucks who will do anything for views
They didn't "Just look him up", they blackmailed several people he was familiar with to get all the information they could on him.
Whether you can find it easily or not doesn't mean it's alright to write an article and publish it for all to see.
Microsoft should have said in the update "NSA did a goof, now there's a gaping hole in your security and this update fixes it."
Agreed.
Or just made it force you to update.
I remember when WannaCry hit, I was doing contracted dev work for Telefonica, and they were a real pain to deal with. Got the week off work, 10/10 would recommend.
love this.
Here's the thing though, when software companies consistently release patches or updates that make the software worse for end users, like adding more advertising, placing additional restrictions, changing UI, or generally pushing unwanted "features" (I'm looking at you, Skype), I can't say I totally blame people for being reluctant to update.
"This is like SKYPE, every time they fix something, SOMETHING ELSE BREAKS!" -Kiandymundi (I totally understand skype's gone down hill :/)
I remember a Skype update that was so bad that it was just using up 90% of my CPU for no reason.
Blabla130 then advise companies to use Unix software. I use Ubuntu, and in all the years that I have, I never had problems with any computer.
You can opt to install only security updates.
Blabla130
especially the old trick with Microsoft hiding a Windows 10 pop-up ad generator in a Windows 7 security update, and they lied about it until someone showed a demonstration on TH-cam and posted it to Microsoft's forums
"What operating system does it use?"
"It's... erm... Vista!"
"WE'RE GOING TO DIE!"
IT Crowd?
Yessir
Just want to say this....Love you scishow :)
Sara Huang army!
Lesson learned: always update your OS and if you're using XP this was a harsh lesson :) I bet Microsoft is going to make more money than the "Hackers" by selling a lot of Windows 10
Bassam N plot twist: Microsoft was behind it all along.
John too.
Microsoft released a patch in March, so they are definitely not behind it
Seems obvious to me that NSA should pay for this, and then some. Teach them to snoop around.
Shameless Jack snooping kind of is the nsas job
USA should pay for it.
Should the DoD pay for any damages from Chinese and other militaries that are able to copy or make use of US designs? Or should we stop building aircraft?
Every other country gets advantages of snooping on other countries. Unless you want to cripple our military, empower enemies who still use spies, etc. the NSA should be allowed to keep looking into technical weaknesses to exploit. Because if you're willing to shoot artillery shells at our enemies and potentially have guns fall into hands of our enemies, why not allow our military to use cyber weapons?
Otherwise, just ban the use of M16s then, because they'll fall into the hands of bad guys too much.
I think we should have the hackers' heads on a stick, they're the ones who remade it into a virus.
Why should they pay for it? If you see a gun on the street and you don’t take/use it, would it be your fault? No
could you prevent it? Yes!
Do you have to? No, you owe nobody anything
"Having a kill switch is an amateur mistake": Viruses are usually things you have no control over, releasing a virus is a risk for your own computer as well.
Or, was it Microsoft saying "Hey, Update or else!!!"
Boberdown Annon Also, "internet files that decrypt as long as you haven't reboot". Not only does that sound suspicious but it is also completely useless, because WannaCry encrypted files are 100% unrecoverable and you MUST reboot in order to activate Safe Mode to remove WannaCry.
Subaru? Do you work for Microsoft? You seem to know a lot about computers
@@RKthehedgehog no, the encryption keys are stored in memory, they fetch that from memory and rely on the fact that it is still there, you don't know what you're talking about
@@universenerdd we have the same pfp what a chance
the vast majority of affected users were using Windows 7
Windows is nothing but spyware, the NSA is massively ineffective, and now they're actually creating security risks. This is what having a bloated military budget does for you.
Yes, unpatched Windows 7.
Correct - I've heard multiple people say (fb friends who do IR) that it's hard to get xp infected before it crashes.
I really think (a week after the attack) something this simple should've been caught pretty early in the writing process.
Glad I stopped using it lol
This has already probably been said, but the prevailing theory on why the kill switch domain was in the code was to make it harder for people to analyse the virus. A general practice in malware analysis is to put the virus in an environment where it cannot do much harm or get out. These environments also usually just respond to any requests the program makes with fake data, so it thinks it is getting out but it is not. The kill switch worked by the thought that if it gets anything back from the fake website, it must be due to it being studied. Obviously this did not work as planned, but that at least says what they wanted to do.
Ryaji-San that's the theory, the thing is the best practice for that is for the malware to generate a completely random URL (a random string of characters has almost no chance of being used),
the environment that the malware is trying to figure out if it is in specifically is a virtual machine, the reason being that it is much easier to study and view what it does, get memory snapshots etc...
one of the common things VMs do is reply that a domain is registered when it isn't, since it's just a forwarding agent to the real computer,
other common practices for finding out if you are in a VM or protecting from study are: if the CPU count is less than or equal to 2, stop running; or just armoring the malware, using memory obfuscation, code obfuscation, messing with the memory table so that memory snapshots cannot be analyzed, the list goes on....
or maybe they have a kill switch just so that it can be stopped in case things really got out of hand.
Wolfe Galvin I mean, I don't see how it could get out of hand, it's purpose is to spread as much as possible. So getting huge and fast is kind of the point.
Wolfe Galvin it can't be known if thats why, but if so they would normally use C&C servers to do such things, you are already breaking the law and blackmailing people, why would you care
Ryaji-San yep, thats basically the point of this stuff, and if they wanted to stop it or update the malware they would just send patches from the command and control server like most malware does
XP wasn't among the infected computers, the only confirmed infections of XP was researchers infecting it by hand. Windows 7 was the main infected OS.
As for the "kill switch" it's most likely a sandbox detection thing, not a killswitch, but it was badly implemented.
The killswitch exists because in a lot of virtual machines unregistered domain names will return an IP address (an unused local network IP address), so it is used as a method of detecting if the malware has infected a VM system, which is usually not worth encrypting for ransom.
I love the portrayal of the ransom payment system here--it assumes the hacker actually intended to restore anyone's files after they paid.
Randall Stephens Hence the part where he mentioned there was no reliable way to get files back to those ransomed and many infected that paid did not see restoration.
True, but that's not such an odd assumption; past ransomware attacks typically have resulted in people's files getting decrypted upon payment. Why the hackers bothered is frankly beyond me, but it does make the fact they didn't bother with WannaCry at least slightly notable.
Robert Faber probably to give people a reason to actually pay up
Because they might consider making more ransomware. If you don't provide decryption, your first hit will also be your last.
what I was gonna say
And I just clicked "later" on an update as this video was starting 😂
I'm 25th! I'm so happy I wannacry
edit: by 25th I meant 25th comment btw but I appreciate the birthday well wishes. I'll try to remember them when I turn 25.
BeoJack 👏
BeoJack kk
BeoJack happy birthday 🎂
BeoJack I get that joke
[iX]smasher Well then, you must be smart.
For anyone wondering, the suspected reason for the inclusion of a killswitch was an attempt to delay people trying to crack Wannacry's code. From what I have read, when the virus is loaded into a simulator, the gibberish URL would read as registered and then immediately pull out of that system so that the virus could not be "tested". However, since they hardcoded the URL, it was much simpler to just register that URL so that it would keep pulling out of any system it infects.
Wait, Shadow Brokers? You mean, Mass Effect's most infamous information trader is real?
They wish they were that cool.
Well, they serve a very important purpose. I think they're much cooler than fictional organizations if they're doing the same things IRL.
SheosMan117 information trading is one of the oldest and most lucrative businesses to ever exist. And Shadow Broker is a cool af name but also kind of teenage edgy
DEEPKNOWERS
DARKSEERS
NIGHTSNOOPERS
well, it IS just a title passed down
Shadow brokers? Didn't know we were in Mass Effect 2.
seems like wanna cry was a distraction, but could've been something a lot more... troublesome.
Sleepy Drifter A distraction from what though?
I doubt it, it should be a wake up call to everyone. People need to realize that the NSA isn't making them safer, it's putting them at risk.
EternalRocks looks to be harmless.
www.bleepingcomputer.com/news/security/author-of-eternalrocks-smb-worm-calls-it-quits-after-intense-media-coverage
Heh, this incident only shows that something similar may be happening right now. And we don't know it yet.
I was reading on Ars Technica that XP wasn't an infection vector for the attack because in XP the attack on SMB caused the system to crash before the files could be encrypted. This overwhelmingly affected Windows 7. 10 was never vulnerable to the SMB issue afaik.
It was actually not entirely true. The number of Windows XP computers affected by WCry was very very low. It would simply BSOD on them. The bulk of affected computers were running Windows 7 x64 bit.
It is well known why the "kill switch" existed - for VM detection ...and the hackers made $0 from the attack because the bitcoins are NOT anonymous
To be honest, the only reason I don't update is because sometimes new things are added and maybe new filters on the screen or something is added which I don't want and can't remove. So updating to protect myself from a virus is not worth it if my computer is going to be near unusable in the first place.
Who knew having my PC disconnected saved me from this ransomware
I always update and backup almost everything I have on my PC.
Gotta keep my memes safe!
A small hospital near me had to pay the ransom (something like $40,000 USD) because they had no backups; they had no choice but to pay
The kill switch system makes sense. They can set up their local networks to lead to an 'intranet' page whenever that URL is entered from within it. They might have been scared of accidentally infecting themselves
Thank you, SciShow, for reminding me to update my backups. I'll have to get on that tomorrow.
did you update them yet?
did you do it ?? we would like to know !!
Lol, it seems like everyone forgets Win8. Still my favorite operating system. After a few slight mods, it runs way better than 7 or 10.
But why will you use windows on server?
What does Apple use for their servers?
WHAT ABOUT WIN 7?
Wannacry was actually somewhat kind to people. They were like, in 6 months they will have an event where you can get your files back if you're too poor to buy them back.
thx for another gr8 vid john green
You mean hank green?
aaron silvera thats the joke
I recently had an IT interview with the NHS, they assured me that it was impossible to hack their systems - I didn't get the job, but I came away laughing at them, not their patients who were the ones who really suffered.
I wouldn't mind updating if Microsoft didn't hide Windows 10 ad generators or spyware programs in the updates
my Windows 7 PC has a Windows 10 ad generator that snuck in with a security update
my laptop with Windows 10 is full of Microsoft spyware because I won't pay $900 for the enterprise version
why does the enterprise version of Windows 10 have no ads, no spyware and the ability to set updates to manual installation, but the home and pro versions are both loaded with spyware and ads in addition to the auto restart to install updates (even if you are using the computer)
0:49 backups do 999999999999 damage to ransomware
Plot twist: SciShow launched the attack just to make this video.
Watched many videos on the WannaCry attack, but this one is the best and most concise video available on the whole of YouTube!
If the NSA used the exploit, then when it was leaked why didn't they use their resources and update all the machines vulnerable. It's a national agency, they do unconstitutional stuff all the time anyway.
NSA's job is to gather intelligence on foreign countries not make sure you're keeping your operating system up to date.
Because the government can't trust its own citizens.
Without a warrant they generally don't look into your computer, even with a warrant that's the FBI's job usually. NSA is far more concerned about the computer traffic in Russia and the middle east and how to exploit North Korean nuclear test equipment/computers than they are about your porn collection.
Red Star Linux was a disaster, they probably have a foothold in that already.
I think you mean to say the citizens can't trust their own government.
Munashiimaru, the nsa datamines anything they can get, without a warrant, cause they're never held accountable for it.
I’m a computer gamer...
Who just happened to not be on my computer for 80% of 2017. Including those days.
Wow. Soooo lucky.
"Haha take that Windows" said apple looking for its lost 300 dollar earpods
The hospital I work in didn't get infected as we use Windows 7 but we shut everything down as a precaution, that caused chaos as we're one of a few NHS trusts to be completely electronic. The hospital I worked in last year got infected as they use operating systems/programs from the late 80's/early 90's in some instances!
Maybe this was a test?...
Glorval MacGlorvas
Nah. Just a lucky hacker group in Russia that had no clue how to manage ransomware.
why purposely put in a kill switch though? Seems odd. Not that they forgot to remove a kill switch, they **put in** a kill switch
Exactly why I think it was a test, they would've included the kill switch to turn it off if it got out of hand.
wouldn't the test getting out of hand BE what they want?
The kill switch was a misguided attempt at slowing down analysis. The environments we use would respond to that request, so they used this to tip the program off to the fact that it was being studied.
The kill switch was probably a way for the malware to detect if it was being studied in a lab. This is quite common, malware writers often try to make it so that their malware will behave differently when it is being studied (ie, debugging software, virtual machines etc).
shadow brokers? Mass Effect, anyone?
Well I’m never gonna skip another update again
Windows updates tend to break the OS. I'm never eager to update. EVER.
Mass overhauling an OS on a large scale is actually incredibly difficult, because doing it all at once can often leave the whole system down and needing to replace large amounts of things all at once, and it takes out the operations for way too long. If trying to do it in parts, the parts of the system are usually interconnected, so taking one part offline to change it basically wrecks anything adjacent that relies on it. We had this issue in a big store chain I worked at. Our inventory system was incredibly inefficient and relied solely on human knowledge. We carried a large array of things from just about everywhere; our inventory was different every single day. And I don't just mean season to season, we basically had no set inventory, think thrift store. So if you needed info on an item, you had to call someone who just knew roughly where it belonged to check the prices. People basically generally knew what types of things we carried and what the price was likely to be and how to estimate one if needed. You gained that knowledge simply by working there long enough to get a feel for how we did things. Obviously this was incredibly inefficient and reliant on competent workers. But to overhaul it would have meant changing absolutely everything. The way we sort, how we scan, all our equipment. It was possible to set it up as automatic for sure, but for an extremely busy store in a worldwide company the effort would have been enormous. Basically they decided that having an inefficient human-powered system was still cheaper and less hassle than overhauling it.
That's the thing, just because there is a better option doesn't mean it's actually more suited. If all you need is to work with Word documents, using a supercomputer isn't actually more useful than an old beat lappy. Yeah, you could make dog leashes out of Kevlar string, but nylon is more than enough. In factories many processes could be done by robots, but they still hire just a ton of people to do rote repetitive tiny work, because, especially for smaller orders, it's STILL cheaper to just pay people to basically just be a biomechanical arm. Upgrading to Win 10 when XP is already doing exactly what you need is a waste of time and resources. Unfortunately stuff like this pops up occasionally.
And this is a clear example of why businesses should update their systems.
I blame:
1. All of the companies full of technologically-literate white-collar employees who are trusted to make decisions worth thousands or millions of dollars every year, but aren't given administrator privileges on their computers and need to spend 2 hours arranging for an IT guy to do a 5-minute task.
2. All of the companies who would rather bear the cost of their employees being half as productive than bear the cost of new computers every once in awhile. I know what Hank said about the hospitals, but sometimes they're already using the software on the newest OS, but drag their feet on getting all employees up to speed.
The kill switch was far from an amateur mistake. It was designed so that when the malware was being studied in a computer laboratory to find out how it worked, the worm would instantly realise it was being studied and immediately terminate all of its processes
Microsoft actually did release a patch for Windows XP to fix the SMB bug, which kind of surprised all of us in the IT field. But there was a bug in the WannaCry code that actually stopped it from being able to infect XP.
Also the theory about the kill switch is that it was put there in order to help the Malware detect if it was in a sand box, which would mean a security researcher was testing it. Their mistake was to not just randomize the domain name it checks (ie random characters with a .com on the end).
2:19 bruh
I'm pretty sure I've only not heard of this because I don't use windows, one main reason is that it's just like "ok, time to update, I'm closing your stuff, bye, see ya in an hour or two!" And you can't stop it
In MARCH, Microsoft released a patch. Vast majority of machines infected by WannaCry, were Windows 7 machines still supported by Microsoft.
Why is it, people seem to think avoiding patches is a game? Every major computer outbreak in recent times it's the same story, a patch to fix the hole/bug/exploit was released months if not years before the major exploit of it. We've gotten to the point you can no longer blame the software, it's the space between the keyboard and the chair that's the problem. (The User)
To the argument a patch breaking your software, I'd rather deal with a scheduled software break than an unscheduled software attack.
In all cybersecurity, the user is the weakest link that one has to work around. Remember that an entire political campaign for President of the United States was sunk by a virus that a 14-year-old could make because the user was technologically illiterate.
As Hank said, all the MRI machines and other such things needed specific software to run and upgrading would cost time and money and require re-calibrating which would've added long waiting times. And the Government didn't give enough funding to NHS IT departments which is so desperately needed.
We should be mad at the NSA
The "Kill switch" was only used as a way to determine whether it was sandboxed. A sandboxing application would have returned something to the program, so it didn't get suspicious. However, knowing that it was a garbage URL, wannacry would stop in its tracks, because it would know it was sandboxed. It wasn't a kill switch, but a clever tactic to see if it was running on a live system or sandboxed.
There are a few problems with this video. Windows 10 was never in danger. The exploit didn't exist on Windows 10. Also, a security patch (the first in 3 years) was released for Windows XP, despite being out of support. WannaCrypt affected Windows XP, 7, 8, and the related server versions, all of which have now received patches (assuming the update has been installed).
I see you listed the patch for XP later in the video, after saying there was no support for Windows XP earlier in the video. Oops.
WannaCry having a kill switch is like every cartoon supervillain with a self-destruct button on their creations.
3:19 You're welcome in advance.
For those trying to understand why the attackers built a kill switch - it's basically an anti-analysis mechanism whereby the malware kills/deletes itself before a security researcher can get access to its code in a sandbox environment. The sandbox environment is designed to intercept communication between the malware and any internet address. This is done to figure out what exactly the malware is communicating with that internet address, even if the address doesn't exist in the real world.
Basically once a malware gets into a system there are two things that can happen:
1) It's a normal computer. It tries to reach a non-existent address and if the malware doesn't get a response, as expected, it assumes it's safe to operate and wreaks havoc
2) It's a researcher's sandbox. It tries to reach a non-existent address but the sandbox responds to the malware's probe hoping to snoop in on the communication. The malware, expecting no response from this address but receiving one, realizes it's on a security researcher's sandbox, so it deletes itself before the researcher can get his hands on it to reverse engineer and disable/release a patch for it.
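The two-case logic above (and the point several comments make about randomizing the probe domain instead of hard-coding it) is easy to see in a small simulation. This is an added example for this thread, not code from the video or from any commenter, and certainly not the malware's own code: the probe domain, the resolver functions and the sinkhole addresses are all constructed here purely for illustration.

```python
"""Simulation of a DNS-based sandbox probe of the kind the thread describes.

Added example, not the original sample's code. Domain names, resolvers and
addresses below are constructed for illustration and never touch the network.
"""
import secrets
import string
from typing import Callable, Optional

# A resolver maps a hostname to an IP string, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]

# Constructed stand-in for a hard-coded "should never exist" probe domain.
HARDCODED_PROBE = "qpwoeirutyalskdjfhgzmxncbv.example"


def should_run(resolve: Resolver, probe_domain: str) -> bool:
    """Return True if the sample would proceed, False if it bails out.

    The author expects the probe domain to be unregistered on the real
    internet, so any answer is taken as a sign of a sandbox that fakes DNS.
    """
    return resolve(probe_domain) is None


def random_probe_domain(rng=secrets) -> str:
    """Generate a fresh, effectively unique probe domain for this run."""
    label = "".join(rng.choice(string.ascii_lowercase) for _ in range(24))
    return f"{label}.example"


# --- constructed resolvers standing in for the environments discussed ---

def real_internet(registered: set) -> Resolver:
    """Real DNS: answers only for registered names, NXDOMAIN otherwise."""
    def resolve(name: str) -> Optional[str]:
        return "203.0.113.10" if name in registered else None  # TEST-NET-3
    return resolve


def fake_everything_sandbox(name: str) -> Optional[str]:
    """Analysis sandbox that resolves every name to a local sinkhole."""
    return "10.0.0.1"


def scenarios() -> dict:
    """Run the probe in each environment; True means the sample proceeds."""
    return {
        # 1) live machine, probe unregistered: sample proceeds
        "live_unregistered": should_run(real_internet(set()), HARDCODED_PROBE),
        # 2) sandbox that fakes DNS: sample bails (the intended effect)
        "sandbox": should_run(fake_everything_sandbox, HARDCODED_PROBE),
        # 3) someone registers the hard-coded name: every live machine now bails,
        #    which is what turned the probe into a global kill switch
        "live_after_registration": should_run(
            real_internet({HARDCODED_PROBE}), HARDCODED_PROBE),
        # 4) per-run random probe: registering yesterday's name changes nothing
        "live_random_probe": should_run(
            real_internet({HARDCODED_PROBE}), random_probe_domain()),
    }


if __name__ == "__main__":
    for name, proceeds in scenarios().items():
        print(f"{name:26s} -> {'runs' if proceeds else 'bails out'}")
```

The analyst-side lesson is scenario 3 versus scenario 4: a probe that fails open on NXDOMAIN is only as good as the secrecy of its domain. For anyone running a sandbox, the same simulation shows why a sample that does one DNS lookup and exits is worth a second run with the sandbox configured to return NXDOMAIN rather than a fake answer.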
let me clear something up - in the industry nobody cares about the latest OS if it is practically the same and doesn't bring any benefit for the money paid. the lasers in our factory will forever run on XP, because there is no point in updating it. the software runs perfectly, so why bother?!
4:03 "It's not clear" - no, actually it's well known why. This is done to detect if you are running in a virtualized environment(maybe a research team analyzes the application), if it is, then you disable the functionality so it is not detected. Actually it was not only 1 domain, there were multiple.
they still haven't released a patch for Windows 95, I'm pissed.
The thought of some guy in London dicking around with a virus to see what would happen and then accidentally stopping the damn thing is so funny to me.
Young Brit girl: "I'm on me mum's computer...v-room v-room."
Her mum: "Get off me computer!"
Young girl: "Awwww."
um
Um
Um
To be clear, wcrypt spread through SMB1, the first iteration of SMB that was created in like the late 80s or something, and isn't used by "lots of people all the time", but rather "Few people and companies, even though they shouldn't". Regardless the port used by SMB1 is kept open in all versions of Windows just to keep those few people happy so here we are.
Hey there, SciShow! I have a personal request for the topic of cerebral aneurysms! I experienced a rupture when I 19 and the suddenness and severity of them would make for a good informative video for the public! Thank you!
"As long as you haven't rebooted your computer", that's very useful.
hospitals need to get their computers off of windows
porteal Windows is very user friendly and has a lot of software (including security related) supporting it. The larger problem is the OS version. Problem is, older, use-specific hardware such as ATMs, MRIs, gas station pumps even, are often built to be able to run the most recent OS at that time. When it was new, as long as these machines stayed up-to-date, they were secure. When they didn't have the ability (such as processing power) to upgrade, and the OS became outdated is when they became vulnerable.
Unfortunately, this is unlikely to change. Products are often built to serve a current function, not a possible future one, to save costs. The best option is just to keep important information backed up.
The kill switch was added to check if the malware was run on a simulated network (this is a technique often used in virtual environments by malware analysts to emulate network traffic without actually having to let the malware wander around the internet)
This is NOT TRUE. The NHS was not up and running again within a day of the attack. Staff were sent home for days after because they could not work on the computers.
At my dad's hospital (he works in IT, and is married to an IG manager) they shut down all of the computers, so they couldn't be infected, but then they still couldn't access the data...
did Hank say 'only' about $100,000? that's more than some people make in 2 years
Joshua Peacock Relativity.
I thought the point of the killswitch domain was so that the virus could tell whether it was running in a sandboxed environment. If it was running on a security researcher's computer and checked to see if the domain was registered, it would come back positive inside the sandbox and the virus wouldn't install, but in the real world, the gibberish domain was intended to remain unregistered so the virus would spread.
That URL kill switch was a bait. This was just round one. Prepare for the second wave.
Kai Widman 2018... still waiting
ill just be extra careful
I'm responding almost a year later, and nothing yet...
Kai Widman
Been over a year.. So...
Man, I'm really curious to see what happens next.
I think a lot if not most ppl don't realize most updates you get, java, windows, adobe, etc. are specifically to patch security holes.
*[overeager conspiracy theorist voice]* So NSA did WannaCry. Got it.
"As long as you didn't reboot your computer"??? BRUH, that's like the first thing I always do! XD
Nope.
Lesson from this story is "Install those Leenuux and never revert to shitty proprietary OS'es again".
Tang Nhat you don't know that there are many exploits for Linux; just because they don't leak doesn't mean it is safe. It's an NSA exploit with slight modification. Linux runs on servers, so if that code leaks, surely the black hats will modify that code too.
When you wrote "it's NSA exploit" did you mean "it's NSA prebuilt-in backdoor"? Because that's what it looks like.
Surely Linux has exploits, but mostly in third-party packages (such as Samba).
Computer scientists: The solution to viruses?
Kiddo: Vaccin-
Computer scientists: Antivirus
I used Linux.
I do not use wine x) but true fact I guess?
Why would you use wine for SMB?
Wine is used very little if at all. Unix already has as good a general software selection as Windows, so you will need Wine only in very marginal cases.
@equivalent most 'free' software developed for Linux and other Unix OSes is extremely amateurish though. Most professional software is only available for Windows and/or Mac
Supposedly the kill switch is there to defeat people from studying the virus in virtual machines. In a virtual machine, all domains will appear to exist, so if the program checks for a domain that *shouldn't* exist and it comes back positive, it can tell it's in a virtual machine and stop working so it can't be studied. It's a nifty idea but easily defeated once figured out.
My girlfriend ransomware. I wannacry
The reason the kill switch was implemented was to prevent testers from experimenting with and containing WannaCry. Typically, when trying to see how a virus works, it is placed in an isolated computer environment that is set to automatically answer any request an infected computer would make to the internet. If you try to test WannaCry, it tries to get a response from that bogus URL. If it gets a response, it knows it is in a test environment, shuts down, and tries to delete itself. When that person registered that domain and put a server on it that responded to WannaCry, the ransomware destroyed itself.
NSA triggered it due to what they were allowed to do while Obama knowingly stood by and let them loose. Thanks, Obama!
The Creep you're right, no presidents before him helped them ^^
You're right, it's only the fact everything the NSA did was blown wide open, Obama did nothing, and didn't pardon Snowden or any other leakers that came forward.
Hearing people describe Obama's presidency as "scandal-free" is always hilarious to me, as between his agencies running amok and the mishandling of crises like the 2008 crash, a lot of stuff is being ignored to make that claim.
Nick Johnson man, if only we cared. Pretty sure no one here mentioned obama being "scandal free"
Registering the domain was not exactly a signal. When WannaCry attacks a computer, it refers to a certain domain address to see if it is up. If the domain is running, the virus is still inside the computer, it just doesn’t encrypt the file system
That's why I love my MacBook.
Mohammed thats why i don't have a pc
saving up for vaio white laptop.
Just need 400 monei
Wizard Cat and you can buy *lazy to do math* of those 4$ phones
Because you like a childproof operating system
Mohammed it's not immune
Mohammed and I have my linux.
5:00 this was the first time we have tangible evidence that a law enforcement agency colluded with a private company to include a weakness in software plenty of people don't have a choice to not use.
Or, here's a thing, don't use a crappy OS
You'd think the NSA would be held accountable for their blunder.
One of the reasons people have been avoiding Microsoft updates is because the company has developed a nasty habit of putting "telemetry" tools in them, and not telling users just what information is being sent back to the company (outside of vague terms like "keystrokes"). Not to mention Win10's grouped updates that have gone so far as to brick some systems.
Maybe WannaCry didn't want to make that much damage... maybe they were just trying to teach us all a very important lesson in a VERY effective manner.
Would upping your recording frame rate help with green screen artifacts? You could still upload with 30fps, or whatever your default is, but when removing the green screen, you would have less motion blur...
The "kill switch" was probably a last resort effort if the virus started causing major damage to systems they didn't want it to actually mess with. For example: the files that contained all the encryption keys.
It's possible that the "kill switch" is actually intended to detect if it's a VM - a VM may still report the website even if it wasn't registered, so in that case, it doesn't activate specifically to confuse security researchers trying to run it in a sandbox to figure out how it worked.
I'm late to watching this video, but I just wanted to comment and say thank you for the explanation that was easy to understand. I don't know much about computers, but you explained this in a way that I could grasp.
The "killswitch" domain is a pattern used to bypass virus scans. Simply put, it's a way for the virus to know if it is executed by a sandbox (antivirus) or the OS itself. If it's a sandbox (antivirus), the virus doesn't activate and thus, bypasses it.