I was tracking Wannacrypt over the weekend and had an idea that I felt could be rolled out quickly. Listing it out as succinctly as possible:
- Everything essentially hinges on the killswitch: an unregistered domain in the code.
- Encryption and further execution stop if the domain specified in the code resolves and an HTTP connection is established.
- The killswitch domain name in the WannaCry code has changed, which means sinkholing just one or two domain names will not work.
- So what if we could resolve all unregistered domains to a honeypot?
- DNS by nature cannot be gamed to do this, as it would cause havoc.
- MaxMind GeoIP has a domain name database.
- Write a small drop-in replacement DNS server that uses a local copy of this database.
- The drop-in DNS server sits in front of the actual organization DNS server.
- It checks the domain name in the MaxMind DB.
- If found in the DB, it lets the request pass on to the actual DNS server, or replies itself.
- If not found, our drop-in DNS server replies with a honeypot IP.
- The honeypot IP runs an HTTP server and allows the HTTP connection.
- The HTTP connection happens and the killswitch is activated; Wannacrypt/WannaCry stops execution.
This can be configured dynamically by pointing the DNS IP at our drop-in application server. Later, as the dust settles, the further course of action can be decided.
Potential to provide clients with a solution that is not available so far. The effect on the normal working of applications is nil. It can be explained to clients in an advisory.
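The drop-in resolver logic from the list above, written out as an added example for this post (it is not code from the original, and nothing here is the MaxMind software). It assumes a small constructed set standing in for the domain database, an assumed honeypot address 10.0.0.5 and an assumed upstream resolver 10.0.0.53; A queries for names not in the set get the honeypot address, everything else is forwarded unchanged.

```python
import socket
import socketserver
import struct

KNOWN_DOMAINS = {"example.com", "microsoft.com"}  # constructed stand-in for the domain database
HONEYPOT_IP = "10.0.0.5"                          # assumed address of the HTTP honeypot
UPSTREAM_DNS = ("10.0.0.53", 53)                  # assumed real organization resolver

def build_query(txid: int, name: str) -> bytes:
    """Encode a standard recursive A/IN query for name (used by the test)."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack(">HH", 1, 1)

def parse_question(packet: bytes) -> tuple[str, int, int]:
    """Return (lowercased name, qtype, offset just past the question section)."""
    pos, labels = 12, []  # the 12-byte header precedes the question
    while packet[pos] != 0:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype = struct.unpack(">H", packet[pos + 1:pos + 3])[0]
    return ".".join(labels).lower(), qtype, pos + 5  # skip root label, QTYPE, QCLASS

def is_known(name: str) -> bool:
    """Crude check on the last two labels; real use needs a public-suffix list (assumption)."""
    return ".".join(name.split(".")[-2:]) in KNOWN_DOMAINS

def sinkhole_response(query: bytes, ip: str) -> bytes:
    """Answer an A query with ip: copy the question back, then one A record."""
    _, _, qend = parse_question(query)
    header = query[:2] + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0)  # QR,RD,RA; 1 question, 1 answer
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4)  # name pointer, A, IN, TTL 60, RDLENGTH 4
    return header + query[12:qend] + rr + bytes(int(o) for o in ip.split("."))

def resolve(query: bytes) -> bytes:
    """Drop-in logic: A queries for unknown names get the honeypot, all else goes upstream."""
    name, qtype, _ = parse_question(query)
    if qtype == 1 and not is_known(name):
        return sinkhole_response(query, HONEYPOT_IP)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as up:
        up.settimeout(2)
        up.sendto(query, UPSTREAM_DNS)
        return up.recv(512)

class Handler(socketserver.BaseRequestHandler):
    def handle(self):
        data, sock = self.request
        sock.sendto(resolve(data), self.client_address)

if __name__ == "__main__":  # listen on an unprivileged port for the example
    socketserver.UDPServer(("0.0.0.0", 5353), Handler).serve_forever()
```

Point a test client at UDP port 5353 to try it; the forwarding path needs the upstream resolver reachable, the sinkhole path does not.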