All this code is doing is attempting to connect to the domain we registered: if the connection is not successful it ransoms the system; if it is successful the malware exits. The reason that was suggested is that the domain is a “kill switch” in case something goes wrong, but I now believe it to be a badly thought out anti-analysis. In certain sandbox environments traffic is intercepted by replying to all URL lookups with an IP address belonging to the sandbox rather than the real IP address the URL points to. A side effect of this is if an unregistered domain is queried it will respond as if it were registered (which should never happen). I believe the malware creators were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments, then once they see the domain responding, they know they’re in a sandbox and the malware exits to prevent further analysis. This technique isn’t unprecedented: the Necurs trojan queries five totally random domains, and if they all return the same IP it exits. However, because WannaCrypt used a single hardcoded domain, my registration of it caused all infections globally to believe they were inside a sandbox and exit... thus we unintentionally prevented the spread and further ransoming of computers infected with this malware. Of course now that we are aware of this, we will continue to host the domain to prevent any further infections from this sample. One thing that is very important to note is our sinkholing only stops this version of the ransomware, and there is nothing stopping them removing the domain check and trying again, so it’s incredibly important that any unpatched systems are patched as quickly as possible.
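To make the two checks in the quoted passage concrete, here is an added example (not code from the quoted post or its author) that models them with injected resolvers so it runs offline: the single hardcoded-domain check, the Necurs-style multi-domain check, and the self-test a sandbox operator can use to see whether their environment answers lookups for unregistered domains. The kill-switch domain name and all IP addresses are constructed placeholders, not the real values.

```python
# Added example (not the quoted post's code): models the DNS-based sandbox checks
# described in the text. Resolvers are injected (domain -> IP string or None),
# so it runs offline; all domains and addresses are constructed placeholders.
import secrets
from typing import Callable, Optional

Resolver = Callable[[str], Optional[str]]

# Placeholder standing in for the hardcoded kill-switch domain; not the real one.
KILL_SWITCH = "killswitch-placeholder.example"


def random_unregistered_domain() -> str:
    """Random label under .example, a TLD reserved by RFC 2606 so it can never
    be registered: an honest resolver must return no address for it."""
    return f"{secrets.token_hex(8)}.example"


def wannacry_style_check(resolve: Resolver, domain: str = KILL_SWITCH) -> str:
    """Single hardcoded domain: a successful lookup means the sample exits
    (it assumes a sandbox); a failed lookup means it proceeds to ransom."""
    return "exit" if resolve(domain) is not None else "ransom"


def necurs_style_check(resolve: Resolver, count: int = 5) -> bool:
    """Several random domains: sandbox suspected only when every lookup is
    answered and every answer is the same address."""
    answers = {resolve(random_unregistered_domain()) for _ in range(count)}
    return None not in answers and len(answers) == 1


def sandbox_fakes_dns(resolve: Resolver) -> bool:
    """Operator self-test: answering a lookup for a reserved, unregistered
    domain is the artifact both checks key off."""
    return resolve(random_unregistered_domain()) is not None


# Constructed resolvers standing in for three environments.
def internet_before_registration(domain: str) -> Optional[str]:
    return None  # kill-switch domain unregistered: nothing resolves


def internet_after_sinkhole(domain: str) -> Optional[str]:
    return "203.0.113.10" if domain == KILL_SWITCH else None  # only the sinkhole answers


def intercepting_sandbox(domain: str) -> Optional[str]:
    return "10.0.0.1"  # every lookup answered with the sandbox's own address
```

Running the three checks against the three resolvers shows why registering the domain stopped the hardcoded-domain variant everywhere, while a Necurs-style check would be unaffected by the sinkhole.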
The beauty of Bitcoin is not just its ability to anonymously and safely handle darknet market payments like the ones demanded by the now-popular ransomware WannaCry. Another interesting feature of Bitcoin is its ability to provide everyone else with detailed information about the number and amount of those payments, because the Bitcoin blockchain is public. WannaCry's Bitcoin addresses are hardcoded, which is kind of stupid but entertaining.

Bitcoin anonymity ends when you need to convert this virtual currency into good old bucks. However, there are still some options available to resolve this issue. First, you can keep the virtual currency and use it on darknet markets. Second, there are special tools called anonymizers which can mix multiple addresses and transactions in order to launder bitcoins. Currently, there are about 32 bitcoins on those accounts, which equals roughly $55,000. Here are the WannaCry Bitcoin accounts:
https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Any attempt to reanimate the plastic card will eventually fail. This is "walking dead" payment technology, even if seasoned with hi-tech add-ons such as an E-ink display or a fingerprint reader.
My new book Bitcoin for Nonmathematicians is now available in Amazon Kindle and B&N Nook ebook formats
Recently, I had a discussion about information security, and somebody asked me “how’s bitcoin actually related to information security?”
Here is how bitcoin is linked to information security. First, bitcoin is an alternative payment system, which was created in order to resolve the security problems of online payments, and theoretically can replace plastic cards everywhere, not just online. I hope everyone knows about the security problems of the payment card industry. If by any chance you don’t, read Hacking Point of Sale. Second, bitcoin’s own security is based on cryptography, which is one of the most important subjects of information security. If you want to know more about bitcoin cryptography, read Bitcoin for Nonmathematicians. And finally, bitcoin is currently one of the main methods of payment on darknet marketplaces where bad guys sell the results of bad information security: our stolen credit cards, medical records, bank accounts, etc. If you want to know more about the darknet and data breaches… Well, perhaps I should start writing a book about it.
This essay was previously published by City A.M. on December 17, 2015
Mobile payments became a hot topic at just about the time the first iPhone was introduced by Steve Jobs in 2007. Back then, experts in the payment, retail, telecommunication, and banking industries started thinking about the smartphone as a viable alternative to the physical wallet, suggesting many different technologies, but no one knew exactly what the winner was going to look like.
The only thing they knew for sure: traditional banks, payment brands (like Visa and MasterCard), and merchant payment processors (like First Data and Heartland) would remain an indefeasible part of the business. The game rules were changed in 2008 when Satoshi Nakamoto (whose real identity is still unknown) published a short white paper called Bitcoin: A Peer-to-Peer Electronic Cash System. The most important innovation of bitcoin is the fact that neither banks nor payment brands are necessary anymore in order to process secure and reliable electronic transactions between customers and merchants, both online and in store.

Merchant payment processors were taken out of the equation as well; however, the industry realised that, among other problems, bitcoin transaction processing time is too slow (at least 10 minutes) to compete in a brick-and-mortar merchant environment with plastic cards, which get approvals within milliseconds. Some intermediary should still exist between merchants and the blockchain in order to facilitate commercial-grade crypto payment processing, and so the gap was quickly filled by new payment processors specializing in blockchain technology, such as BitPay and Coinkite. Finally, the breakthrough cryptocurrency was more or less adapted to the harsh conditions of retail stores. But it still was not ready for the mainstream, due to the lack of convenience required in order to win the battle against plastic cards. Mobile phones were already used for in-store bitcoin transactions, but scanning a barcode from the point of sale display was not as elegant and simple as swiping or waving a plastic card.

So many people, myself included, were surprised when in 2014 Apple announced Apple Pay. Instead of creating anything revolutionary similar to blockchain, it fully relied on aging plastic cards and the outdated systems behind the scenes: magnetic stripe and chip & PIN card technologies that are at least 30–50 years old.

The super-complexity of the existing payment infrastructure was increased by adding another superstructure, which inevitably led to problems with reliability and security. The formula is simple: the more complex a system is, the more unreliable and insecure it becomes. We all know the truth about the “security” of plastic cards (think about mega breaches like Target). Apple Pay uses some technical “tricks” to hide the card number and communicate it securely between the iPhone and the bank, but here is the problem: Apple and other mobile payment solution providers such as Google and Samsung still “allow” us to keep those insecure magnetic stripe or chip & PIN cards. Consumers will continue using them because mobile payments are still not as common as plastic, merchants will continue accepting them, and while we are all still waiting for better technology, we will all be caught by the next generation of card data breaches.
My article in City A.M. about mobile and crypto payments: Apple Pay, one year later: Why mobile payments have failed to catch on as we're still looking for something better
This essay was previously published by VentureBeat on December 13, 2015
When Apple Pay was first announced back in September 2014, I was very enthusiastic about it. Finally, a dream come true! Someone, and not just someone but the biggest company in the world, had come up with a new generation of payment technology that would combine mobile and biometric forces. The long chain of disappointments, however, started almost immediately.
Disappointment 1

First, it turned out that the “new technology” was nothing more than a dexterous combination of our old, limping friends — plastic magnetic bank cards and EMV (EuroPay, MasterCard, Visa) chip cards — seasoned with shiny Touch ID (which isn’t a new technology either, to be honest). Well, I thought, remembering the classics, maybe there is nothing new under the sun and Apple Pay isn’t an exception. At least it provided a more convenient way of paying than the older predecessors it imitated behind the scenes. So I patiently waited for the upgrade (not timed with either an iPhone or a major iOS release) that would bring me Apple Pay.

Disappointment 2

While waiting for Apple Pay to arrive, I decided to learn more about the details of the new technology. But it turned out that Apple hadn’t bothered to provide an exact technical description of the Apple Pay components, which led to multiple speculations and concerns about its level of security. For example, it was unclear whether the actual card PAN (Primary Account Number) or its “scrambled” version was stored on the device.

Disappointment 3

Finally, Apple Pay arrived on October 20, 2014, and I managed to enter one of my cards. It did not accept all of my plastics, however. In fact, it did not accept (and still doesn’t) the one I use for day-to-day grocery shopping. No matter, I rushed to the closest grocery store to impress myself and the cashier.

Disappointment 4

Unfortunately, the store’s payment terminal ignored all my attempts to wave the phone along various trajectories. The cashier asked me what I was trying to do. When I explained, she did not seem to understand. Finally, I pulled out my card, finished the transaction, and headed to another store, where I experienced the same situation. It turned out that most merchants didn’t — and still don’t — support Apple Pay. Eventually, I found one that did and managed to make my first Apple Payment. It worked surprisingly quickly and smoothly.

Disappointment 5

However, problems began with my second or third payment. My transaction was declined. A second attempt did not help. The cashier told me I didn’t have enough money in my account. Since it was actually a debit card behind the Apple Pay mask, I started worrying about my bank account: had it been hacked? Fortunately, since I could not use Apple Pay in most stores, I still carried my plastic cards with me. So I swiped a card through Apple Pay (the same card that had been declined just a minute earlier), and, lo and behold, it passed. I thought the mistake was an occasional glitch that Apple would soon fix. But when I tried to use Apple Pay several days later, the result was exactly the same. That was my last try. I didn’t want to explain to skeptical cashiers anymore that I did actually have money in my account.

Now I am even more convinced that systems like Apple Pay, Android Pay, and Samsung Pay, which just pretend to be new technology but in fact are complicated (and therefore unreliable) superstructures based on multiple old mechanisms, must eventually be superseded by completely new things. For example, Bitcoin, or a future cryptocurrency technology based on the Bitcoin concept but supported and enhanced by the banking and payment industries, would be a good candidate for a universal payment system for several reasons. First, cryptocurrencies are open source protocols not linked to particular brands like Apple Pay or Android Pay, which makes them more attractive and accessible for everyone. Second, they are a totally new, revolutionary technology compared to magnetic stripes and even EMV, which are already 30–50 years old (remember that most existing mobile payment solutions are still using plastic cards underneath their shiny modern facades). Finally, Bitcoin, unlike plastic cards (and mobile payments!), is much more secure as it is based on strong cryptography and does not have a single point of failure in its implementation. At least in theory. But that is a topic for a separate discussion.

If you are not familiar with Tor yet, you should learn about it. In a nutshell, Tor is a system for anonymous Internet browsing. You can install the Tor software and browse the Internet anonymously. If you use Tor along with Bitcoin, you can enjoy Internet freedom and privacy. This is a Kickstarter project which is supposed to create a Tor hardware box. Anonabox should be safer and more convenient than the Tor software, as it routes all the traffic from your Ethernet connection through the Tor network.