Vulnerabilities / Threats

10:00 AM
Marta Janus
Marta Janus
Connect Directly
E-Mail vvv

Kill Switches, Vaccines & Everything in Between

The language can be a bit fuzzy at times, but there are real differences between the various ways of disabling malware.

The concept of malware kill switches hit the mainstream in May, when a now-controversial figure in the cybersecurity community managed to halt the spread of WannaCry by registering a domain contained in the ransomware's propagation payload. However, there is still some confusion about what warrants the term "kill switch" and what doesn't. When talking about self-disabling mechanisms in malware, it's important to first distinguish between actual kill switches and so-called "vaccines."

What Constitutes a True Kill Switch?
A kill switch is designed to stop malware from spreading, remove malware and traces of malicious activity from the system, or shut down the command and control infrastructure. These kill switches might be implemented for many reasons. Most often, they serve as a quick way out for attackers in case things go wrong. In the case of something like an eavesdropping campaign, the attackers may use a kill switch to cease their activities and cover their tracks once they've obtained the information they need. These kill switches are fully intentional and provide a level of protection that benefits the attackers, even if there is a possibility of "white hat" researchers using these mechanisms to disrupt malicious campaigns.

A kill switch might also be intentionally implemented during the testing phase of highly spreadable malware. If the attackers were to spot a premature outbreak, they could stop it before it became broadly noticed while continuing to work on developing the malware. Embedding kill switches inside the malware body is not a common practice and usually occurs in more sophisticated examples.

Vaccines are quite different from kill switches in implementation and purpose. A vaccine is basically a technique that can prevent particular malware from infecting a particular system. Such a technique might involve creating a file in a specific location with a specific name and attributes, or creating specific registry keys, values, or system mutexes (that is, programming objects used to share resources between multiple programs). Most families of malware would not install themselves on machines that have already been infected with the same malware and check for infection symptoms — such as files, registry entries, and mutexes — before proceeding with installation. If the potential victim knows the specific symptoms for a given infection in advance, he or she can take measures to "vaccinate" their machine.

We've seen examples of both kill switches and vaccines in recent ransomware attacks. The initial WannaCry samples were equipped with a built-in kill-switch mechanism, while the Petya malware merely checked for its own presence before infecting the system (which is a form of vaccine).

Don't Rely on Discovering a Magic Bullet
Companies should never rely on the existence of a malware-embedded kill switch in case of an outbreak. They should instead take steps to prevent the infection in the first place. Vaccines can be effective against a particular strain of malware but are totally unreliable in the case of polymorphic viruses or frequently updated malware. Moreover, it's physically impossible to apply vaccines for all existing malware to a single machine.

To significantly mitigate the risk of an outbreak, businesses should protect their computers using a sophisticated malware-protection platform, available from a number of vendors, and keep all their systems and software fully up to date. Malware commonly uses vulnerabilities in outdated software as an initial infection vector, so businesses can prevent a great percentage of attacks by applying all updates as soon as they are released. A reliable anti-malware solution should be able to detect and remove threats that can bypass a fully updated system.

The Human Factor
Many businesses tend to treat security as an unnecessary burden until the moment they experience severe inconvenience or loss due to malware. Ignorance, lack of diligence, and human error are major vulnerabilities that greatly increase the odds of a devastating malware attack.

Mitigating risk related to human error requires a few simple steps. If implemented daily, these steps could prevent a great portion of security breaches:

  1. Regularly update the operating system and all running software.
  2. Keep regular backups of all sensitive files.
  3. Use anti-malware solutions, firewalls, content scanning, etc.
  4. Be vigilant when dealing with emails and online content (for example, don't open attachments from unknown senders or click on any link sent via Instant Messenger).
  5. Invest in comprehensive security measures and recovery plans, as well as education for employees on the basic cybersecurity do's and don'ts.

Basic best practices are the best defense against cyberattacks, even if some attacks remain unavoidable for the time being. WannaCry and Petya, which were both based on the patched EternalRocks exploit, proved that even previously disclosed vulnerabilities can cause significant damage. By getting smart about common misconceptions and sticking to the information security basics, businesses can make significant progress toward reducing risk.


Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Related Content:


Marta Janus is a Senior Principal Threat Researcher at Cylance Inc. Marta is an experienced malware researcher and reverse engineer with more than eight years of experience in the anti-malware industry. Prior to Cylance, she was a senior security researcher for Kaspersky Lab. ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
8/17/2017 | 10:47:38 AM
Backups are 1/2 of the puzzle
As an independent consultant, I had off-site systems dedicated to evening backups of my various accounts, a single Dell computer dedicated to account and perfoming remote night backup of server to station.  This saved one 501C3 account that got destroyed by cryppolocker in 2014.  I recovered and restored 98% of serve-workstation data in 3 hours.  The other half of my argument is that backups are great AND when you NEED THEM at 2am, they will often FAIL or be applied wrong because, well, I am not thinking square at 2am either.  TEST TEST and test them to make SURE you have (a) reliable comprehensive backups that (b) WORK when you need them too.  Otherwise, your best efforts are doomed to fail at a crucial time.  "People never plan to fail - but they often fail to plan." - George S. Patton
Who Does What in Cybersecurity at the C-Level
Steve Zurier, Freelance Writer,  3/16/2018
New 'Mac-A-Mal' Tool Automates Mac Malware Hunting & Analysis
Kelly Jackson Higgins, Executive Editor at Dark Reading,  3/14/2018
(ISC)2 Report: Glaring Disparity in Diversity for US Cybersecurity
Kelly Jackson Higgins, Executive Editor at Dark Reading,  3/15/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.