Marta Janus
Kill Switches, Vaccines & Everything in Between

The language can be a bit fuzzy at times, but there are real differences between the various ways of disabling malware.

The concept of malware kill switches hit the mainstream in May, when a now-controversial figure in the cybersecurity community managed to halt the spread of WannaCry by registering a domain contained in the ransomware's propagation payload. However, there is still some confusion about what warrants the term "kill switch" and what doesn't. When talking about self-disabling mechanisms in malware, it's important to first distinguish between actual kill switches and so-called "vaccines."

What Constitutes a True Kill Switch?
A kill switch is designed to stop malware from spreading, remove malware and traces of malicious activity from the system, or shut down the command and control infrastructure. These kill switches might be implemented for many reasons. Most often, they serve as a quick way out for attackers in case things go wrong. In the case of something like an eavesdropping campaign, the attackers may use a kill switch to cease their activities and cover their tracks once they've obtained the information they need. These kill switches are fully intentional and provide a level of protection that benefits the attackers, even if there is a possibility of "white hat" researchers using these mechanisms to disrupt malicious campaigns.

A kill switch might also be intentionally implemented during the testing phase of highly spreadable malware. If the attackers were to spot a premature outbreak, they could stop it before it became broadly noticed while continuing to work on developing the malware. Embedding kill switches inside the malware body is not a common practice and usually occurs in more sophisticated examples.

Vaccines are quite different from kill switches in both implementation and purpose. A vaccine is a technique that prevents a particular piece of malware from infecting a particular system. It might involve creating a file in a specific location with a specific name and attributes, or creating specific registry keys, values, or system mutexes (that is, programming objects used to share resources between multiple programs). Most malware families will not install themselves on a machine that is already infected with the same malware, so they check for infection symptoms — such as files, registry entries, and mutexes — before proceeding with installation. If potential victims know the specific symptoms of a given infection in advance, they can plant those symptoms themselves to "vaccinate" their machines.

We've seen examples of both kill switches and vaccines in recent ransomware attacks. The initial WannaCry samples were equipped with a built-in kill-switch mechanism, while the Petya malware merely checked for its own presence before infecting the system (which is a form of vaccine).

Don't Rely on Discovering a Magic Bullet
Companies should never rely on the existence of a malware-embedded kill switch in case of an outbreak. They should instead take steps to prevent the infection in the first place. Vaccines can be effective against a particular strain of malware but are totally unreliable against polymorphic viruses or frequently updated malware, because any change to the markers the malware checks for defeats the vaccine. Moreover, it is impossible in practice to apply vaccines for all existing malware to a single machine.
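To make the vaccine mechanism described above concrete, and to show why it breaks down against an updated strain as noted in this section, here is an added Python simulation. It is not code from the original article, from Cylance, or from any real malware: the marker names are constructed for the example, and a marker file in a temporary directory stands in for the files, registry entries, or mutexes a real family would check before installing itself.

```python
"""Simulated infection-marker self-check and "vaccine" (added example).

Many malware families check for their own infection markers (a file,
registry key or mutex) and abort when they find one; a vaccine plants
that marker in advance. This stand-alone simulation uses a marker file
in a temporary directory as a stand-in for any such marker.
"""
import os
import tempfile

# Constructed marker names: stand-ins for the infection symptoms a given
# strain would leave behind. They belong to no real malware family.
MARKER_V1 = "example_strain_v1.marker"
MARKER_V2 = "example_strain_v2.marker"   # same family, updated build


def marker_present(directory: str, marker_name: str) -> bool:
    """Return True if the infection marker exists in `directory`."""
    return os.path.exists(os.path.join(directory, marker_name))


def vaccinate(directory: str, marker_name: str) -> str:
    """Plant the marker so a strain that checks for it believes the host
    is already infected. Returns the path that was written."""
    path = os.path.join(directory, marker_name)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("vaccine marker; safe to delete\n")
    return path


def simulated_install_check(directory: str, marker_name: str) -> bool:
    """Model of the self-check the article describes: installation proceeds
    only when the strain's own marker is absent. Returns True when the
    install would proceed (host unprotected), False when it would abort."""
    return not marker_present(directory, marker_name)


def demo() -> dict:
    """Run the scenario end to end and report each outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        # No marker yet: the simulated installer would proceed.
        before = simulated_install_check(tmp, MARKER_V1)
        vaccinate(tmp, MARKER_V1)
        # Marker planted: the same strain now backs off.
        after = simulated_install_check(tmp, MARKER_V1)
        # An updated build checks a different marker, so the old vaccine
        # offers no protection at all.
        updated = simulated_install_check(tmp, MARKER_V2)
    return {
        "before_vaccine": before,    # True
        "after_vaccine": after,      # False
        "updated_strain": updated,   # True
    }


if __name__ == "__main__":
    print(demo())
```

Running the script prints the three outcomes: the vaccine stops the strain whose marker it mimics and does nothing against the updated build, which is exactly why vaccines are a stopgap rather than a substitute for patching and layered anti-malware controls.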

To significantly mitigate the risk of an outbreak, businesses should protect their computers with a sophisticated malware-protection platform, available from a number of vendors, and keep all their systems and software fully up to date. Malware commonly uses vulnerabilities in outdated software as an initial infection vector, so businesses can prevent a large share of attacks by applying all updates as soon as they are released. A reliable anti-malware solution should be able to detect and remove threats that bypass even a fully updated system.

The Human Factor
Many businesses tend to treat security as an unnecessary burden until the moment they experience severe inconvenience or loss due to malware. Ignorance, lack of diligence, and human error are major vulnerabilities that greatly increase the odds of a devastating malware attack.

Mitigating risk related to human error requires a few simple steps. If implemented daily, these steps could prevent a great portion of security breaches:

  1. Regularly update the operating system and all running software.
  2. Keep regular backups of all sensitive files.
  3. Use anti-malware solutions, firewalls, content scanning, etc.
  4. Be vigilant when dealing with emails and online content (for example, don't open attachments from unknown senders or click on any link sent via Instant Messenger).
  5. Invest in comprehensive security measures and recovery plans, as well as education for employees on the basic cybersecurity do's and don'ts.

Basic best practices are the best defense against cyberattacks, even if some attacks remain unavoidable for the time being. WannaCry and Petya, which were both based on the patched EternalRocks exploit, proved that even previously disclosed vulnerabilities can cause significant damage. By getting smart about common misconceptions and sticking to the information security basics, businesses can make significant progress toward reducing risk.


Marta Janus is a Senior Principal Threat Researcher at Cylance Inc. Marta is an experienced malware researcher and reverse engineer with more than eight years of experience in the anti-malware industry. Prior to Cylance, she was a senior security researcher for Kaspersky Lab.

8/17/2017 | 10:47:38 AM
Backups are 1/2 of the puzzle
As an independent consultant, I had off-site systems dedicated to evening backups of my various accounts, a single Dell computer dedicated to the account and performing remote night backup of server to station.  This saved one 501C3 account that got destroyed by CryptoLocker in 2014.  I recovered and restored 98% of server-workstation data in 3 hours.  The other half of my argument is that backups are great AND when you NEED THEM at 2am, they will often FAIL or be applied wrong because, well, I am not thinking square at 2am either.  TEST TEST and test them to make SURE you have (a) reliable comprehensive backups that (b) WORK when you need them to.  Otherwise, your best efforts are doomed to fail at a crucial time.  "People never plan to fail - but they often fail to plan." - George S. Patton