Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10:00 AM
Marta Janus
Marta Janus
Connect Directly
E-Mail vvv

Kill Switches, Vaccines & Everything in Between

The language can be a bit fuzzy at times, but there are real differences between the various ways of disabling malware.

The concept of malware kill switches hit the mainstream in May, when a now-controversial figure in the cybersecurity community managed to halt the spread of WannaCry by registering a domain contained in the ransomware's propagation payload. However, there is still some confusion about what warrants the term "kill switch" and what doesn't. When talking about self-disabling mechanisms in malware, it's important to first distinguish between actual kill switches and so-called "vaccines."

What Constitutes a True Kill Switch?
A kill switch is designed to stop malware from spreading, remove malware and traces of malicious activity from the system, or shut down the command and control infrastructure. These kill switches might be implemented for many reasons. Most often, they serve as a quick way out for attackers in case things go wrong. In the case of something like an eavesdropping campaign, the attackers may use a kill switch to cease their activities and cover their tracks once they've obtained the information they need. These kill switches are fully intentional and provide a level of protection that benefits the attackers, even if there is a possibility of "white hat" researchers using these mechanisms to disrupt malicious campaigns.

A kill switch might also be intentionally implemented during the testing phase of highly spreadable malware. If the attackers were to spot a premature outbreak, they could stop it before it became broadly noticed while continuing to work on developing the malware. Embedding kill switches inside the malware body is not a common practice and usually occurs in more sophisticated examples.

Vaccines are quite different from kill switches in implementation and purpose. A vaccine is basically a technique that can prevent particular malware from infecting a particular system. Such a technique might involve creating a file in a specific location with a specific name and attributes, or creating specific registry keys, values, or system mutexes (that is, programming objects used to share resources between multiple programs). Most families of malware would not install themselves on machines that have already been infected with the same malware and check for infection symptoms — such as files, registry entries, and mutexes — before proceeding with installation. If the potential victim knows the specific symptoms for a given infection in advance, he or she can take measures to "vaccinate" their machine.

We've seen examples of both kill switches and vaccines in recent ransomware attacks. The initial WannaCry samples were equipped with a built-in kill-switch mechanism, while the Petya malware merely checked for its own presence before infecting the system (which is a form of vaccine).

Don't Rely on Discovering a Magic Bullet
Companies should never rely on the existence of a malware-embedded kill switch in case of an outbreak. They should instead take steps to prevent the infection in the first place. Vaccines can be effective against a particular strain of malware but are totally unreliable in the case of polymorphic viruses or frequently updated malware. Moreover, it's physically impossible to apply vaccines for all existing malware to a single machine.

To significantly mitigate the risk of an outbreak, businesses should protect their computers using a sophisticated malware-protection platform, available from a number of vendors, and keep all their systems and software fully up to date. Malware commonly uses vulnerabilities in outdated software as an initial infection vector, so businesses can prevent a great percentage of attacks by applying all updates as soon as they are released. A reliable anti-malware solution should be able to detect and remove threats that can bypass a fully updated system.

The Human Factor
Many businesses tend to treat security as an unnecessary burden until the moment they experience severe inconvenience or loss due to malware. Ignorance, lack of diligence, and human error are major vulnerabilities that greatly increase the odds of a devastating malware attack.

Mitigating risk related to human error requires a few simple steps. If implemented daily, these steps could prevent a great portion of security breaches:

  1. Regularly update the operating system and all running software.
  2. Keep regular backups of all sensitive files.
  3. Use anti-malware solutions, firewalls, content scanning, etc.
  4. Be vigilant when dealing with emails and online content (for example, don't open attachments from unknown senders or click on any link sent via Instant Messenger).
  5. Invest in comprehensive security measures and recovery plans, as well as education for employees on the basic cybersecurity do's and don'ts.

Basic best practices are the best defense against cyberattacks, even if some attacks remain unavoidable for the time being. WannaCry and Petya, which were both based on the patched EternalRocks exploit, proved that even previously disclosed vulnerabilities can cause significant damage. By getting smart about common misconceptions and sticking to the information security basics, businesses can make significant progress toward reducing risk.


Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Related Content:


Marta Janus is a Senior Principal Threat Researcher at Cylance Inc. Marta is an experienced malware researcher and reverse engineer with more than eight years of experience in the anti-malware industry. Prior to Cylance, she was a senior security researcher for Kaspersky Lab. ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
User Rank: Ninja
8/17/2017 | 10:47:38 AM
Backups are 1/2 of the puzzle
As an independent consultant, I had off-site systems dedicated to evening backups of my various accounts, a single Dell computer dedicated to account and perfoming remote night backup of server to station.  This saved one 501C3 account that got destroyed by cryppolocker in 2014.  I recovered and restored 98% of serve-workstation data in 3 hours.  The other half of my argument is that backups are great AND when you NEED THEM at 2am, they will often FAIL or be applied wrong because, well, I am not thinking square at 2am either.  TEST TEST and test them to make SURE you have (a) reliable comprehensive backups that (b) WORK when you need them too.  Otherwise, your best efforts are doomed to fail at a crucial time.  "People never plan to fail - but they often fail to plan." - George S. Patton
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-16
The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch another, more focused att...
PUBLISHED: 2021-05-16
Denial-of-service (DoS) vulnerability in the Multi-Factor Authentication module in Liferay DXP 7.3 before fix pack 1 allows remote authenticated attackers to prevent any user from authenticating by (1) enabling Time-based One-time password (TOTP) on behalf of the other user or (2) modifying the othe...
PUBLISHED: 2021-05-16
The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after it is used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA challenge by reusing the same CAPTCHA answer.
PUBLISHED: 2021-05-16
Delta Industrial Automation CNCSoft ScreenEditor Versions 1.01.28 (with ScreenEditor Version 1.01.2) and prior are vulnerable to an out-of-bounds read while processing project files, which may allow an attacker to execute arbitrary code.
PUBLISHED: 2021-05-16
Cross-site scripting (XSS) vulnerability in the Asset module's categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the site name.