The concept of malware kill switches hit the mainstream in May, when a now-controversial figure in the cybersecurity community managed to halt the spread of WannaCry by registering a domain contained in the ransomware's propagation payload. However, there is still some confusion about what warrants the term "kill switch" and what doesn't. When talking about self-disabling mechanisms in malware, it's important to first distinguish between actual kill switches and so-called "vaccines."
What Constitutes a True Kill Switch?
A kill switch is designed to stop malware from spreading, remove malware and traces of malicious activity from the system, or shut down the command and control infrastructure. These kill switches might be implemented for many reasons. Most often, they serve as a quick way out for attackers in case things go wrong. In the case of something like an eavesdropping campaign, the attackers may use a kill switch to cease their activities and cover their tracks once they've obtained the information they need. These kill switches are fully intentional and provide a level of protection that benefits the attackers, even if there is a possibility of "white hat" researchers using these mechanisms to disrupt malicious campaigns.
A kill switch might also be intentionally implemented during the testing phase of highly spreadable malware. If the attackers were to spot a premature outbreak, they could stop it before it became broadly noticed while continuing to work on developing the malware. Embedding kill switches inside the malware body is not a common practice and usually occurs in more sophisticated examples.
Vaccines are quite different from kill switches in implementation and purpose. A vaccine is basically a technique that can prevent particular malware from infecting a particular system. Such a technique might involve creating a file in a specific location with a specific name and attributes, or creating specific registry keys, values, or system mutexes (that is, programming objects used to share resources between multiple programs). Most families of malware would not install themselves on machines that have already been infected with the same malware and check for infection symptoms — such as files, registry entries, and mutexes — before proceeding with installation. If the potential victim knows the specific symptoms for a given infection in advance, he or she can take measures to "vaccinate" their machine.
We've seen examples of both kill switches and vaccines in recent ransomware attacks. The initial WannaCry samples were equipped with a built-in kill-switch mechanism, while the Petya malware merely checked for its own presence before infecting the system (which is a form of vaccine).
Don't Rely on Discovering a Magic Bullet
Companies should never rely on the existence of a malware-embedded kill switch in case of an outbreak. They should instead take steps to prevent the infection in the first place. Vaccines can be effective against a particular strain of malware but are totally unreliable in the case of polymorphic viruses or frequently updated malware. Moreover, it's physically impossible to apply vaccines for all existing malware to a single machine.
To significantly mitigate the risk of an outbreak, businesses should protect their computers using a sophisticated malware-protection platform, available from a number of vendors, and keep all their systems and software fully up to date. Malware commonly uses vulnerabilities in outdated software as an initial infection vector, so businesses can prevent a great percentage of attacks by applying all updates as soon as they are released. A reliable anti-malware solution should be able to detect and remove threats that can bypass a fully updated system.
The Human Factor
Many businesses tend to treat security as an unnecessary burden until the moment they experience severe inconvenience or loss due to malware. Ignorance, lack of diligence, and human error are major vulnerabilities that greatly increase the odds of a devastating malware attack.
Mitigating risk related to human error requires a few simple steps. If implemented daily, these steps could prevent a great portion of security breaches:
Basic best practices are the best defense against cyberattacks, even if some attacks remain unavoidable for the time being. WannaCry and Petya, which were both based on the patched EternalRocks exploit, proved that even previously disclosed vulnerabilities can cause significant damage. By getting smart about common misconceptions and sticking to the information security basics, businesses can make significant progress toward reducing risk.
Marta Janus is a Senior Principal Threat Researcher at Cylance Inc. Marta is an experienced malware researcher and reverse engineer with more than eight years of experience in the anti-malware industry. Prior to Cylance, she was a senior security researcher for Kaspersky Lab. ... View Full Bio