Saturday, August 5, 2017

The Killswitch story feels like bullshit

If you haven't watched the INFILTRATE keynote from Stephen Watt here then you need to do that, especially if you are a lawyer who specializes in cyber law. INFILTRATE is where you hear about issues that will affect the community in the future, and you should register now! :)

But let me float my and others' initial feeling when MalwareTech got arrested: the "killswitch" story was clearly bullshit. What I think happened is that MalwareTech had something to do with Wannacry, and he knew about the killswitch, and when Wannacry started getting huge and causing massive amounts of damage (say, to the NHS of his own country) he freaked out and "found the killswitch". This is why he was so upset to be outed by the media.

Being afraid to take the limelight is not a typical "White Hat" behavior, to say the least.

That said, we need to acknowledge the strategic impact law enforcement operations as a whole have on national security cyber capabilities, and how the lighter and friendlier approach of many European nations avoids the issues we are having here in the States.

Pretty much every infosec professional (yes, even the ones in the IC!) knows people who have been indicted for computer crimes now. And in most of those cases, the prosecution has (as in the video above) operated in what is essentially an unfair, merciless way, even for very minor crimes. This has massive strategic implications when you consider that the US Secret Service and FBI often compete with Mandiant for the handling of computer intrusions, and that the people making the decisions about which information to share with Law Enforcement have an extremely negative opinion of it.

In other words: Law Enforcement needs to treat hacker cases as if they are the LAPD prosecuting a famous actor in LA. Or at least, that's the smartest thing to do strategically, and something the US does a lot worse than many of our allies.


  1. If it smells like bullshit it probably is.

  2. This comment has been removed by the author.

  3. As a wise man once said: PoC||GTFO.

    > The Killswitch story feels like bullshit

    The steps taken to locate the so called "killswitch" were trivial for any slightly experienced security researcher. I had a brief look at the samples myself and found the mentioned domain, and I'm nowhere near the level of Marcus. Again, this was not a big deal for any seasoned malware reverser, as was pointed out multiple times.

    > Being afraid to take the limelight is not a typical "White Hat" behavior, to say the least.

    At risk of making you even more skeptical, I think this boils down to modesty and safety. I haven't met many people who went from being rather unknown to a global phenomenon while happily embracing the worldwide media as soon as being approached. In fact, those few who did were quickly labeled as "media whores". Let's be honest, if your day-to-day job is tracking botnets and sharing intel with .gov agencies, why would you want to have your real name / pictures / addresses online?

    While I have no proof to deny your theory, I think there are truly no arguments to support it either. If anything, this contributes even more to the FUD around this matter.

  4. I have to disagree with your assumption that the "killswitch" story was bull... I was in communication with "MalwareTech" at the time this was unfolding, and even though others thought registering the domain would trigger a larger attack, I followed the code as many others did, and confirmed it caused a sink (end of operation).
    I was one of the (many) folks that said I concurred with domain registration and that he could always pull the plug on it if we were mistaken.
    I watched as his discovery occurred at the same time that many reversers were finding the same thing. He simply had the stones to go for the domain registration.
    So, I am sorry to burst your bubble of conspiracy based on your ignorance of reverse engineering and the utter lack of having been in the fight as it unfolded, but such is the case, mate.

    1. Wholly agree; if he had suspicions he would be on the hook for Wannacry, he would not have entered the US. Plus, the indictment is about Kronos (although at the hearing it wasn't named).

  5. I agree with Dave. What kind of idiot criminal would set a "killswitch" in his malware? If their motivation and main goal was making money with ransomware, they shouldn't stop it. They were clever enough to worm the ETERNALBLUE 0day, spread it all around the world and encrypt all data. So why would he want to stop it with a dummy killswitch? Although criminals don't have any ethics or morals to stop the spreading of ransomware. Am I missing something?

    Look at NotPetya: no killswitch, not even a valid payment address, a fully destructive "wiper".

  6. Sandbox evasion?

  7. logic is not too strong in this post...