Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

This may indeed be exactly what the authors of the next ransomware will do.

Two domains, one defuses the ransomware, the other detonates it.



> Two domains, one defuses the ransomware, the other detonates it.

And one of the domains will be called redwire[randomchars].com, and the other bluewire[randomchars].com. Which one do you sinkhole, the red wire or the blue wire?


You just test both in a disposable environment, and then you know which one to sinkhole publicly.

The researcher in this case registered the domain right away because he had experience that that creates a positive result. Once that sort of thing starts creating bad results, then researchers will start testing more carefully before grabbing domains.


This would be Very Bad if your ISP is one of those that intercepts NXDOMAIN responses and instead returns an A record to some other "helpful" thing... or some DNS provider that returns a "this site has been blocked by your administrators" page...


The article says this already is done in other malware.


Why? What would be the goal? If you're in ransomware business, why would you ever want to delete data before the scheduled time? You want to get paid instead.


The goal would be to prevent security researchers from preemptively registering all domains the malware connects to.

Although it was only a thought, with what `cesarb` mentioned in mind.


So you'd slow the researcher by a few minutes of extra disassembly time if they needed to be careful - what would the malware authors gain here? A few more potential payments in that timeframe? Same time could be invested in improving the sandbox detection instead of creating fun decoys that will be identified anyway. It was still only version 1, we'll see how v2 evolves.


> Same time could be invested in improving the sandbox detection

It isn't an either-or proposition, and the psychology of the conflict is important. If you force your opponent consider every possible move to be potentially dangerous, you slow them down by more than just the cost of the game with a domain name. And that's valuable.

Googling for "OODA Loop" might be helpful in thinking about this.


Wow! Thanks for mentioning OODA (https://en.wikipedia.org/wiki/OODA_loop), never heard of that before. That's a really intriguing concept... so many cogsci, ML, netsec, and game theory connections. While the wikipedia page is rather sparse, it's already added a few things to my reading pile.


One thing I was curious about as I read this was: are there not extenuating circumstances during which the domain registrar can seize a domain? If say, this domain that was unregistered had been registered, is the fact that it's controlled already mean that there's no way to reset it to a new registrar?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: