by pfundstein 2227 days ago
This is a bit over the top. He is not a master hacker who "saved the Internet"; He accidentally neutered WannaCry by registering a domain he found in the binary, which as it turned out, acted as a kill switch.

> He accidentally neutered

He did not "accidentally neuter WannaCry". He stopped WannaCry by registering the kill-switch domain. Nothing accidental about that.

> He is not a master hacker

He is a kid. What makes his experience interesting, and his story worth listening to, is that he had first-hand experience with the legal system as a hacker that went too far (because he is/was a kid). That is worth more than the armchair analysis of law (by wannabe script kiddies and theoretical security experts).

He named his own blogpost of the incident "How to Accidentally Stop a Global Cyber Attacks". He thought it was trying to spread like a worm, and they followed standard procedure to register the domain and black hole the traffic.

https://www.malwaretech.com/2017/05/how-to-accidentally-stop...

It is 100% accidental. He registered a domain he observed being queried from his analysis system. He did not figure out what the purpose of this domain was before registering it. One of three options:

- Act as a centralised C2.

- Act as a kill-switch (this is what happened).

- Act as a dead-man trigger, destroying the host system.

Even if the third option is not as likely as the first one, the repercussions had he been wrong would have been severe.

He didn't know it was the kill-switch domain. He expected it would enable him to kill the malware, though, and was trying to figure out how to send the kill command before it turned out that simply sitting a server behind the domain was enough to kill it.
I mean, how does one solve a problem with unknowns? You try different things until you make some progress and work from there. Turns out he didn't have to do more than register the domain, but just because the problem turned out to be simple to resolve doesn't make solving it an accident.
What a pointlessly flippant argument. Hutchins discovered, and engaged, the WannaCry killswitch. Irrevocable fact.
The question is, what would he have done if it wasn't a kill switch, but happened to be a server that received bitcoin payments from ransomware victims?

He was still selling banking trojans the year before, so who knows?

Nobody ever knows something until they do it. I don't understand what you are trying to say.
The same thing as everyone who's replied so far: that he deserves at least some of the credit for achieving what he set out to do.
>Nothing accidental about that.

He didn’t know it was the kill-switch domain, seems pretty accidental to me.

His goal was to kill the malware. Registering the (unclaimed) domain in the binary was supposed to be step 0 to this. Such a domain would almost certainly act as a control center of some sort. You can claim it while it's still available and analyze the malware or even just the traffic reaching your domain to try and neuter it. Even if there's no killswitch, maybe sending invalid data will cause the malware to malfunction and effectively stop its spread for example.

The fact that just registering the domain killed WannaCry wasn't expected, but his intent was to kill the virus from the start, that's no accident.

Also, I think the key point to reflect on here, Marcus had the domain knowledge and intuition to know where to start hacking literally within minutes/hours of plugging back in and getting the source.
"Would almost certainly", yeah, in most cases. But, and this is something that didn't get talked about enough, what if registering the domain actually caused the malware to nuke the host system instead? Think of it as a kill-switch to deter malware researchers that only superficially reverse-engineered a sample before jumping to action. Viewed from that light, just registering the domain because you saw your sandbox talk to it looks more than reckless...
We're talking about WannaCry here. It's ransomware that already more or less nukes the host system. It encrypts the files with strong encryption, which is the same as shredding them if you don't have the ransom money. Sure, the malware author could go further and harm the system physically (e.g. forcefully overheat the CPU or something), but that's actually surprisingly hard to do reliably ^^.

Besides, history tells us that such malware won't really have "nuking" functionality. Gating it on the presence of a server is ridiculous, and it would be found out eventually when the virus runs in a weird environment where, for instance, every DNS query resolves (e.g. hotel WiFi).
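The two technical points in this exchange, that a registered domain lets you see the infection "just from the traffic reaching your domain", and that an environment where every DNS query resolves defeats a DNS-gated check, are easy to make concrete. The following is an added example, not code from the thread or from MalwareTech: a small triage script for a sinkhole's DNS query log that counts unique source hosts querying the registered domain, plus a probe that tells an analyst whether their sandbox resolver answers every name. The domain name, the log format (a simplified BIND-style query log) and the sample lines are all constructed placeholders, not the real WannaCry domain or real data.

```python
"""Sinkhole DNS log triage and a wildcard-resolver probe (added example, constructed data)."""
import re
import secrets
from collections import Counter
from datetime import datetime
from ipaddress import ip_address

# Placeholder for the registered kill-switch domain (assumption; not the real WannaCry domain).
KILL_SWITCH_DOMAIN = "killswitch.example"

# Constructed sample log in a simplified BIND-style query-log format (not a real capture):
#   <timestamp> client <ip>#<port>: query: <name> IN <type>
SAMPLE_LOG = """\
12-May-2017 15:01:02.117 client 203.0.113.5#51321: query: killswitch.example IN A
12-May-2017 15:01:03.221 client 203.0.113.5#51322: query: killswitch.example IN A
12-May-2017 15:02:10.004 client 198.51.100.7#40001: query: www.example.org IN A
12-May-2017 15:02:44.879 client 198.51.100.23#61002: query: killswitch.example IN A
12-May-2017 15:03:00.500 client 192.0.2.77#53077: query: KillSwitch.Example. IN A
this line is not a query log entry
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\w+)$"
)


def normalize_name(name):
    """Lower-case and drop the trailing dot so 'KillSwitch.Example.' matches the domain."""
    return name.rstrip(".").lower()


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that are not query records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        src = ip_address(m.group("ip"))  # rejects garbage in the client field
    except ValueError:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f"),
        "src": str(src),
        "name": normalize_name(m.group("name")),
        "qtype": m.group("qtype"),
    }


def triage(log_text, domain=KILL_SWITCH_DOMAIN):
    """Summarise queries for the sinkholed domain: volume, distinct sources, per-minute rate."""
    domain = normalize_name(domain)
    hits, unparsed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["name"] == domain:
            hits.append(rec)
    per_minute = Counter(r["ts"].strftime("%Y-%m-%d %H:%M") for r in hits)
    return {
        "queries": len(hits),
        # Each distinct source is one host that ran the sample far enough to reach the check.
        "unique_sources": sorted({r["src"] for r in hits}),
        "per_minute": dict(per_minute),
        "unparsed_lines": unparsed,
    }


def wildcard_resolver_suspected(resolves, probes=3):
    """Return True if the resolver answers random names under the reserved '.invalid' TLD.

    'resolves' is a callable name -> bool (injected so this runs offline). Names under
    '.invalid' never resolve in real DNS, so a resolver that answers all of them behaves
    like a captive portal or a catch-all sandbox, where a DNS-gated check gives no signal.
    """
    names = [f"probe-{secrets.token_hex(8)}.invalid" for _ in range(probes)]
    return all(resolves(n) for n in names)


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    print("catch-all resolver:", wildcard_resolver_suspected(lambda name: True))
```

Running it on the constructed log reports 4 queries from 3 distinct sources (the mixed-case, trailing-dot variant still counts) and one unparsed line; the resolver probe returns True for a resolver that answers everything and False for one that only answers real names, which is the "hotel WiFi" situation the comment above describes.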

Isn't the first thing anyone would do when coming across such a domain in a malware binary to check whether it is claimed (and if not, who here wouldn't register it, even just to see what happens)? I mean, we can argue over the semantics of "accidental", but imo you can't accidentally register a domain?
I totally agree. Most of innovation is "I wonder if..." and then you do something and see what happens. Him registering the domain was based on research; it killing WannaCry was based on research and a bit of luck, just like most things.
> He is not a master hacker

Those who have watched his reverse engineering malware live streams would beg to differ.

To anyone in the biz, those live streams should reinforce the fact that Hutchins is little more than a script kiddie.

He does have a lot of young, inexperienced followers however, who can't tell the difference and are willing to take him at his word.

Hutchins is a media creation. The hype around him and especially his portrayal as a hero is absolute fiction.