Live map: https://intel.malwaretech.com/WannaCrypt.html
Relevant MS security bulletin: https://technet.microsoft.com/en-us/library/security/ms17-01...
Edit: Analysis from Kaspersky Lab: https://securelist.com/blog/incidents/78351/wannacry-ransomw...
Wouldn't you want to hide a kill switch?
How is he able to add new supernodes to the cluster? I would expect a supernode to have some sort of credentials that are used for authentication. If not, isn't it possible to neutralize the botnet by overloading it with supernodes that don't send malicious commands?
So in some cases the only requirement for a node to be a supernode is that it can receive incoming connections. I take this to mean that any computer that is 1. infected with the botnet program and 2. able to receive incoming connections becomes a supernode. Under those circumstances, there's no need to reverse engineer the botnet program; all you have to do is set up a vulnerable computer, allow it to be compromised and infected, becoming a supernode, and then monitor the traffic of incoming connections.
He later mentions that supernodes can be filtered based on "age, online time, latency, or trust." This tells me that certain botnets do have a level of trust that is defined in each peer list.
I believe your last question refers to the concept of sinkholing or blackholing. These methods have been used by the FBI to take down botnets through DNS hijacking, I think.
This would just discover supernodes though, right? Or does any node at some point broadcast as a supernode?
From what I understand the process is:
1. Write a program to pretend to be a compromised peer requesting a connection to a Supernode in order to obtain a peer list of other Supernodes.
2. Recursively crawl for existing Supernodes + the list of Supernode IPs. Store all addresses found.
3. Set up one or more Supernodes and 'infiltrate' the peer list of already established Supernodes. Log incoming connections from Workers.
I'm just curious and would like someone with more experience to weigh in.
EDIT: To add further to my question, I wonder why it does not use a terrain / city / province overlay instead of all black? It seems it would be much more useful to us network and sysadmins out there, just in case we realized "Oh, hey, that dot is right on top of where we work out of. I should probably fire up Wireshark or something and test for infected systems."
It uses a vulnerability in a protocol that's used for network sharing, and that's usually blocked at your router.
... the lab with ties to Russian intelligence, who are suspected of leaking the NSA tools.