NB: Categorized as Networking Tutorial since this is a concept that uses networking. However, it might fall into malware or exploit dev as well. Admins, please change at your discretion.
Given the recent saga of WannaCry and the amazingly hilarious way it was foiled (for now), I think it’s apropos to take a moment to explain sinkholes. So what even is it?
A sinkhole domain is a domain registered (or seized) and used to redirect malware traffic away from its intended command and control servers.
Most malware, particularly ransomware, communicates with command and control servers (also called C2 or C&C) in order to receive instructions, updates, etc. Our fearless firefighters of the internet, malware researchers, figured out early on that they could register or seize a C&C domain and take control of a botnet for their own use. After reverse-engineering the malware, they will then often disable it by sending a command to disable the instances on infected nodes.
So what happened with WannaCrypt?
This is actually kind of funny. The MalwareTech blog post explains it in detail, but in the process of researching a sample of WannaCrypt, he discovered that it was calling out to a crazy “random” domain. When he checked to see if it was registered, he found it wasn’t and promptly registered it. Standard procedure. The funny part was what happened next: everything stopped and nobody quite knew why.
They had accidentally discovered a killswitch.
See, the normal process is something like:
- Register a sinkhole domain
- Survey for affected machines and reverse engineer malware
- Send disabling command to bots
As the blog post stated, steps 1-3 were actually rolled into just 1 this time. To see why the authors might have coded this, I encourage you to read the article for yourself. It’s a good one.
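To make steps 1 and 2 concrete, here is an added example (not code from the post or from MalwareTech) of the logic behind a DNS sinkhole: a resolver that answers queries for names the researcher controls with a sinkhole IP and records which client asked, which is exactly the "survey for affected machines" step. The sinkholed domain names, the sinkhole address 192.0.2.10 and the client IPs are all constructed for the example; the DNS wire-format handling uses only the standard library.

```python
"""Minimal DNS sinkhole (added example): answer A queries for controlled domains
with a sinkhole IP and log the querying client to survey infected hosts."""
import socket
import struct
from collections import defaultdict

SINKHOLE_IP = "192.0.2.10"  # assumption: documentation-range address for the sinkhole
# Constructed sample of domains the researcher has registered or seized.
SINKHOLED = {"c2.example.net", "killswitch.example.com"}

# sightings: queried name -> set of client IPs that asked for it
sightings = defaultdict(set)


def parse_qname(packet, offset=12):
    """Decode the QNAME labels starting at offset; queries do not use compression."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset


def is_sinkholed(name):
    """True if the name or any of its parent domains is under our control."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in SINKHOLED for i in range(len(parts)))


def build_query(name, qtype=1):
    """Build a standard A query packet; used here to feed constructed traffic."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def handle_query(packet, client_ip):
    """Return a response packet for sinkholed A queries; None means 'not ours'."""
    txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    name, end = parse_qname(packet)
    qtype, _qclass = struct.unpack("!HH", packet[end:end + 4])
    if qtype != 1 or not is_sinkholed(name):
        return None
    sightings[name].add(client_ip)  # step 2: every hit is a probably-infected host
    # Response header: QR=1, copy RD from the query, RA=1; 1 question, 1 answer.
    resp_flags = 0x8000 | (flags & 0x0100) | 0x0080
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, 1, 0, 0)
    question = packet[12:end + 4]
    # Answer: compression pointer to the name at offset 12, type A, class IN, TTL 60.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(SINKHOLE_IP)
    return header + question + answer


def answered_ip(response):
    """Extract the A record from a response produced by handle_query."""
    return socket.inet_ntoa(response[-4:])


def survey():
    """Summarize which clients resolved which sinkholed names."""
    return {name: sorted(ips) for name, ips in sightings.items()}


def serve(bind=("0.0.0.0", 5353)):
    """Serve sinkhole answers over UDP. Queries for other names are ignored here;
    a real deployment would forward them to an upstream resolver."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, (ip, port) = sock.recvfrom(512)
        resp = handle_query(data, ip)
        if resp:
            sock.sendto(resp, (ip, port))


if __name__ == "__main__":
    # Constructed traffic: one infected host beaconing, one benign lookup.
    handle_query(build_query("beacon.c2.example.net"), "10.0.0.5")
    handle_query(build_query("www.example.org"), "10.0.0.6")
    print(survey())
```

The subdomain match in `is_sinkholed` matters because malware often beacons to generated hostnames under the seized domain; answering only the exact apex would miss those hits, and the sightings table is what turns a registered domain into a list of machines to notify.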
Anyways, that's it. A sinkhole is just a way to redirect machines with malware to something controlled by someone other than the person who is supposed to be in charge.