Sun Tzu says: “All warfare is based on deception”, and cyber warfare is no exception. Attackers and defenders alike are in a constant race of measures and countermeasures, each trying to deceive the other. In cyber warfare, as in any war, the most effective weapons are the ones the other side does not raise its shields against, perhaps does not even notice until it is too late.
Most successful cyber attacks go unnoticed, and that is exactly how they succeed. Someone gets spyware onto your PC; it collects whatever information it wants and then self-destructs. You will never know that this is how your credit card details were stolen. In fewer cases, such as ransomware like WannaCry, the malware certainly wants you to know it is there, but even then it sneaks onto your computer unnoticed and reveals itself only at the right moment.
One of the measures defenders use to protect computers from malware is the sandbox. A sandbox is a contained environment that makes the malware believe it has reached its target. The malware then activates and, in doing so, reveals itself without causing any damage. But malware developers are no fools. They know that sandboxes are out there, so they look for ways for their malware to detect that it is running in a sandbox, and to stay quiet until it is on a real computer it can harm.
In the case of WannaCry, the developers used a nifty trick to check whether the malware was in a sandbox. Because much malware needs an Internet connection to take commands and to send data out, many sandboxes are built to emulate any such connection, so the malware thinks it connected successfully while in fact all traffic stays inside the contained environment. WannaCry turned this against the sandbox: it tried to connect to an Internet address that did not really exist (an unregistered domain name). If the connection failed, the malware concluded it was on a real PC, not in a sandbox, and went ahead; if the connection succeeded, it assumed it was being watched and quietly exited.
At a certain point, a security researcher figured out what was going on, registered the domain that WannaCry was trying to reach, and created a sinkhole at that address. A sinkhole, as the name suggests, is simply something that accepts whatever is sent to it and sends it down the drain. Once the sinkhole was up, WannaCry got a response to its test connection even on a real PC, and so stayed dormant. Did that stop the attack? Not entirely, for two reasons. First, the trick only helps machines that can actually reach the domain: a PC with no direct Internet access (for example, behind a proxy the malware does not use) still sees a failed connection and still gets encrypted. Second, the attackers can easily release a new version with a different made-up domain, since the name has no real meaning and any of countless combinations will do. But the sinkhole did buy many users and sysadmins valuable time to patch and protect their computers.
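The kill-switch logic from the two paragraphs above, and what the sinkhole does to it, as an added example in Python. This is not WannaCry's code (the real sample is a Windows binary); it is a model with an injectable "reachability probe" so the same check can be run offline against a sandbox that fakes connectivity, the real Internet before and after the sinkhole, and a host with no direct Internet access. The domain name, the environment names, the DNS log format and the log lines are all constructed for the example.

```python
"""Kill-switch check as described above, and what a sinkhole does to it.

Added example, not WannaCry's code. The domain below is a placeholder
(assumption); the real sample used a different, much longer name.
"""
import socket
from typing import Callable, Dict, Iterable

# Placeholder for the "address that doesn't really exist" (assumption, not the real one).
KILL_SWITCH_DOMAIN = "kill-switch-placeholder.invalid"

# A reachability probe: True if a connection to the host appears to succeed.
Probe = Callable[[str], bool]


def kill_switch_says_run(probe: Probe, domain: str = KILL_SWITCH_DOMAIN) -> bool:
    """Inverted logic of the kill switch: run only when the domain is *unreachable*.

    A failed connection means "real network, nobody answers for a bogus name".
    A successful one means "something answered": a sandbox faking connectivity,
    or, after the sinkhole was set up, the real Internet.
    """
    try:
        reachable = probe(domain)
    except OSError:          # no route, no resolver: treated like a failed connection
        reachable = False
    return not reachable


def live_dns_probe(host: str) -> bool:
    """Probe against the real resolver (needs network; not used by the offline demo)."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False


def probe_for(registered: Iterable[str]) -> Probe:
    """Offline stand-in for the Internet: only registered names answer."""
    names = {n.lower() for n in registered}
    return lambda host: host.lower() in names


def sandbox_probe(host: str) -> bool:
    """Sandbox that emulates every connection, as described in the text."""
    return True


def no_network_probe(host: str) -> bool:
    """Host with no direct DNS/Internet access (e.g. behind a proxy the malware ignores)."""
    raise OSError("network unreachable")


def outcome_by_environment() -> Dict[str, bool]:
    """Does the payload run in each environment? True = encrypts, False = stays dormant."""
    before_sinkhole = probe_for(["microsoft.com", "windowsupdate.com"])
    after_sinkhole = probe_for(["microsoft.com", "windowsupdate.com", KILL_SWITCH_DOMAIN])
    return {
        "sandbox faking connectivity": kill_switch_says_run(sandbox_probe),
        "real PC before sinkhole": kill_switch_says_run(before_sinkhole),
        "real PC after sinkhole": kill_switch_says_run(after_sinkhole),
        "real PC, no direct Internet": kill_switch_says_run(no_network_probe),
    }


# Defender side: once the domain is known, DNS logs show which hosts ran the check.
# Constructed sample log (format is an assumption: "<timestamp> <client> <qname> <rcode>").
SAMPLE_DNS_LOG = f"""\
2017-05-12T10:01:02Z 10.0.4.17 windowsupdate.com NOERROR
2017-05-12T10:01:05Z 10.0.4.23 {KILL_SWITCH_DOMAIN} NXDOMAIN
2017-05-12T10:01:09Z 10.0.4.17 mail.example.org NOERROR
2017-05-12T10:03:41Z 10.0.4.51 {KILL_SWITCH_DOMAIN.upper()} NOERROR
"""


def hosts_that_queried(log_text: str, domain: str = KILL_SWITCH_DOMAIN) -> Dict[str, str]:
    """Clients that looked up the kill-switch domain, with the answer they got.

    Any hit means the malware ran on that client. NXDOMAIN means the check failed
    and the payload went ahead; NOERROR (sinkhole answering) means it stayed dormant.
    """
    hits: Dict[str, str] = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[2].lower() == domain.lower():
            hits[parts[1]] = parts[3]
    return hits


if __name__ == "__main__":
    for env, runs in outcome_by_environment().items():
        print(f"{env:30s} -> {'RUNS' if runs else 'stays dormant'}")
    print("hosts that queried the kill switch:", hosts_that_queried(SAMPLE_DNS_LOG))
```

The probe is injected rather than hard-wired to the network precisely because the whole trick is about what answers the connection attempt: swap in `live_dns_probe` and the same function becomes the real check. On the defender side, a DNS query for the kill-switch name is evidence of infection regardless of the answer; the answer only tells you whether that host was saved by the sinkhole or not.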
Sun Tzu says: “Know yourself and know your enemy, and you will not have to fear the outcome of a hundred battles”. In cyber warfare, a hundred battles are fought every minute, so understanding what is going on is all-important. It is an endless war, and entirely a battle of wits. But don't get it wrong: it is a real war with real damage and real casualties, so don't push your luck. Keep your computers updated with the latest OS patches, don't open suspicious links and files, and take all the other basic precautions, because sometimes the simplest defense is the best defense.
Great article.