UK Security Researcher Who Stopped WannaCry Outbreak Arrested in US (zdnet.com)
Zack Whittaker, reporting for ZDNet: A security researcher who in May stopped an outbreak of the WannaCry ransomware has been arrested and detained after attending the Def Con conference in Las Vegas. Marcus Hutchins, 23, a British national, was arrested at Las Vegas airport on Wednesday by US Marshals, several close friends confirmed to ZDNet. A friend told ZDNet that he "was pulled by Marshals at the lounge" after clearing security. He was briefly detained in a federal facility in Nevada until he was moved. "We went to see him this morning and we had already been moved," said the friend. Hutchins is now understood to be in custody at an FBI field office in the state. Motherboard first broke the story on Thursday. Update: A Motherboard reporter tweets, "Here's the indictment accusing @MalwareTechBlog of running the Kronos banking malware."
Update 2: New DOJ statement: Gregory J. Haanstad, United States Attorney for the Eastern District of Wisconsin, announced that on July 11, 2017, following a two-year long investigation, a federal grand jury returned a six-count indictment against Marcus Hutchins, also known as "Malwaretech," for his role in creating and distributing the Kronos banking Trojan.
Allegedly created Kronos. I'd like to see the actual indictment, so hopefully that will be up soon. http://money.cnn.com/2017/08/0...
He may have helped to stop it, but it begs the question... Did he have a hand in spreading it in the first place, or is this an unrelated charge?
It doesn't beg that question any more than it begs the question of why anyone who is a high profile security researcher would be stupid enough to travel to the US.
No question was begged. It raises the question. Begging the question is something else entirely. https://en.wikipedia.org/wiki/...
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
I'd like to see the actual indictment
Aaaaand here it is.
This is dumb and wrong. The NSA didn't create the malware, nor the kill switch within it.
What the NSA did that is relevant to the issue being discussed is to know about the Windows SMBv1 vulnerability and not tell Microsoft, and created an exploit to use the vulnerability. The SMBv1 exploit is simply a tool used by the malware, and the malware itself was coded to have a kill switch, separate parts.
If the NSA had disclosed the vulnerability after finding it, we probably wouldn't have had the WCry malware outbreak, because patches would have been out a lot sooner to plug the hole.
A part of that NSA package was the kill switch that Hutchins discovered and published.
This is utterly, totally, and completely wrong. The kill-switch had nothing to do with the exploit or NSA at all. It was implemented separately by the malware developers, likely as a check if the system was a sandbox.
But he caused a TLA to lose one of its fun toys. And for that, he will be punished.
No, he didn't. This is also totally and completely wrong. The EternalBlue exploit used by Wannacry was leaked a month before Wannacry came out by a group (presumably) entirely unrelated to Marcus, and even that didn't really affect the NSA, as MS had fixed the bug a month before that.
There's plenty of bad things the NSA has done to criticize, you don't need to create outright lies about them.
"None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
This is dumb and wrong. The NSA didn't create the malware,
https://en.wikipedia.org/wiki/EternalBlue
There's a theory that the kill switch was built into WannaCry to prevent it from being run in a sandbox environment. It checks for a non-existent URL and refuses to run if it gets a reply, figuring that the sandbox will reply to anything. But that is pretty simple-minded. It is trivially easy to get a decent sandbox to reply (or not) correctly based on actual DNS data. What viruses do (even script kiddie stuff) is to look for a correct response from a command and control network. And refuse to run (and be inspected) if a server replies but incorrectly.
It's more likely that the dummy URL was created to keep EternalBlue payloads from propagating within 'friendly' environments like government and contractor intranets. Just load the URL into the DNS cache inside your firewall and your network is safe.
Have gnu, will travel.
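The comment above describes the kill-switch mechanism (the malware aborts if its lookup of an otherwise non-existent domain gets a reply) and suggests pre-loading that domain into an internal resolver as a defensive measure. The following is an added example, not code from the page or from any commenter, showing how a defender would turn that into a detection: scan DNS query logs for lookups of the kill-switch domain and separate clients whose lookups were answered (the domain was resolvable, so the malware's own check had a chance to stop it) from clients whose lookups returned NXDOMAIN (nothing would have stopped the payload). The page does not give the real domain, so `killswitch-placeholder.example` is a placeholder, and the log lines are constructed in a BIND-like shape with a synthetic `rcode` field; adapt `LINE_RE` to your resolver's format.

```python
"""Added example (not from the page or any commenter): flag hosts that
looked up a WannaCry-style kill-switch domain in DNS query logs.

Assumptions: KILLSWITCH_DOMAINS holds a placeholder, since the page does
not name the real domain; SAMPLE_LOG is a constructed log in a
BIND-like format extended with an 'rcode' field."""
import re

# Placeholder: replace with the real sinkholed domain(s) from threat intel.
KILLSWITCH_DOMAINS = {"killswitch-placeholder.example"}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2017-05-12T09:01:03Z client 10.0.4.17 query killswitch-placeholder.example A rcode NXDOMAIN
2017-05-12T09:01:04Z client 10.0.4.17 query killswitch-placeholder.example A rcode NXDOMAIN
2017-05-12T09:02:10Z client 10.0.4.22 query update.example.net A rcode NOERROR
2017-05-12T11:30:41Z client 10.0.9.5 query killswitch-placeholder.example A rcode NOERROR
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>\S+) query (?P<qname>\S+) "
    r"(?P<qtype>\S+) rcode (?P<rcode>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Normalise the queried name: strip trailing dot, lower-case.
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def find_killswitch_lookups(log_text, domains=KILLSWITCH_DOMAINS):
    """Return {client: {"count": n, "first": ts, "answered": bool}} for every
    client that queried a kill-switch domain.

    'answered' is True when at least one lookup returned NOERROR: the domain
    resolved (sinkholed publicly or pre-loaded in the local resolver), which
    is the precondition for the reply that makes the malware abort."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qname"] not in domains:
            continue
        entry = hits.setdefault(
            rec["client"], {"count": 0, "first": rec["ts"], "answered": False}
        )
        entry["count"] += 1
        if rec["rcode"] == "NOERROR":
            entry["answered"] = True
    return hits


def unanswered_clients(hits):
    """Clients whose lookups were never answered: on a network that has not
    made the domain resolvable, the check gives the malware no reason to
    stop, so these hosts are the first to triage."""
    return sorted(c for c, e in hits.items() if not e["answered"])


if __name__ == "__main__":
    found = find_killswitch_lookups(SAMPLE_LOG)
    for client, entry in sorted(found.items()):
        print(client, entry)
    print("unanswered lookups (triage first):", unanswered_clients(found))
```

Any host that queries the kill-switch domain at all is worth looking at, because a benign process has no reason to resolve it; the answered/unanswered split only orders the triage. Note that a NOERROR answer shows the name resolved, not that the subsequent HTTP request got a reply, so resolver pre-loading should point at something that actually responds.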