Confessions of Marcus Hutchins, the hacker who stopped the WannaCry attack

Marcus - thanks for stopping WannaCry. Be well.

Aissen 6 years ago |

It's a long piece, and quite interesting. Thanks for sharing @Malwaretech.

Twisell 6 years ago | |

Yeah this piece is especially long, interesting and nuanced.

If only people could take time to actually read it before reacting with simplistic and pre-existing opinions that would be awesome.

thisisnico 6 years ago | |

One of the first times I've read an article from start to finish entirely without skimming through. Incredible story.

dylan604 6 years ago | |

It is very similar to the one on Silkroad and Ross Ulbricht that Wired had previously done. I can easily see either/both/combined into a movie script.

WrtCdEvrydy 6 years ago |

It's interesting to see how trusting another criminal with your address opens you up to serious blackmail... maybe I should set up a PO Box for Bitcoin business :)

korethr 6 years ago |

I cringed when it came to describing how he'd try to tell the FBI half truth. Even if they hadn't had enough evidence to get him for his involvement in the Kronos malware, they'd still throw the lying to a Fed charge at him.

killswitched 6 years ago |

Why wouldn’t the wannacry malware writers register the domain first? Should be possible to simply update the name servers or dns records should the kill switch need to be engaged?

derrikcurran 6 years ago | |

Perhaps it wasn't a kill switch but rather a way to exempt certain organizations or countries from the effects of the malware.

seesawtron 6 years ago |

This was a long and yet one of the most interesting reads from WIRED I have seen in a long time.

voska 6 years ago |

If you fellow HN'ers feel as compelled to thank Marcus as much as I did, I recommend supporting his Patreon:

https://www.patreon.com/MalwareTech/

C1sc0cat 6 years ago |

Ah that explains his tweet this morning

pfundstein 6 years ago |

This is a bit over the top. He is not a master hacker who "saved the Internet"; He accidentally neutered WannaCry by registering a domain he found in the binary, which as it turned out, acted as a kill switch.

DyslexicAtheist 6 years ago | |

> He accidentally neutered

he did not "accidentally neuter WannaCry". He stopped WannaCry by registering the kill-switch domain. Nothing accidental about that.

> He is not a master hacker

he is a kid. what makes his experience interesting, and his story worth listening to is that he had first-hand experience with the legal system as a hacker that went too far (because he is/was a kid). that is worth more than the arm-chair analysis of law (by wannabe skript kiddies and theoretical security experts).

dx87 6 years ago | | |

He named his own blogpost of the incident "How to Accidentally Stop a Global Cyber Attacks". He thought it was trying to spread like a worm, and they followed standard procedure to register the domain and black hole the traffic.

https://www.malwaretech.com/2017/05/how-to-accidentally-stop...

heipei 6 years ago | | |

It is 100% accidental. He registered a domain he observed being queried from his analysis system. He did not figure out what the purpose of this domain was before registering it. One of three options:

- Act as a centralised C2.

- Act as a kill-switch (this is what happened)

- Act as a dead-man-trigger, destroying the host system.

Even if the third option is not as likely as the first one, the repercussions had he been wrong would have been severe.

wizzwizz4 6 years ago | | |

He didn't know it was the kill-switch domain. He expected it would enable him to kill the malware, though, and was trying to figure out how to send the kill command before it turned out that simply sitting a server behind the domain was enough to kill it.

vikbytes 6 years ago | | |

I mean, how does one solve a problem with unknowns? You try different things until you make some progress and work from there. Turns out he didn't have to do more than registering the domain but just because the problem turned out to be simple to resolve, doesn't make solving it an accident.

Jestar342 6 years ago | | |

What a pointlessly flippant argument. Hutchins discovered, and engaged, the WannaCry killswitch. Irrevocable fact.

newtypems 6 years ago | | |

The question is, what would he have done if it wasn't a kill switch, but happened to be a server that received bitcoin payments from ransomware victims?

He was still selling banking trojans the year before, so who knows?

bsd44 6 years ago | | |

Nobody ever knows something until they do it. I don't understand what are you trying to say.

wizzwizz4 6 years ago | | |

The same thing as everyone who's replied so far: that he deserves at least some of the credit for achieving what he set out to do.

ryanlol 6 years ago | | |

>Nothing accidental about that.

He didn’t know it was the kill-switch domain, seems pretty accidental to me.

roblabla 6 years ago | | |

His goal was to kill the malware. Registering the (unclaimed) domain in the binary was supposed to be step 0 to this. Such a domain would almost certainly act as a control center of some sort. You can claim it while it's still available and analyze the malware or even just the traffic reaching your domain to try and neuter it. Even if there's no killswitch, maybe sending invalid data will cause the malware to malfunction and effectively stop its spread for example.

The fact that just registering the domain killed WannaCry wasn't expected, but his intent was to kill the virus from the start, that's no accident.

kortex 6 years ago | | |

Also, I think the key point to reflect on here, Marcus had the domain knowledge and intuition to know where to start hacking literally within minutes/hours of plugging back in and getting the source.

heipei 6 years ago | | |

"Would almost certainly", yeah, in most cases. But, and this is something that didn't get talked about enough, what if registering the domain actually caused the malware to nuke the host system instead? Think of it as a kill-switch to deter malware researchers that only superficially reverse-engineered a sample before jumping to action. Viewed from that light, just registering the domain because you saw your sandbox talk to it looks more than reckless...

roblabla 6 years ago | | |

We're talking about WannaCry here. It's a ransomware that already more or less nukes the host system. It encrypts the files with strong encryption, which is the same as shredding them if you don't have the ransom money. Sure, the malware author could go further and harm the system physically (e.g. forcefully overheat the CPU or something), but that's actually surprisingly hard to do reliably ^^.

Besides, history tells us that those malwares won't really have such "nuking" functionality. Gating it on the presence of a server is ridiculous, and would be found out eventually when the virus runs in a weird environment where, for instance, every DNS queries resolve (e.g. hotel WiFi).

DyslexicAtheist 6 years ago | | |

isn't the first thing anyone would do when coming across such a domain in a malware binary to check it is claimed (and if not then who here wouldn't register it (even just if to see what happens)?) I mean we can argue over the semantics of accidental, but imo you can't accidentally register a domain?

flatiron 6 years ago | | |

i totally agree. most of innovation is "i wonder if..." and then you do something and see what happens. him registering the domain was based on research, it killing wanacry was based on research and a bit of luck, just like most things

auiya 6 years ago | |

> He is not a master hacker

Those who have watched his reverse engineering malware live streams would beg to differ.

armitron 6 years ago | | |

To anyone in the biz, those live streams should reinforce the fact that Hutchins is little more than script kiddie.

He does have a lot of young, inexperienced followers however, who can't tell the difference and are willing to take him at his word.

Hutchins is a media creation. The hype around him and especially his portrayal as a hero is absolute fiction.

ausbah 6 years ago |

cybersecurity professionals are the closest things to superheroes we have

koheripbal 6 years ago | |

There are a lot more grey-hats than the industry is generally willing to admit.

C1sc0cat 6 years ago | | |

Batman's pretty grey hat as a Super Hero as is Oliver Queen

rayuela 6 years ago |

Hutchins was busted for committing bank fraud. Him doing one good thing does not absolve him of having committed another crime...he's still a criminal. Rather than protest him being arrested we should advocate for him getting a reduced sentence for having at least done some good.

jstanley 6 years ago | |

> getting a reduced sentence for having at least done some good.

It seems like this is exactly what happened:

> On 26 July, 2019, Hutchins was sentenced to time served and one year of supervised release.

JoeSmithson 6 years ago | | |

Judges comments are included in this short documentary https://youtu.be/vveLaA-z3-o (from 21:26)

koheripbal 6 years ago | | |

Seems like the system works far more frequently than we generally give it credit for.

anonyxyz 6 years ago | | |

You mean because it worked this one time?

willis936 6 years ago | |

Shouldn’t the system be set up to reward the good thing more than the bad thing when possible? If someone is in a position of power from doing bad things, how could you expect them to stop of their own volition?

marcinzm 6 years ago | | |

One problem with rewarding an action is that humans are very good at gaming rules. For example, let's say I get X for donating to charity. I can for example setup my own charity, donate to it, pay myself all its income as salary and then just collect lot's of X.

The US tax system is a perfect example of this I'd say.

koheripbal 6 years ago | | |

To be clear, that specific example doesn't work at all, because salaried income from a non-profit is still fully taxable.

vmception 6 years ago | | |

Not really any benefit from that

But the charity you setup would shelter your assets better than any prenup or other asset planning (or lack thereof) when you divorce your spouse

gvjddbnvdrbv 6 years ago | | |

I am not a lawyer but I'm guessing a judge would look pretty badly on doing this too obviously.

vmception 6 years ago | | |

One of the most useful monetary goals in life is being able to afford US federal appeal's court. It's the only part of the system where arbiters of the law actually begin to analyze the law. There is no dog and pony show for jurors there, no instructions that a prosecutor can tell the judges and sway them.

So it wouldn't matter what a single judge thought in lower court, if you were compliant.

yazan94 6 years ago | | |

That logic doesn't make sense. Everyone has the potential to do something bad. If you have a concealed carry firearm with you, should you get rewarded for not shooting someone on a particular day?

bryanrasmussen 6 years ago | | |

the analogy is more like you had a concealed firearm with you and you shot a terrorist.

although personally I think time served and probation seems about right.

tssva 6 years ago | | |

The proper analog is more like you carry a concealed firearm which you used to shoot an innocent person but then later used it to shoot a terrorist.

iso1631 6 years ago | | |

In the UK we stop terrorists with Narwhal tusks

https://www.theguardian.com/uk-news/2019/nov/30/narwhal-tusk...

What's more interesting on the "good deed - bad deed" ometer is

> Among those who pinned down the attacker was James Ford, 42, who is also thought to have tried to save the life of a woman who had been stabbed. Ford was jailed for life in 2004 for the murder of 21-year-old Amanda Champion.

rjsw 6 years ago | | |

The terrorist attacked a conference on rehabilitating offenders so there were probably a few more "bad boys" there too.

Ntrails 6 years ago | | |

One good deed is not enough to absolve, but one bad deed is enough to condemn.

ngneer 6 years ago |

Security is about control. Shame on the malware writers for having left a single point of failure.

gowld 6 years ago |

Title was intentionally misleading before mods updated it.

This is a very one-sided article meant to make Hutchins look good.

The valuable bit of the article is a a reminder of why it's important not to start being criminal/evil, because it traps you in a postive-feedvack loop of criminality as you feel a need to commit ever-greater criminal acts to cover up past acts.

The only escape from this is to create a culture where criminals know that it safer to turn themselves in and turn informant on their co-conspirators, than to try to evade the authorities.

gizmo 6 years ago | |

I carefully read the entire article and I don't think it made Hutchins look good. But it does describe, accurately in my view, the kind of rationalizations people apply to cross line after line until they see no way out.

sqldba 6 years ago | |

A statute of limitations on hacking laws would also help. There's no reason people should be fearful decades later for stuff they did as (relative if not literal) kids.