wannacrypt killswitch morph proof

I was tracking Wannacrypt over the weekend and had an idea which I felt could be rolled out quickly. Listing it out as succinctly as possible:
  1. The killswitch is what it essentially hinges on: an unregistered domain in the code.
  2. The encryption and further execution stop if the domain specified in the code resolves and an HTTP connection is established.
  3. The killswitch domain name in the wannacry code has changed, which means sinkholing just one or two domain names will not work.
  4. So what if we could resolve all unregistered domains to a honeypot?
  5. DNS by nature cannot be gamed to do this as it will cause havoc.
  6. Maxmind GeoIP has a domain name database.
  7. Write a small DNS server, a drop-in replacement, which uses a local copy of this database.
  8. The drop-in DNS server sits in front of the actual organization DNS server.
  9. It checks the domain name in the Maxmind db.
  10. If found in the db, it lets the request pass on to the actual DNS or replies.
  11. If not found, our drop-in DNS server replies with a honeypot IP.
  12. The honeypot IP is running an HTTP server and allows the HTTP connect.
  13. The HTTP connect happens and the killswitch is activated. Wannacrypt/wannacry stops execution.
This can be dynamically configured by giving the DNS IP to our drop-in application server. Later, as the dust settles, a further course of action can be decided.
Potential to provide clients with a solution that so far is not available. Effect on normal working of applications is nil. It can be explained to clients in an advisory.
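A sketch of steps 7 to 11 as an added example, not code from this post: it parses a DNS query, forwards names found in a local set and answers A queries for everything else with the honeypot address. The domain set, both IP addresses and all function names are assumptions made for illustration; the set stands in for the local domain database.

```python
import socket
import struct

KNOWN_DOMAINS = {"example.com", "example.org"}  # constructed stand-in for the local domain database
HONEYPOT_IP = "192.0.2.10"                      # placeholder address of the honeypot HTTP server

def make_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query packet (constructed sample input)."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def parse_question(packet):
    """Return (qname, qtype, end_offset) for the first question of a query."""
    labels, pos = [], 12                         # the DNS header is 12 bytes
    while packet[pos] != 0:
        length = packet[pos]
        if length & 0xC0:                        # compression pointers do not belong in a query name
            raise ValueError("compressed name in question")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    qtype, _qclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    return ".".join(labels), qtype, pos + 5

def is_known(qname, known=KNOWN_DOMAINS):
    """True if qname or one of its parent domains is in the database."""
    parts = qname.split(".")
    return any(".".join(parts[i:]) in known for i in range(len(parts)))

def sinkhole_reply(packet, end, ip=HONEYPOT_IP):
    """Answer the question with a single A record pointing at the honeypot."""
    header = packet[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)   # same ID, QR|RD|RA, 1 answer
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + packet[12:end] + answer

def handle(packet, forward):
    """Steps 9 to 11: forward known names to the real DNS, answer the rest with the honeypot."""
    try:
        qname, qtype, end = parse_question(packet)
    except (IndexError, ValueError, struct.error):
        return forward(packet)                   # malformed: leave it to the real resolver
    if qtype != 1 or not qname or is_known(qname):
        return forward(packet)
    return sinkhole_reply(packet, end)

def forward_udp(packet, upstream="192.0.2.53"):  # placeholder for the organization's DNS server
    """Relay the query unchanged to the upstream resolver and return its answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(packet, (upstream, 53))
        return s.recv(4096)
```

Internal-only zones have to be listed in the known set, otherwise their A queries are answered with the honeypot address.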

always backup

A client pinged… he has lost his database for a site which he had spent close to 6 months on… he interpreted a mail from a script provider differently and ended up deleting the db…. the backup is from when he had first set it all up. I had set up his server and used to help him off and on with any tuneups or security issues.

What can I say, backups are never a waste… ever…. if nothing, at least you’ll get some of it all back…. he seems to have lost 500 odd client details…. I’ve referred him to the host to try and see if they have something tucked away somewhere but then that’s a bleak one…

We offer backup planning and automation. When people are starting off they feel it’d be a waste of time but when something like this happens that’s when you realise how important a simple automated backup system is…. and it doesn’t cost the earth either…. ask for the backup service

Pray for Al I hope it works out for him…