Something Completely Different

Topic started by: DeepMinder on Apr 11, 2025, 09:42 PM

Title: NSA Says Fast Flux Is A National Security Threat, But What Is It?
Post by: DeepMinder on Apr 11, 2025, 09:42 PM

Quote
Marcus Hutchins

Quote
Apr 8, 2025


Quote
A deep dive into how hackers use fast flux to avoid detection by security products, and why the NSA is now raising the alarm.

Quote
00:00 Introduction
00:29 How The Domain Name System Works
03:12 Bulletproof Providers
04:38 Hiding Servers Via Reverse Proxy
06:47 Botnet Based Reverse Proxies
07:35 What Is Single Fast Flux?
10:38 What Is Double Fast Flux?
12:59 DNS Reputation vs Fast Flux
15:16 Why Is The NSA Warning About It?



this is who this dude is btw

Quote
Researcher Marcus Hutchins[54][55] discovered the kill switch domain hardcoded in the malware.[56][57][58] Registering a domain name for a DNS sinkhole stopped the attack spreading as a worm, because the ransomware only encrypted the computer's files if it was unable to connect to that domain, which all computers infected with WannaCry before the website's registration had been unable to do. While this did not help already infected systems, it severely slowed the spread of the initial infection and gave time for defensive measures to be deployed worldwide, particularly in North America and Asia, which had not been attacked to the same extent as elsewhere.[59][60][61][62][63] On 14 May, a first variant of WannaCry appeared with a new and second[64] kill-switch registered by Matt Suiche on the same day. This was followed by a second variant with the third and last kill-switch on 15 May, which was registered by Check Point threat intelligence analysts.[65][66] A few days later, a new version of WannaCry was detected that lacked the kill switch altogether.[67][68][69][70]