FireEye, GoDaddy and Microsoft flick SolarWinds SUNBURST 'killswitch'

Security vendor FireEye, Microsoft and domain registrar GoDaddy have enabled a "killswitch" for the SUNBURST malware deployed by suspected Russian hackers in a global supply-chain attack.

FireEye's technical analysis of SUNBURST malware instances showed that they have a domain generation algorithm (DGA) to determine which command and control server the program should contact.

The DGA creates a host name that resolves to a subdomain of avsvmcloud.com. 

If the malware detects that the domain name system A record resolves to an RFC 1918 internet protocol address used for local area networks, or four other blocks of routable addresses, SUNBURST will terminate itself.

One of the IP address blocks that the malware checks is 20.140.0.0/15 which is assigned to Microsoft.

GoDaddy, FireEye and Microsoft have now configured the A record for avsvmcloud.com to resolve to 20.140.0.1, which causes the malware to deactivate itself and prevent further execution.

In a statement, FireEye cautioned that the killswitch will only disable SUNBURST deployments  that are connecting to avsvmcloud.com and not remove the attacker from victim networks.

FireEye said it has seen the intruder quickly establish additional persistent mechanisms to access victim networks, besides using the SUNBURST backdoor.

SUNBURST is a trojanised version of the Orion network management plug-in that was used to compromise some 18,000 customers for close to nine months by breaching a SolarWinds update server and dropping malicious software on it.

SolarWinds products are used by the United States and British governments, and the majority of US Fortune 500 companies.