FireEye, GoDaddy and Microsoft flick SolarWinds SUNBURST 'killswitch'

By on
FireEye, GoDaddy and Microsoft flick SolarWinds SUNBURST 'killswitch'

Actor likely to remain in infected networks, however.

Security vendor FireEye, Microsoft and domain registrar GoDaddy have enabled a "killswitch" for the SUNBURST malware deployed by suspected Russian hackers in a global supply-chain attack.

FireEye's technical analysis of SUNBURST malware instances showed that they have a domain generation algorithm (DGA) to determine which command and control server the program should contact.

The DGA creates a host name that resolves to a subdomain of 

If the malware detects that the domain name system A record resolves to an RFC 1918 internet protocol address used for local area networks, or four other blocks of routable addresses, SUNBURST will terminate itself.

One of the IP address blocks that the malware checks is which is assigned to Microsoft.

GoDaddy, FireEye and Microsoft have now configured the A record for to resolve to, which causes the malware to deactivate itself and prevent further execution.

In a statement, FireEye cautioned that the killswitch will only disable SUNBURST deployments  that are connecting to and not remove the attacker from victim networks.

FireEye said it has seen the intruder quickly establish additional persistent mechanisms to access victim networks, besides using the SUNBURST backdoor.

SUNBURST is a trojanised version of the Orion network management plug-in that was used to compromise some 18,000 customers for close to nine months by breaching a SolarWinds update server and dropping malicious software on it.

SolarWinds products are used by the United States and British governments, and the majority of US Fortune 500 companies.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © . All rights reserved.

Most Read Articles

Log In

  |  Forgot your password?