Microsoft, FireEye, and GoDaddy have activated a killswitch in the SUNBURST malware distributed as part of the SolarWinds hack, a trojanized update that SolarWinds says may have reached up to 18,000 customers, among them companies and government institutions.
The backdoored DLL reached victims through SolarWinds' own update channel: after the Orion build process was compromised, the payload was compiled into a legitimately signed Orion update that customers installed automatically.
That payload, fortunately, has a killswitch. Before doing anything else, SUNBURST resolves its command-and-control domain, avsvmcloud[.]com, and if the returned address falls into one of several hard-coded address ranges it exits. One of those ranges, 20.140.0.0/15, belongs to Microsoft; the check was most likely meant to keep the malware from running in analysis environments or from generating traffic on Microsoft's own network, where it would be noticed. With GoDaddy, the domain's registrar, the companies repointed avsvmcloud[.]com so that it resolves into that range, which trips the check on every infected host that phones home.
“SUNBURST is the malware that was distributed through SolarWinds software. As part of FireEye’s analysis of SUNBURST, we identified a killswitch that would prevent SUNBURST from continuing to operate,” said FireEye.
The killswitch makes the backdoor stop running; it does not remove the trojanized DLL from the Orion installation and it does not reverse anything the attackers already did through it, which may include installing other persistent backdoors on the victim's network.
“However, in the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access victim networks beyond the SUNBURST backdoor. This killswitch will not remove the actor from victim networks where they have established other backdoors. However, it will make it more difficult for the actor to leverage the previously distributed versions of SUNBURST,” FireEye warned.
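To make the two points above concrete (why a DNS sinkhole into a blocked range stops the backdoor, and why a stopped backdoor is not a clean host), here is an added example that is not code from the article, FireEye, SolarWinds or BleepingComputer. It models the pre-flight check in a few lines and then hunts a resolver log for hosts that looked up the C2 domain at all. The C2 domain and the 20.140.0.0/15 range are from public reporting; the private and multicast ranges are other entries from the same published blocklist, listed here as an illustrative subset rather than the complete list; the DNS log lines, client addresses and subdomain labels are constructed for the example.

```python
"""Added example: model of the SUNBURST killswitch check plus a DNS-log hunt.

Not the malware's code and not vendor code; a simplified illustration only.
"""
import ipaddress
from typing import Dict, Iterable, List

# Command-and-control domain used by SUNBURST (public reporting).
C2_DOMAIN = "avsvmcloud.com"

# Illustrative subset of the address blocks the backdoor refuses to run against.
# If the DNS answer for the C2 domain lands inside one of these, SUNBURST exits,
# which is what makes redirecting the domain into 20.140.0.0/15 a killswitch.
HALT_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private space
    "224.0.0.0/3",                                    # multicast / reserved
    "20.140.0.0/15",                                  # Microsoft-owned, used by the sinkhole
)]


def should_halt(resolved: str) -> bool:
    """True if a C2 DNS answer falls in a blocked range, i.e. the backdoor exits."""
    try:
        addr = ipaddress.ip_address(resolved)
    except ValueError:
        # Unparseable answer: there is nothing to beacon to, so treat it as a halt.
        return True
    # ipaddress returns False for an IPv6 address tested against an IPv4 network.
    return any(addr in net for net in HALT_RANGES)


def beacon_decision(dns_answers: Iterable[str]) -> str:
    """What the backdoor would do with the answers it got for the C2 domain."""
    answers = list(dns_answers)
    if not answers:
        return "sleep"      # no answer yet: try again later
    if any(should_halt(a) for a in answers):
        return "halt"       # killswitch condition met
    return "beacon"         # proceed to command and control


# --- defender side -----------------------------------------------------------
# Constructed resolver log, one query per line: "<timestamp> <client> <qname> <answer>".
# Real resolver logs differ in layout; only the hunt logic matters here.
SAMPLE_DNS_LOG = """\
2020-12-15T10:01:02Z 10.20.30.41 www.example.com 93.184.216.34
2020-12-15T10:02:15Z 10.20.30.77 aaaa1111.appsync-api.us-west-2.avsvmcloud.com 20.140.1.5
2020-12-15T10:03:09Z 10.20.30.41 updates.example.net 198.51.100.7
2020-12-15T10:04:44Z 10.20.30.90 bbbb2222.appsync-api.eu-west-1.avsvmcloud.com 10.0.0.1
"""


def hunt_c2_lookups(log_text: str) -> List[Dict[str, str]]:
    """Return every client that resolved the C2 domain, with the outcome.

    A host that queries avsvmcloud.com is running the trojanized DLL whether or
    not the answer tripped the killswitch, so every hit is a host to investigate.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip blank or malformed lines
        _ts, client, qname, answer = parts
        q = qname.rstrip(".").lower()
        if q != C2_DOMAIN and not q.endswith("." + C2_DOMAIN):
            continue
        hits.append({
            "client": client,
            "qname": qname,
            "answer": answer,
            "status": "halted" if should_halt(answer) else "beaconing",
        })
    return hits


if __name__ == "__main__":
    for hit in hunt_c2_lookups(SAMPLE_DNS_LOG):
        print(f"{hit['client']} resolved {hit['qname']} -> {hit['answer']}: {hit['status']}")
```

Both constructed hosts in the sample log come back as "halted", which is exactly the situation the article describes: the sinkhole has silenced them, but the DLL that issued the query is still installed and the actor may already have other access, so each of those hosts still needs a forensic look rather than being written off as clean.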
Read all the details at BleepingComputer.