IamA the "accidental hero" who helped stop the WannaCry attack AMA!

First of all - you have the thanks of many! I'm sure it's been a whirlwind of publicity and lack of privacy since you assisted with the WCRY takedown. Despite the hassles, what is the best thing that you've taken away from this experience?

I've always wanted to do educational videos and possibly conference talks, but until i got dragged out into the spotlight I wasn't confident enough to make the leap from being anonymous. Now that my identity has become public, I feel more confident to give it a go as it's a much smaller jump to make.

Did you receive some job offerings from governments?

No. They probably took one look at all the shitposting and memes in my twitter feed and were like "naaaah".

What's your PC setup specs?

Also, what VM software provide the best isolation for malware testing?

CPU: i7 6700k

Ram: 2x 16GB DDR4 3200 Mhz (G.SKILL Ripjaws)

Disk: Samsung 960 PRO

MB: Asus Maximus VIII Hero

GPU: Nvidia GTX Titan X (Pascal)

Monitor: 3x Dell u2715h

Case: Cooler Master Cosmos 2

Not sure about best isolation but I use VMWare Workstation for local VMs and ESXi for remote (VMware fanboy here).

What are some good resources or ways to learn about cyber security?

For cyber security in general I'd honestly say twitter. Find out who the major players are in the part of the security industry you're interested in and follow em. You will learn so much just by reading all the writeups others tweet (you can use google, but twitter you will always know when and where something new is happening).

Could you suggest some good Twitter accounts to follow?

look through the list of people i follow on twitter and pick out the ones you think are best.

HELLO SIR, GOOD WORK WITH THE KILL SWITCH. MY QUESTION IS: 2sec4u should get a pay rise, can you confirm if you agree with this?

Yes, we will up your shitposting allowance to 100 shitposts per day.

I DO AGREE WITH YOU

TWITTER DOT COM USER @2SEC4U DESERVES A PAY RISE PROVIDED HE STOPS USING THOSE NORMIE CRYING EMOJI

I can confirm I agree with this. We need to put him on basic bitch sensitivity training.

Any advice for someone looking to avoid being doxxed? Asking for a friend.

Simply put: if you want to be truly never found you can't share any personal stuff about you online, you need total separation of your real life and online identity (including avoiding any use of your real name and address for online services, including billing). Honestly it's not fun and not worth it unless you've actually got something to hide.

Initially I lost out on many job offers because I wasn't comfortable publicly linking my online identity to my real one.

Are you going to DEFCON and can I buy you a drink?

Yes, but please don't buy me a drink (the more drunk I get the less able I am to say no to a free drink and I usually end up passed out in a hedge somewhere).

Behold the most common question. How did you get into ethical hacking and security and what books did you use?

Technically I'm not an ethical hacker but a malware researcher (I consider ethical hacking to be more the pentester route). I got into it through programming and a fascination with how malware works.

Books I'd recommend to get started: Practical Reverse Engineering. You should also look into python books (python is great for automating tasks) and Assembly (you'll need x86_64 for reversing on windows/linux and a form of ARM or MIPS for "embedded" devices).

Edit: as others have pointed out, practical reverse engineering won't help if you're a general beginner not a beginner reverse engineer. If you're not coming from a programming background then knowing ASM is a must and C is always helpful. You should be able to engineer software before trying to reverse engineer it

if you were to be removed by a foreign power, what would be your favourite and why is it best Korea?

Because glorious leader can speak in 1567 different languages and doesn't need to research because he just knows things from birth.

Firstly, massive thanks MT ... were you at work when you found the bug in the code or was it something you thught you'd have a dig into?

I was actually on holiday. I made it a grand total of 3 days into my week off before i got sucked back in :)

Aren't you afraid that the WannaCry hackers will want retribution?

Nah, you quickly learn not to worry about things you can't control or you worry all the time.

What changes would you like to UK press regulation? Is there anything that could outlaw the privacy intrusions that you have suffered while still enabling a free press and genuine investigative journalism?

Ideally make people's houses/friends/family off limits until they've been charged (and found guilty of) a serious crime.

Have you spoken to your buddy that sold you out to gutter press?

I'm not sure it was a friend anymore, I think someone who knew me pointed them in the right direction and they did the rest themselves.

What languages can you code in?

What is your opinion on certifications in IT and do you think it's necessary? Do you have any?

Coding languages I'm fluent in: C, C++, Assembly (both x86 and x64), PHP, JavaScript.

Also familiar with: Python, Lua, Objective-C, ARM32, Visual Basic (but wouldn't say I'm fluent as I've not been programming them for long).

Certifications: None (but I imagine they'd help).

Also familiar with: Python, Lua, Objective-C, ARM32, Visual Basic (but wouldn't say I'm fluent as I've not been programming them for long).

But can you create a GUI interface using Visual Basic to track the killers ip address?

No, I can only create gooey interface for that.

Hey, I'm @CryptoCypher on Twitter.

I am currently working on a book that discusses identity security along with operational security. The purpose of this book is to explain the importance of pseudonyms and how to operate a persona "anonymously" online. In this, I will be covering various topics.

With that said, my question is this: would you be willing to get in contact with me to collaborate on my work?

I feel that your experience with UK tabloids as a security researcher would make an excellent example of why people should take the time to lock down their identity security and re-evaluate their OPSEC. Your story could help others realize the importance of locking down their persona.

I don't typically use Reddit, so if you're interested, my Twitter DMs are open.

Cheers.

Sure, DM me on twitter anytime.

What has been the oddest corporate offering you've been given. I spotted the free t-shirts and pizzas, anything else ?

I think free pizzas was probably the weirdest, though I did get offered my own radio show which was interesting.

If you could go back in time, would you register the domain again?

Yes. I think in hindsight knowing the damage caused by this malware would make me more likely to do it, even knowing the personal consequences. It's pretty heartbreaking when all the emails in your inbox not from journalists are people pleading with you to find a way to recover the lost photos of their kids or dead relatives.

What have you learned from malware about programming that general programmers would do well to learn from?

Generally how not to code. Most malware developers seem to have learned programming from writing malware, so they fall for all the gotchas and make some absolutely horrible mistakes.

How do we know you're not one of the people who made the ransomware?

I was going to give you a silly answer but then I felt I should answer this seriously as I've actually seen a lot of conspiracies.

I do not want fame nor money, so I'm not sure why it'd be worth the risk of spending the rest of my life in jail to get 2 things I don't want. Not to mention every intelligence agency in the world is looking at this right now, there's no way they haven't already investigated me to cover all their bases. Not to mention it took the media 3 days to find my real name and address, how long do you think it would take the world's most powerful intelligence agencies to find me if I was the person responsible?

could you hack my reddit account if you wanted?

Hahahaha

Why the cat? Why Sunglasses? Heard the U.K. Is rainy and dark - where is your ideal travel spot & why no direct flights -?

It's from a meme I found quite funny: http://content.iwastesomuchtime.com/482012014934iwsmt.jpeg

Travel spots: I've only been to Vegas and Lyon, so definitely Vegas.

No direct flight: because I live in the middle of nowhere and only have non major airports.

Windows XP has been blamed for leaving NHS computers vulnerable to WannaCry. Is the simple answer correct: that if they were running more modern OSes (eg Win7 or Win10) then they would have been unaffected?

According to multiple analysts I've spoken the malware actually fails on XP (haven't had time to check myself yet), so that would suggest unpatched newer systems were to blame.

3rd-party Windows anti-virus software causes more harm than good, claims ex-Mozilla engineer Robert O'Callahan — do you agree? If not, what would you recommend for non-technical Windows users?

Some AVs cause problems, most do things they really shouldn't (code injection into browsers), but the free version of Windows Defender (not the enterprise one, which is crazy good) is pretty much the equivalent of trying to bail out a sinking ship with a colander.

/u/MalwareTech - Really hoping you can answer this one. Also, for technical users what would you recommend?

Personally I'd recommend one of the better rated 3rd party AVs, unless you're actually worried about governments / criminal APT groups writing 0days to exploit your AV.

What are your career goals long term? Has all the recent publicity changed them?

Nah, will continue working for my current company and aiming towards launching our new platforms later this year.

Has your new-found fame helped you get laid more?

I literally didn't leave the house the entire time i was famous

Future plans? If knighted, will you be Sir $real_name or Sir MalwareTech, Lord of Pizza - I feel like asking a 22 year future plans needs a bit of humor -

Future plans are just to continue work and travel more. If I got a knighthood I'd definitely prefix all my online names with Sir just for the novelty, but keep my real name as is.

How did you get started in this world? What resources do you recommend if you want to learn more about the technical aspects of your work?

I got started through programming and an interest in the inner workings of malware. To get started in reverse engineering I'd recommend learning assembly and reading some books / blog posts from known reverse engineers (most of what i learned comes from just reading random blog posts and some trial + error).

After sinkholing a domain, what's the next steps? Do you run any specific script on the server? By the way, how many domains do you have registered?

Everything is automated so i just enter the domain + malware family name into the commandline and the system registers the domain, points it to the sinkhole, then sets up a tracker (all of this is using a bunch of python scripts I wrote). As for domains I really don't know, but it's over 2,000.

How many sinkhole domains did you have to obtain? and Favorite cat?

It's hard to count because we use about 8 different registrars. All I know is the total of domain we've registered in the past 2 year exceeds 2,000.

As for cats, I love the Russian Blue's with the short legs and big chubby faces.

Hello, just a quick question. We now see the figures of the attack, and it's obviously been a huge campaign but maybe not as big as we thought first. Do you think the media coverage has made it look bigger than it actually is and do you think media coverage on those topics actually does more harm than good? I'll be honest here, i'm an infosec journalist, but had the chance to be off work those last two weeks. But i'm genuinely curious about this. But again, thanks for your work, you're doing great stuff.

I honestly don't know. Our sinkhole only sees the infections we stopped, so I don't think anyone really knows the full scale of how many systems were infected prior to the sinkholing.

I think the media coverage was neutral. On one hand some got the word out that people need to do something, but on the other some made it sound like I'd come up with a miracle cure for ransomware.

What operating system do you prefer to work in? (If it's Linux, which distribution?)

Windows 10 because I'm a heathen

Will the recent explosion of followers change your tweeting habits at all? Will you be posting the same amount of memes?

No. I imagine I'm going to lose a lot of followers when I have time to return to normal twitter usage.

About to start a masters in cyber security, what is the best and worst thing about working Infosec?

Best is definitely the many many selfless people you meet who will insist on always being there to help you and never accept anything in return. Worst is the scriptkiddie groups you will see who cause the same kind of pain serious criminals cause, but do it for "lulz" instead of money. Really makes you lose faith in humanity.

How did you get started - why do you do it? Who are your heroes? Whom do you dislike but have learned from? What investment advice are you getting? What shapes and informs your worldview, and why?

Gotta run looking forward to learning more - thanks for taking the time -

How i got started: https://www.reddit.com/r/IAmA/comments/6cmmdf/iama_the_accidental_hero_who_helped_stop_the/dhvtbpu/

Almost all of what I do is simply because I enjoy it and for no other reason. I'm not in this for fame or money, just passion.

I generally don't like the term heroes as it seems to cartoony, but the researchers at ESET and PrevX who published the TDL4 and Rovnix analysis articles are who inspired my interest in reverse engineering and are largely responsible for where i am now.

I don't really dislike anyone if I learn from them, that's an automatic like from me (unless they're truly an asshole, which I don't think I've met anyone who is).

Not getting any investment advice yet (hopefully soon).

My world view is mostly shaped by my own personal experiences. Although I remain open to other people's experiences, ultimately I feel I can't fully understand something until I've experienced it myself.

This may have been asked, and sorry if it was, but what is to stop the makers of this from simply releasing a different one that doesn't check a domain like the first iteration did?

Nothing stops them, that's why I went to great lengths to warn everyone to patch ASAP.

I gather you've been learning for 11 years now so for us starting out in infosec reaching that point and level of knowledge can seem hugely intimidating. My question is, for those 11 years how much time were you putting into learning? Was it every night after school? Just at the weekends?

And secondly, you seem to have load of friends in infosec, were you all learning together or was this something you did by yourself for the majority of those years?

For most part odd weekends and when I could get away at school, I didn't start full time studying until i left college (4 years ago).

Whats your favorite pizza and why is it pepperoni with garlic sauce?

Chicken Supreme with sweetcorn (Though I've recently learned that sweetcorn on pizza offends people more than pineapple).

Now seriously, when things calm down, lets get that Patreon of yours setup with RE and sinkholing tuts :D

No money, yes tutorials. :)

Did your justeat reward come with limitations, or can you get as much free pizza delivered every day for a year as you want?

They didn't have a way to implement it so they gave me £500 credit, so it's not limited to a year or just to pizza which is nice.

Hello well-done for the great job a couple questions. Whats a typical "working" day like for you ? and have any of the threats you were worried about since quelling wannacry materialised yet.?

Thanks

My work day isn't really typical because I work from home. I tend to alternate between working and gaming randomly throughout the day. When I'm working I'm usually reversing malware or programming the backend for our sinkhole network.

Threats: nothing particularly worrying just your average banking malware (Emotet is what I was looking at beforehand).

How do you starting learning the malware enough to write simulation bots to interact with it?

If I were to want to follow say, 5 steps I need to know about how it works and communicates, what are those 5 steps?

I'd like to learn more about this process but there is not much available publicly.

If you know of any resources, could you please share them.

Thanks and keep up the good work.

For the most part malware just uses the same ways to communicate that normal software uses (HTTP wrappers, FTP wrappers, raw sockets), once you're familiar with these and possibly the windows crypto API, you can start looking into how it encrypts/structures the data sent to the C2.

New CS grad here. Any advice?

Also, what do you think about all the talk of Russian hackers and how the US is standing against it?

Look into getting some certs or public research up, will really help boost your profile.

I think the US is doing the best they can against a form of warfare they've never really been on the receiving end of. This type/level of PsyOps is unprecedented IMO.

Could you explain to us laymen how you actually went about stopping WannaCry? I have very basic computer knowledge, and am just curious how the process even works.

Im sorry if this is a really stupid quedtion, but Is it a matter of infecting a machine with the malware and then running 'triple-class-A-wizard-hacker'-diagnostic-utility-type-shit that gives you a sense of what the malware is doing? Is there like, an actual script the malware runs that you can look at and figure out how it works? I've always had trouble wrapping my head around how this stuff works as I have only the most basic knowledge of programming and computer systems. It surely can't be as simple as opening up 'virus.exe' and figuring out how it does what it does, right?

Is there some sort of video or documentary that kind of breaks down the process of fixing things like this?

Thanks man.

Check out my explanation at malwaretech.com

What VPNs would you suggest?

The best VPN is the one people don't suggest. The more suggested a VPN is the more likely someone who's worth targeting is using it, which makes it a greater target for both good guys and bad.

What do you think about Miria targeting the sinkhole domain? Just skiddies having a giggle, or harbinger of malware collaboration?

Skids, always skids. If it's Mirai it's skids; I only ever saw one sophisticated hacker using Mirai and even then he had heavily customised the code.

So was it an accident? From what I read you used your knowledge of malware to inspect the code then used what you learned to stop it.
So I was somewhat confused how it was reported as an accident.
Did you trip and fall onto several years of anti-malware experience?

I guess it depends how you look at it. For me it seems accidental as I didn't know the domain would stop the malware at the time of registering it, so that part was what I consider an accident.

At what age did you become interested in cyber security and/or tech? Did you teach yourself a lot of the stuff whilst still at school?

Around 11 and yeah I taught myself while I was in school (mostly against my IT teacher's wishes).

Thoughts behind privacy vs privacy against hackers vs privacy from overly aggressive journalists? French "right to be forgotten?" Privacy in a digital age vs big business?

Journalists were definitely far more determined to find me than any hacker ever has been ^_. A friend at a big paper said they had an entire team dedicated just to finding me for 3 days solid, it's crazy.

Do you remember what the first script/program you wrote was? If so, what was it?

It was a Visual Basic Excel macro to disable various group policy restrictions set on the school computers. regedit / cmd was disabled but most of the restrictions were stored in HKCU keys which are editable by the current user if you did it via code, but because running of 3rd party exes was also disabled, I found you could just run VB6 code using the Microsoft Office macro editor.

If you could go back to before claiming 'that domain name' would you change what you did by telling everyone?

I'd probably do it quietly and buy myself an extra week before the Media find me.

How would you suggest someone who has very very little (really basic HTML and not much past a marquee tag) get better at coding?

Sorry if i'm a tad late to the AMA

Just dive right in. Find something you'd like to code, break it down into smaller parts and research how to do those parts.

Scones: Cream then jam or jam then cream? TY

Cream first because cream is easy to spread onto scones and then put a dollop of jam on top, if you do it the other way around you just get jam everywhere.

Why did you want to do cyber security to begin with? What caught your interest?

Additionally, in my original line of work as a pet nurse, we needed to continue going to school to keep our licensure active and good to practice with. Considering you currently do not have a degree, would I be correct in assuming that you don't need to have official "classes" to keep up to date on how to continue doing your job effectively? If that is true, how do you keep your knowledge fresh and up to par?

Thank you so much for taking the time to read this, and possibly answering!

I think what caught my interested was the first rootkit i ever saw. The idea that malware can manipulate the OS to remain well hidden was something I really wanted to look into.

That's correct, I keep up to date via twitter and frequent research.

Do you think using IDA is required for malware researching? A lot of books seem to be based around it. Can you recommend any alternatives?

No it's not required, but I'd definitely never give it up for anything.

Would you prefer future malware be as easily stoppable as this one (not counting patching/admin practices etc) or ones that require more of a puzzle hunt to disassemble?

I prefer the challenge, but if it means stopping people being hurt then easily stoppable.

Are you going to change your carreer plans because of what happened?

Not at all :)

Your twitter description implies you have a(n opinionated) dog - is this true? If so, please provide photo evidence!

Also thanks for your work :D

No I actually don't have a dog, just a cat, but i felt that was too stereotypical.

What's your favourite pizza topping?

Nah, kidding. How much data throughput did you see once you had the sinkhole endpoint set up ?

If I'd set up a sinkhole for WannaCry specifically (which in hindsight would have caused me so much less headache) I'd be able to tell you. Unfortunately we used our sinkhole cluster we use for all sinkholing operations so it was a drop in the ocean of the couple hundred GB of traffic we see daily.

Forgot the most important one, how do you stay sharp at what you do what are your sources for information and becoming more knowledgeable personally that you use every day once a week? How do you stay on top of your ITSec game? What other sources of media do you like to keep yourself up to date?

I always keep in touch with other researchers and make sure to follow all the great sources on twitter; people make fun of Twitter, but I always hear about everything there about an hour before anywhere else.

Media: I tend to read Reuters for serious stuff and dailymail because the comment section is 900% of your recommended daily allowance for both humour and salt.

What are your favorite and/or must-have IDA plugins?

IDA Python. With that you can make any plugin you can dream of :)

Hi! Just a random thought here - do you think the publicity of the DNS registration and sinkholing of data forced the malware creators to move faster with updated code than usual? Or is it business as usual when they figure out bugs in their payload?

In this case they never updated, but usually such a thing would usually cause them to begin updating code immediately.

Any malware you found especially interesting to reverse (maybe because they did something different)?

I really like Dridex because it's just so much more sophisticated than anything else around these days.

Does pineapple belong on pizza?

I'm not against it, but I don't like it either.

Are you sit, or sat?

sitted

Is the website root-me a good way to learn about cyber security ?

Not actually tried it.

Which papers doxxed you?

Not going to name names, as I don't want to instigate anything.

If you were so against being identified, why were you doing so many interviews? And since being "doxxed", why have you invited journalists into your home? This all seems very counter to your original stance on being "anonymous".

If you look at all the voice interviews I did prior to being identified (assuming they haven't been cut), every single one is designed to clarify I haven't permanently stopped the attack and people still need to patch ASAP, ideally before Monday when we suspected another attack would take shape.

Once I did get identified a friend in PR called and warned me that as long as there was a possibility of "the first face to face interview with MalwareTech" journalists would continue hanging around outside my house and harassing people who know me irl. They recommended I pick the biggest news organisation I could find and do a single face to face interview; which would mean there was no story left to be had and other news organisations would leave from outside my house. My boss and I decided on Associated Press for the exclusive as they are the most respectable and didn't harass my friends/family, and sure enough the morning after the interview went live, there were no journalists to be seen (except for a couple of BBC ones because BBC aren't allowed to publish material from Associated Press).