In a statement on Thursday, a company spokesperson said the malware, which FireEye named SUNBURST, would not work under certain conditions which were returned when it attempted to resolve the domain avsvmcloud[.]com.
"Depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution. FireEye collaborated with GoDaddy and Microsoft to deactivate SUNBURST infections," a spokesperson said.
A number of US Government departments — Homeland Security and Treasury among them — have been named as being affected. FireEye, too, appears to have been a victim. The Orion software has very wide usage in the US and also in Britain.
FireEye and Microsoft researchers said the activity had been detected at multiple entities worldwide. "The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East," they wrote. "We anticipate there are additional victims in other countries and verticals."
The compromised component was named as SolarWinds.Orion.Core.BusinessLayer.dll, a digitally signed part of the Orion software. This contained a backdoor that communicated with third-party servers using HTTP.
Of the killswitch, FireEye said it had devised the method to stop the malware in collaboration with domain vendor GoDaddy and Microsoft.
"This killswitch will affect new and previous SUNBURST infections by disabling SUNBURST deployments that are still beaconing to avsvmcloud[.]com," the FireEye spokesperson said.
"However, in the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access victim networks beyond the SUNBURST backdoor.
"This killswitch will not remove the actor from victim networks where they have established other backdoors. However, it will make it more difficult to for the actor to leverage the previously distributed versions of SUNBURST."