I think it's hilarious how these "kill switches" are supposedly meant to detect sandboxes, to make it harder for security researchers to analyze the malware. While actually making it easy for security researchers to completely disable all installations around the entire world.
That's just what I heard, but it makes sense. There are far more sane ways to implement a kill switch without using unregistered domains. (For instance, using a registered domain.)
The point of the killswitch is to detect if the worm is running inside a sandbox. Some sandboxes will resolve any domain you try to ping, so an easy way to detect this is to ping a non-existent domain name. I'm not totally sure how pinging an existing domain would give you the same behavior, but doing something like checking a handful of random non-existent domains from a large list could do the trick.
From the sounds of it, it seems like the researchers didn't expect the killswitch to disable the malware outside of the sandbox any more than the author of the malware did[0].
That's just what I heard, but it makes sense. There are far more sane ways to implement a kill switch without using unregistered domains. (For instance, using a registered domain.)