The firm he works for literally pays him to track size and scale of malware outbreaks. What's the best way to do that? Look for domains the malware attempts to communicate with and register them, pointing them at the firm's sinkhole server. From there the server can generate reports on how many connections it gets and from where.
He did what he would have done to any malware once he found an unregistered domain: he registered it. He didn't realise the malware was using that domain as a killswitch.