posted by LaminatorX on Sunday January 11 2015, @07:17AM
from the another-brick dept.

CryptoWall, one of a family of malware programs that encrypts files and demands a ransom from victims, has undergone a revamp that is frustrating security researchers.

Cisco's Talos Security Intelligence and Research Group has now analyzed a second version of CryptoWall that has improvements that make it harder to detect and study.

The sample of CryptoWall analyzed by Cisco was sent via email in a ".zip" attachment. Contained in that attachment is an exploit that uses a Microsoft privilege escalation vulnerability, CVE-2013-3660 ( http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3660 ), to gain greater control over the computer, Carter said.

If opened, CryptoWall doesn't decrypt its whole binary but instead just a small part, which then checks to see if it is running in a virtual environment, Carter said.

CryptoWall won't continue to decrypt itself if it is running in a virtual machine. Files are sometimes analyzed in a sandbox within a virtual machine to check if they're possibly malicious.

http://www.computerworld.com/article/2865303/cryptowall-ransomware-variant-gets-new-defenses.html

Cisco has a full technical writeup on its blog. http://blogs.cisco.com/security/talos/cryptowall-2

  • (Score: 3, Insightful) by Anonymous Coward on Sunday January 11 2015, @07:34AM

    by Anonymous Coward on Sunday January 11 2015, @07:34AM (#133636)

    So if I simply do all of my daily work inside virtual machines, I am now safe from this crap? (or, at least, all of its modern versions)?

    Cool!

    • (Score: 2) by Bot on Sunday January 11 2015, @08:22AM

      by Bot (3902) on Sunday January 11 2015, @08:22AM (#133638) Journal

      And *maybe* disabling the VM processor flags fools the malware into thinking you are in a VM while you're not, so you might even go at native speed. BIOSes let you do that, I dunno about newer UEFI crap.

      --
      Account abandoned.
      • (Score: 2) by zocalo on Sunday January 11 2015, @01:01PM

        by zocalo (302) on Sunday January 11 2015, @01:01PM (#133673)
        I've got an ASUS UEFI bios on one of my systems that has that ability IIRC, so at least some of them seem to support this. It seems like this would be something of a security by obscurity measure and might potentially break other things that adapt their behaviour when a VM is detected (low level tools for instance), so suitable caveats need to be applied if you are considering it. Now, where's that mobo manual...
        --
        UNIX? They're not even circumcised! Savages!
        • (Score: 2) by opinionated_science on Sunday January 11 2015, @02:51PM

          by opinionated_science (4031) on Sunday January 11 2015, @02:51PM (#133695)

          the problem with security by obscurity, is the obscurity can be overcome by criminality...
          this is the problem with using our taxes to pay for Govt spying.
          Anything that helps the govt helps the criminals too....

          The only defence against this sort of thing is to partition your system. e.g. important data on separate machine. Invest in getting a COW (Copy on write) filesystem. Backup once in a while.

          Remember this malware is always looking for the lowest common denominator...

          • (Score: 2) by zocalo on Sunday January 11 2015, @03:32PM

            by zocalo (302) on Sunday January 11 2015, @03:32PM (#133704)
            Sure, which is why I brought security by obscurity up; it's a tool that can be used, but not one that should ever be relied on to be foolproof. To provide the expected car analogy, I think this is more akin to having a car alarm vs. not having one; any competent car thief is going to be able to circumvent an alarm but they are far more likely to just go for the car that doesn't have one further up the street - at least until almost all cars have alarms. It's kind of like the early days of OSX in that respect when no one bothered to target it because the market penetration was too low to worry about it, but now that Macs are much more popular we are seeing lots of malware and even bootkits in the wild.

            There's also the question of risk vs. reward for the Cryptowall operators; the more tests they do to determine the nature of the environment the more likely they are to trigger the heuristics of a security package, and now that this point has been raised you can bet that any AV tools that don't already do so will shortly be raising a metaphorical heuristic eyebrow at any software that checks for VM state (mine already does). More tests also potentially present more opportunities for being spoofed by malware researchers into getting the code to run within their sandbox; the whole reason they have implemented this step in the first place - another reason for them to KISS and just move on if the code detects a VM. There are, at least for now, plenty of easier cars on the street.
            --
            UNIX? They're not even circumcised! Savages!
            • (Score: 2) by opinionated_science on Sunday January 11 2015, @05:07PM

              by opinionated_science (4031) on Sunday January 11 2015, @05:07PM (#133728)

              ultimately, if you have a mathematical mind, all computing is a state machine. The state change from being "without malware" and "with malware" is clearly atomic and usually (USB/CDROM excepted!!) network transmitted.

              Hence, if the network traffic is sandboxed and perhaps network *initiated* actions caught by COW, I would think this malware would be foiled.

              But as we know.. "There are two sorts of people in this world. Those who backup and those who WILL back up...." (D.Adams).

          • (Score: 2) by kaszz on Sunday January 11 2015, @04:58PM

            by kaszz (4211) on Sunday January 11 2015, @04:58PM (#133726) Journal

            Regarding a Copy-On-Write filesystem such as Btrfs. What method is the practical way to make use of it?
              * Union mount
              * Snapshot
              * File cloning (perhaps quite resource consuming..)

            And backup is really the real solution. But still.

            • (Score: 2) by opinionated_science on Sunday January 11 2015, @05:10PM

              by opinionated_science (4031) on Sunday January 11 2015, @05:10PM (#133730)

              well I'm using ZFS-on-linux, and I am completely amazed by it. I did try BTRFS for a bit but I am still waiting for them to "work out the bugs". I had one of those "SSD killers" hit me, but fortunately this is an enterprise SSD and so not so bothered...

              Still I can see why people would be a bit nervous, but ultimately it is preferable to ZFS. BTRFS is IN the kernel and will always be there. ZFS is external and requires work to stay in sync.

              If Larry ever wants to convince he is NOT evil, he should relicense ZFS so it can be included in Linux.... I'm not holding my breath on that one!!!

              • (Score: 2) by kaszz on Sunday January 11 2015, @06:28PM

                by kaszz (4211) on Sunday January 11 2015, @06:28PM (#133753) Journal

                How do these "SSD killers" happen?

                Why is non-GPL code "evil" ? and what are the specifics in CDDL that make it GPL incompatible?
                (I guess CDDL is BSD compatible?)

                • (Score: 2) by opinionated_science on Sunday January 11 2015, @06:44PM

                  by opinionated_science (4031) on Sunday January 11 2015, @06:44PM (#133758)

                  there was a bug in BTRFS before 3.19 that when a file got full, it got into a "i can't write" loop, that essentially overwrote the same piece of the journal again and again...

                  Or something like that. The comment in the kernel was "Oops! Another SSD Killer caught there...", hence I like the phrase. I read somewhere that non enterprise SSDs have a lot fewer "spare" cells, and this sort of frantic rewriting (oh forgot to mention it was doing it at 250MB/s!! Got to love SSD speeds!! ), will simply burn through the spare cells.

                  Perhaps someone out there really knows the technology, but suffice to say I will not touch BTRFS for a few months....!

                  • (Score: 2) by kaszz on Monday January 12 2015, @12:13AM

                    by kaszz (4211) on Monday January 12 2015, @12:13AM (#133837) Journal

                    Seems just in line with Linux wild west programming ;)

                    ZFS is nice but has some horrendous RAM requirements.

                    Perhaps there's any alternative for that evil demon line of operating systems, like the "free" one? ;-)

                    • (Score: 2) by opinionated_science on Monday January 12 2015, @04:26PM

                      by opinionated_science (4031) on Monday January 12 2015, @04:26PM (#134032)

                      I sprung for as much RAM as I could get in a box for my calculations - RAM is not the problem. I could do with a 1000 TFlop GPU though.....

                      • (Score: 2) by kaszz on Monday January 12 2015, @04:40PM

                        by kaszz (4211) on Monday January 12 2015, @04:40PM (#134045) Journal

                        How many GFlop GPU do you get now? and with what hardware?
                        And for what application?

                        • (Score: 2) by opinionated_science on Monday January 12 2015, @06:39PM

                          by opinionated_science (4031) on Monday January 12 2015, @06:39PM (#134107)

                          GROMACS, 2xGTX980, 10TFLOPs (single), though I think it runs at ~2TFLOP (single). 3D FFT is a problem... Will give some Xeon Phi's a try soon.

          • (Score: 3, Informative) by Hairyfeet on Monday January 12 2015, @02:59AM

            by Hairyfeet (75) <{bassbeast1968} {at} {gmail.com}> on Monday January 12 2015, @02:59AM (#133871) Journal

            But sometimes obscurity works well, so why not use it? With my customers I use Paragon Backup & Recovery Free [paragon-software.com] and because it's not on the bad guys' radars it works VERY well. You just set up Paragon and have it set up a backup capsule (which is a hidden partition with your encrypted backups) and set how often you want it to back up and voila! If they get infected with a nasty they just load the Paragon boot CD I give them, pick a time before they got pwned, and let it rip. It's not quite as nice and easy as Comodo Time Machine but sadly Comodo stopped supporting CTM a couple years ago so if they run anything newer than Win 7 I'd be leery of running CTM.

            So as long as the security by obscurity benefits you? I don't see a problem with using it as long as that isn't ALL you have, just as I have my customers get USB HDDs and plug them in once a month so they have offline backups as well as the backup capsule so that if a bad guy manages to get their backup capsule they aren't just screwed. You should never bet on SBO but if what you are using is under the radar? I see no problem with enjoying SBO as a nice bonus.

            --
            ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
    • (Score: 2) by FatPhil on Sunday January 11 2015, @03:03PM

      by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Sunday January 11 2015, @03:03PM (#133698) Homepage
      Until the bad guys decide that the behaviour in a VM should be more catastrophic (shredding files, say) than behaviour outside a VM (encrypting files).

      There's a flipside too. Analysts who want to examine the malware can simply evade the "enumerating badness" that the malware performs:
      http://blogs.cisco.com/wp-content/uploads/cryptowall-2.jpg
      Evaluating badness is never a long-term solution to any security problem.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 0) by Anonymous Coward on Sunday January 11 2015, @06:47PM

        by Anonymous Coward on Sunday January 11 2015, @06:47PM (#133760)

        OH noes my VM got trashed. Now I have to wait a whole 5 minutes to restore my snapshot.

  • (Score: 4, Informative) by FatPhil on Sunday January 11 2015, @03:14PM

    by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Sunday January 11 2015, @03:14PM (#133699) Homepage
    Kinda OT, but I noticed in the cisco write-up
    """
    To maintain persistence, an auto-start registry value is added in:

            * HKCU\Software\Microsoft\Windows\CurrentVersion\Run
            * HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    Note: The RunOnce value is preceded by a (*) so that the process starts even in Safe Mode.
    """

    That note made me laugh. Could it really be that MS decided that there would be a "safe" mode which wouldn't run potentially-unsafe programs listed in RunOnce, and *then* decided that really really important programs should be able to override that "safe" mode?

    """
    By default, these keys are ignored when the computer is started in Safe Mode. The value name of RunOnce keys can be prefixed with an asterisk (*) to force the program to run even in Safe mode.
    """ -- http://msdn.microsoft.com/en-us/library/aa376977%28v=vs.85%29.aspx

    I.e.: Yes.

    Who could possibly ever have imagined that malware might start using the asterisk? MS Windows' "security" really is a sad joke.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
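    An added example (not part of the thread or of the Cisco write-up) that turns the MSDN note quoted above into a check a defender can run over exported autostart entries: it parses text in the layout that `reg query` prints for Run/RunOnce keys and flags any RunOnce value whose name begins with the asterisk that makes it run in Safe Mode. The sample registry text below is constructed for the example; the value names and paths in it are invented.

    ```python
    import re

    # Constructed sample in the layout "reg query <key>" prints: a key header line,
    # then one indented line per value with name, type and data separated by runs of
    # spaces. The value names and paths are invented for this example.
    SAMPLE_REG_QUERY = r"""
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
        OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
        a1b2c3d4    REG_SZ    C:\Users\alice\AppData\Roaming\a1b2c3d4.exe

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
        *a1b2c3d4    REG_SZ    C:\Users\alice\AppData\Roaming\a1b2c3d4.exe
        Cleanup    REG_SZ    C:\Windows\System32\cleanmgr.exe /autoclean
    """

    # value name, two or more spaces, the REG_* type, then optional data
    VALUE_RE = re.compile(
        r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)(?:\s{2,}(?P<data>.*))?$"
    )


    def parse_reg_query(text):
        """Parse reg-query style text into a list of {key, name, type, data} dicts."""
        entries, current_key = [], None
        for line in text.splitlines():
            if not line.strip():
                continue
            if not line[0].isspace():          # an unindented line names the key
                current_key = line.strip()
                continue
            m = VALUE_RE.match(line)
            if m and current_key:
                entries.append({
                    "key": current_key,
                    "name": m.group("name"),
                    "type": m.group("type"),
                    "data": (m.group("data") or "").rstrip(),
                })
        return entries


    def find_safe_mode_persistence(entries):
        """Flag RunOnce values whose name starts with '*': per the MSDN text quoted
        in the thread, that prefix makes the command run even in Safe Mode."""
        return [e for e in entries
                if e["key"].lower().endswith("\\runonce") and e["name"].startswith("*")]


    def describe(entries):
        """Human-readable lines for the flagged entries."""
        return [f"{e['key']}\\{e['name']} -> {e['data']}"
                for e in find_safe_mode_persistence(entries)]


    if __name__ == "__main__":
        for line in describe(parse_reg_query(SAMPLE_REG_QUERY)):
            print("Safe-Mode-persistent RunOnce value:", line)
    ```

    The Run key is parsed too but not flagged, since the asterisk only has its Safe Mode meaning under RunOnce; in the sample the same executable appears under both keys, which is the pattern the Cisco write-up describes.
    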
    • (Score: 1) by KilroySmith on Sunday January 11 2015, @04:12PM

      by KilroySmith (2113) on Sunday January 11 2015, @04:12PM (#133714)

      "safe mode" isn't intended as an anti-malware feature. It's intended to get around bad drivers or bad apps that crash the system on boot.

      • (Score: 2) by FatPhil on Monday January 12 2015, @05:16PM

        by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Monday January 12 2015, @05:16PM (#134064) Homepage
        To get around *unintentionally* bad drivers, yes. However, I've worked with Kernels/OSes a fair bit, and in my experience, the kind of idiots who write shitty drivers are the kind of idiots who insist that their driver is so important it must install itself with an asterisk (and then keep reinstating itself each boot). Running with the highest privileges available on the system, of course.
        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 0) by Anonymous Coward on Sunday January 11 2015, @04:33PM

      by Anonymous Coward on Sunday January 11 2015, @04:33PM (#133720)

      I thought the same thing when I read this on Ars Technica a couple weeks ago, but I think the malware already has root access at the point it does that by way of a privilege escalation exploit. I'm guessing that's required to edit these configurations and normal userspace applications aren't allowed to do that, but I know zero about how Windows works. If userspace applications are able to edit critical things like that, then yes, it's a fucking joke of a security model. But Windows was never really designed to be a secure OS, so that's what you get with that.

      Still, prefixing an asterisk to have this kind of a special meaning is a really stupid design - rather indicative of how software engineers in Redmond do things.

  • (Score: 3, Insightful) by SuperCharlie on Sunday January 11 2015, @05:30PM

    by SuperCharlie (2939) on Sunday January 11 2015, @05:30PM (#133734)

    With all the known exploits and then the ones that are sold at high price exchanges, 0 day exploits, and people who don't stay updated for whatever reasons, you end up with the same whack a mole where they just update the exploit and keep going. I'm glad they found this particular one, but I would be surprised if the notification that it is found just makes them click next exploit on the list.

  • (Score: 2) by kaszz on Sunday January 11 2015, @05:46PM

    by kaszz (4211) on Sunday January 11 2015, @05:46PM (#133739) Journal

    "Contained in that attachment is an exploit that uses a Microsoft privilege escalation vulnerability"

    In other words. If security matters, don't use Microsoft products!

    On a deeper level combining sensitive storage and communication tools that will interpret and execute foreign data is a bad combination. Versioned storage and interpretation of fewer tags is perhaps a way to mitigate this. Compartmentalization by using jails and VMs is perhaps another but more cumbersome way.

    Perhaps some people will see the evil backside of allowing html in email and then interpret that shit..

    • (Score: 0) by Anonymous Coward on Sunday January 11 2015, @07:17PM

      by Anonymous Coward on Sunday January 11 2015, @07:17PM (#133769)

      TFA even mentions that the exploit is from 2013. Either it gets people who are not fully patched or answer "Continue" to the UAC prompt.

  • (Score: 0) by Anonymous Coward on Sunday January 11 2015, @07:10PM

    by Anonymous Coward on Sunday January 11 2015, @07:10PM (#133766)

    Add these entries to your HOSTS file to blacklist the Cryptowall 'phone home' to its TOR servers:

    ########## CRYPTOWALL RANSOMWARE 2.0 -- PHONE HOME SERVERS  [BEGIN]
    ########## More info:  http://blogs.cisco.com/security/talos/cryptowall-2
     
    0.0.0.0 eportfolio.ccpullman,ca
    0.0.0.0 ccpullman,ca
    0.0.0.0 www.mg-unterburg.ch
    0.0.0.0 www.sportantiques.co.uk
    0.0.0.0 www.mcgownguild.com
    0.0.0.0 www.drk-wettringen.de
    0.0.0.0 www.rock-times.com
    0.0.0.0 www.footstepsphotography.co.uk
    0.0.0.0 www.choosingcruising.co.uk
    0.0.0.0 www.felixwoman.com
    0.0.0.0 www.projetorideal.com.br
    0.0.0.0 www.jimcole.be
    0.0.0.0 www.jes.or.at
    0.0.0.0 artpartner.cz
    0.0.0.0 www.meihuainfo.com
    0.0.0.0 www.grekiskaforeningen.com
    0.0.0.0 www.cup-neumann.de
    0.0.0.0 www.areaverda.com
    0.0.0.0 www.yemekyapmak.com
     
    ########## CRYPTOWALL RANSOMWARE 2.0 -- PHONE HOME SERVERS  [END]

    • (Score: 0) by Anonymous Coward on Sunday January 11 2015, @07:16PM

      by Anonymous Coward on Sunday January 11 2015, @07:16PM (#133768)

      The first two addresses have 'commas' which should be replaced by 'full stops'

    • (Score: 0) by Anonymous Coward on Sunday January 11 2015, @07:20PM

      by Anonymous Coward on Sunday January 11 2015, @07:20PM (#133770)

      I just worked around your hosts file

      abcd.eportfolio.ccpullman,ca
      abcd.ccpullman,ca
      abcd.mg-unterburg.ch
      abcd.sportantiques.co.uk
      abcd.mcgownguild.com
      abcd.drk-wettringen.de
      abcd.rock-times.com
      abcd.footstepsphotography.co.uk
      abcd.choosingcruising.co.uk
      abcd.felixwoman.com
      abcd.projetorideal.com.br
      abcd.jimcole.be
      abcd.jes.or.at
      abcd.artpartner.cz
      abcd.meihuainfo.com
      abcd.grekiskaforeningen.com
      abcd.cup-neumann.de
      abcd.areaverda.com
      abcd.yemekyapmak.com

      You need a real DNS server to pull off what you are trying to do.
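      An added example (not posted in the thread) that shows the point of the exchange above in code: a hosts-file entry matches one exact hostname, so the `abcd.`-prefixed names slip past it, whereas a resolver-level rule that matches on domain suffix catches them. The blocklist entries are taken from the hosts file posted above (the comma typos in the first two corrected); the queried names are constructed for the example.

      ```python
      # A few entries from the hosts file posted above, with the commas fixed.
      BLOCKLIST = [
          "eportfolio.ccpullman.ca",
          "ccpullman.ca",
          "www.mg-unterburg.ch",
          "www.sportantiques.co.uk",
      ]


      def _canon(name):
          """Normalise a hostname: case-insensitive, trailing dot ignored."""
          return name.strip().lower().rstrip(".")


      def hosts_file_blocks(hostname, blocklist=BLOCKLIST):
          """A hosts-file entry matches exactly one hostname and nothing else."""
          return _canon(hostname) in {_canon(h) for h in blocklist}


      def suffix_blocks(hostname, blocklist=BLOCKLIST):
          """Resolver-style block: the listed name or anything beneath it.
          The leading dot keeps 'notccpullman.ca' from matching 'ccpullman.ca'."""
          name = _canon(hostname)
          return any(name == e or name.endswith("." + e) for e in map(_canon, blocklist))


      def compare(hostnames, blocklist=BLOCKLIST):
          """(hostname, blocked_by_hosts_file, blocked_by_suffix_rule) for each query."""
          return [(h, hosts_file_blocks(h, blocklist), suffix_blocks(h, blocklist))
                  for h in hostnames]


      # Constructed queries: a listed name, the "abcd." variants from the thread,
      # an unrelated look-alike, and a mixed-case form with a trailing dot.
      QUERIES = [
          "ccpullman.ca",
          "abcd.ccpullman.ca",
          "abcd.mg-unterburg.ch",
          "notccpullman.ca",
          "WWW.SPORTANTIQUES.CO.UK.",
      ]

      if __name__ == "__main__":
          for host, via_hosts, via_suffix in compare(QUERIES):
              print(f"{host:28} hosts-file:{via_hosts!s:6} suffix-rule:{via_suffix}")
      ```

      Note the third query: the posted list contains `www.mg-unterburg.ch`, not `mg-unterburg.ch`, so `abcd.mg-unterburg.ch` gets past the suffix rule as well. A resolver-level block only covers a whole site when the entry is the parent domain rather than one hostname under it.
      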

      • (Score: 0) by Anonymous Coward on Sunday January 11 2015, @07:42PM

        by Anonymous Coward on Sunday January 11 2015, @07:42PM (#133777)

        A software program which hooks 'Ring 0' and runs as an always-on driver-service.
        At the configuration window for our program, we have an edit field which is named 'Blacklist'. Any path/folder/file entered into Blacklist will be flagged if touched and our program redirects all related processes into a sandbox and opens a dialog with the user.
        Problem solved.

        On Windows systems, I think you can do this with Sandboxie (shareware).

        • (Score: 2) by cmn32480 on Sunday January 11 2015, @09:42PM

          by cmn32480 (443) <reversethis-{moc.liamg} {ta} {08423nmc}> on Sunday January 11 2015, @09:42PM (#133806) Journal

          Sadly, Sandboxie is no longer shareware. It is now a subscription product.... see: http://www.sandboxie.com/index.php?HomeUse [sandboxie.com]

          --
          "It's a dog eat dog world, and I'm wearing Milkbone underwear" - Norm Peterson
          • (Score: 0) by Anonymous Coward on Sunday January 11 2015, @10:17PM

            by Anonymous Coward on Sunday January 11 2015, @10:17PM (#133812)

            KickassTorrents - search results for "Sandboxie" [kickass.so]
            Torrentz index - search results for "Sandboxie" [torrentz.eu]

            To be quite honest, considering the level of sophistication of malware today, I have no ethical problem with personal computer users on the Windows platform downloading and installing cracked versions of Sandboxie and setting it up to protect the hosts file and running all their browsers through sandboxes. They are doing themselves and the wider internet community a favor. Concerns about piracy in this instance can be thrown in the garbage bin.

            • (Score: 2) by cafebabe on Friday January 23 2015, @01:55AM

              by cafebabe (894) on Friday January 23 2015, @01:55AM (#137100) Journal

              Securing a black box with a black box is idiotic even if you get it from the approved vendor. Knowingly installing tampered software is a transfer of trust from an accountable party to an unaccountable party. This is not a favor to the wider Internet community.

              --
              1702845791×2
        • (Score: 1, Informative) by Anonymous Coward on Monday January 12 2015, @07:05PM

          by Anonymous Coward on Monday January 12 2015, @07:05PM (#134120)

          Sandboxie is good for running untrusted programs inside sandbox containers (such as your web browser) as well as protecting processes from tampering. It is not used for protecting selected files and folders.

          To protect the HOSTS file from tampering, this is the program you want:

          Secure Folders (freeware) [securefoldersfree.com]

          Product Description
             I bet you have files and folders on your computer that you would like to protect in one way or another. Whether you want to hide, lock or set folders as read-only, Secure Folders will help you out, and for free. You can also use the application to set a no-execution protection to the folders you select.
             Secure Folders can help you protect as many files or folders as you want irrespective of their sizes. It uses a stealth protection engine that even advanced computer users cannot reveal.
             You can either install the application in the standard way or as a portable application that remains hidden. You can install it on a USB drive and use it on different computers without the need for any more installation. The application allows you to set password protection for both uninstall and application settings. You can open application settings using a hotkey.
             Using Secure Folders is easy. You can browse and select files and folders or drag them to the program’s window and then select the type of protection you want.

          Features:
          - Unlimited number and size of files can be protected
          - Hidden (portable) installation support. Application can be installed to USB drive
          - Password protection for application settings and uninstall
          - Windows Explorer context menu integration
          - Ability to configure applications excluded from protection
          - File paths can include wildcard masks
          - Hot key to open application settings
          - Application has no performance impact on your system
          - Extremely easy-to-use user interface

          Combining 'Secure Folders' and 'Sandboxie' into a protective suite......
          we can use 'Secure Folders' to protect the HOSTS file from being tampered, and then configure 'Sandboxie' to protect the 'Secure Folders' executable from being tampered.