SoylentNews is people
SoylentNews
CryptoWall, one of a family of malware programs that encrypts files and demands a ransom from victims, has undergone a revamp that is frustrating security researchers.
Cisco's Talos Security Intelligence and Research Group has now analyzed a second version of CryptoWall that has improvements that make it harder to detect and study.
The sample of CryptoWall analyzed by Cisco was sent via email in a ".zip" attachment. Contained in that attachment is an exploit that uses a Microsoft privilege escalation vulnerability, CVE-2013-3660 ( http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3660 ), to gain greater control over the computer, Carter said.
If opened, CryptoWall doesn't decrypt its whole binary but instead just a small part, which then checks to see if it is running in a virtual environment, Carter said.
CryptoWall won't continue to decrypt itself if it is running in a virtual machine. Files are sometimes analyzed in a sandbox within a virtual machine to check if they're possibly malicious.
http://www.computerworld.com/article/2865303/cryptowall-ransomware-variant-gets-new-defenses.html
Cisco has a full technical writeup on its blog. http://blogs.cisco.com/security/talos/cryptowall-2
(Score: 3, Insightful) by Anonymous Coward on Sunday January 11 2015, @07:34AM
So if I simply do all of my daily work inside virtual machines, I am now safe from this crap? (or, at least, all of it's modern versions)?
Cool!
(Score: 2) by Bot on Sunday January 11 2015, @08:22AM
And *maybe* disabling the VM processor flags fool the malware into thinking you are in a VM while you're not, so you might even go at native speed. BIOSes let you do that, I dunno about newer UEFI crap.
Account abandoned.
(Score: 2) by zocalo on Sunday January 11 2015, @01:01PM
UNIX? They're not even circumcised! Savages!
(Score: 2) by opinionated_science on Sunday January 11 2015, @02:51PM
the problem with security by obscurity, is the obscurity can be overcome by criminality...
this is the problem with using our taxes to pay for Govt spying.
Anything that helps the govt helps the criminals too....
The only defence against this sort of thing is to partition your system. e.g important data on separate machine. Invest in getting a COW (Copy on write) filesystem. Backup once in a while.
Remember this malware is always looking for the lowest common denominator...
(Score: 2) by zocalo on Sunday January 11 2015, @03:32PM
There's also the question of risk vs. reward for the Cryptowall operators; the more tests they do to determine the nature of the environment the more likely they are to trigger the heuristics of a security package, and now that this point has been raised you can bet that any AV tools that don't already do so will shortly be raising a metaphorical heuristic eyebrow at any software that checks for VM state (mine already does). More tests also potentially present more opportunies for being spoofed by malware researchers into getting the code to run within their sandbox; the whole reason they have implemented this step in the first place - another reason for them to KISS and just move on if the code detects a VM. There are, at least for now, plenty of easier cars on the street.
UNIX? They're not even circumcised! Savages!
(Score: 2) by opinionated_science on Sunday January 11 2015, @05:07PM
ultimately, if you have a mathematical mind, all computing is a state machine. The state change from being "without malware" and "with malware" is clearly atomic and usually (USB/CDROM excepted!!) network transmitted.
Hence, if the network traffic is sandbox and perhaps network *initiated* actions caught by COW, I would think this malware would be foiled.
But as we know.. "There are two sorts of people in this world. Those who backup and those who WILL back up...." (D.Adams).
(Score: 2) by kaszz on Sunday January 11 2015, @04:58PM
Regarding a Copy-On-Write filesystem such as Btrfs. What method is the practical way to make use of it?
* Union mount
* Snapshot
* File cloning (perhaps quite resource consuming..)
And backup is really the real solution. But still.
(Score: 2) by opinionated_science on Sunday January 11 2015, @05:10PM
well I'm using ZFS-on-linux, and I am completely amazing by it. I did try BTRFS for a bit but I am still waiting for them to "work out the bugs". I had one of those "SSD killers" hit me, but fortunately this is an enterprise SSD and so not so bothered...
Still I can see why people would be a bit nervous, but ultimately it is preferable to ZFS. BTRFS is IN the kernel and will always be there. ZFS is external and requires work to stay in sync.
If Larry ever wants to convince he is NOT evil, he should relicense ZFS so it can be included in Linux.... I'm not holding my breath on that one!!!
(Score: 2) by kaszz on Sunday January 11 2015, @06:28PM
How does these "SSD killers" happen?
Why is non-GPL code "evil" ? and what is the specifics in CDDL that makes it GPL incompatible?
(I guess CDDL is BSD compatible?)
(Score: 2) by opinionated_science on Sunday January 11 2015, @06:44PM
there was a bug in BTRFS before 3.19 that when a file got full, it got into a "i can't write" loop, that essentially overwrote the same piece of the journal again and again...
Or something like that. The comment in the kernel was "Oops! Another SSD Killer caught there...", hence I like the phrase. I read somewhere that non enterprise SSDs have a lot fewer "spare" cells, and this sort of frantic rewriting (oh forgot to mention it was doing it at 250MB/s!! Got to love SSD speeds!! ), will simply burn through the spare cells.
Perhaps someone out there really knows the technology ,but suffice to say I will not touch BTRFS for a few months....!
(Score: 2) by kaszz on Monday January 12 2015, @12:13AM
Seems just in line with Linux wild west programming ;)
ZFS is nice but has some horrendous RAM requirements.
Perhaps there's any alternative for that evil demon line of operating systems, like the "free" one? ;-)
(Score: 2) by opinionated_science on Monday January 12 2015, @04:26PM
I sprung for as much RAM as I could get in a box for my calculations - RAM is not the problem. I could do with a 1000 TFlop GPU though.....
(Score: 2) by kaszz on Monday January 12 2015, @04:40PM
How many GFlop GPU do you get now? and with what hardware?
And for what application?
(Score: 2) by opinionated_science on Monday January 12 2015, @06:39PM
GROMACS, 2xGTX980, 10TFLOPs (single), though I thing it runs at ~2TFLOP (single). 3D FFT is a problem... Will give some Xeon Phi's a try soon.
(Score: 3, Informative) by Hairyfeet on Monday January 12 2015, @02:59AM
But sometimes obscurity works well, so why not use it? With my customers I use Paragon Backup & Recovery Free [paragon-software.com] and because its not on the bad guy's radars it works VERY well. You just set up Paragon and have it set up a backup capsule (which is a hidden partition with your encrypted backups) and set how often you want it to back up and voila! If they get infected with a nasty they just load the Paragon boot CD I give them, pick a time before they got pwned, and let it rip. Its not quite as nice and easy as Comodo Time Machine but sadly Comodo stopped supporting CTM a couple years ago so if they run anything newer than Win 7 I'd be leery of running CTM.
So as long as the security by obscurity benefits you? I don't see a problem with using it as long as that isn't ALL you have, just as I have my customers get USB HDDs and plug them in once a month so they have offline backups as well as the backup capsule so that if a bad guy manages to get their backup capsule they aren't just screwed. You should never bet on SBO but if what you are using is under the radar? I see no problem with enjoying SBO as a nice bonus.
ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
(Score: 2) by FatPhil on Sunday January 11 2015, @03:03PM
There's a flipside too. Analysts who want to examine the malware can simply evade the "enumerating badness" that the malware performs:
http://blogs.cisco.com/wp-content/uploads/cryptowall-2.jpg
Evaluating badness is never a long-term solution to any security problem.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 0) by Anonymous Coward on Sunday January 11 2015, @06:47PM
OH noes my VM got trashed. Now I have to wait a whole 5 minutes to restore my snapshot.