SoylentNews is people
SoylentNews
CryptoWall, one of a family of malware programs that encrypts files and demands a ransom from victims, has undergone a revamp that is frustrating security researchers.
Cisco's Talos Security Intelligence and Research Group has now analyzed a second version of CryptoWall that has improvements that make it harder to detect and study.
The sample of CryptoWall analyzed by Cisco was sent via email in a ".zip" attachment. Contained in that attachment is an exploit that uses a Microsoft privilege escalation vulnerability, CVE-2013-3660 ( http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3660 ), to gain greater control over the computer, Carter said.
If opened, CryptoWall doesn't decrypt its whole binary but instead just a small part, which then checks to see if it is running in a virtual environment, Carter said.
CryptoWall won't continue to decrypt itself if it is running in a virtual machine. Files are sometimes analyzed in a sandbox within a virtual machine to check if they're possibly malicious.
http://www.computerworld.com/article/2865303/cryptowall-ransomware-variant-gets-new-defenses.html
Cisco has a full technical writeup on its blog. http://blogs.cisco.com/security/talos/cryptowall-2
(Score: 2) by FatPhil on Sunday January 11 2015, @03:03PM
There's a flipside too. Analysts who want to examine the malware can simply evade the "enumerating badness" that the malware performs:
http://blogs.cisco.com/wp-content/uploads/cryptowall-2.jpg
Evaluating badness is never a long-term solution to any security problem.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 0) by Anonymous Coward on Sunday January 11 2015, @06:47PM
OH noes my VM got trashed. Now I have to wait a whole 5 minutes to restore my snapshot.