
SoylentNews is people

posted by LaminatorX on Sunday January 11 2015, @07:17AM
from the another-brick dept.

CryptoWall, one of a family of malware programs that encrypts files and demands a ransom from victims, has undergone a revamp that is frustrating security researchers.

Cisco's Talos Security Intelligence and Research Group has now analyzed a second version of CryptoWall that has improvements that make it harder to detect and study.

The sample of CryptoWall analyzed by Cisco was sent via email in a ".zip" attachment. Contained in that attachment is an exploit that uses a Microsoft privilege escalation vulnerability, CVE-2013-3660 ( http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3660 ), to gain greater control over the computer, Carter said.

If opened, CryptoWall doesn't decrypt its whole binary but instead just a small part, which then checks to see if it is running in a virtual environment, Carter said.

CryptoWall won't continue to decrypt itself if it is running in a virtual machine. Files are sometimes analyzed in a sandbox within a virtual machine to check if they're possibly malicious.

http://www.computerworld.com/article/2865303/cryptowall-ransomware-variant-gets-new-defenses.html

Cisco has a full technical writeup on its blog. http://blogs.cisco.com/security/talos/cryptowall-2

  • (Score: 4, Informative) by FatPhil on Sunday January 11 2015, @03:14PM

    by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Sunday January 11 2015, @03:14PM (#133699) Homepage
    Kinda OT, but I noticed in the cisco write-up
    """
    To maintain persistence, an auto-start registry value is added in:

            * HKCU\Software\Microsoft\Windows\CurrentVersion\Run
            * HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    Note: The RunOnce value is preceded by a (*) so that the process starts even in Safe Mode.
    """

    That note made me laugh. Could it really be that MS decided that there would be a "safe" mode which wouldn't run potentially-unsafe programs listed in RunOnce, and *then* decided that really really important programs should be able to override that "safe" mode?

    """
    By default, these keys are ignored when the computer is started in Safe Mode. The value name of RunOnce keys can be prefixed with an asterisk (*) to force the program to run even in Safe mode.
    """ -- http://msdn.microsoft.com/en-us/library/aa376977%28v=vs.85%29.aspx

    I.e.: Yes.

    Who could possibly ever have imagined that malware might start using the asterisk? MS Windows' "security" really is a sad joke.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
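The RunOnce asterisk behaviour quoted above lends itself to a cheap defender-side check. The script below is an added example (not from the article, the Talos writeup, or any commenter) that lists the Run and RunOnce values under HKCU and HKLM and flags any whose value name starts with `*`, the prefix MSDN documents as forcing execution even in Safe Mode. The hive and key paths are the ones quoted in the comment; the function name `Get-AutoStartEntries` is my own.

```powershell
# Added example: enumerate Run/RunOnce auto-start values and flag the ones
# whose name begins with "*", i.e. entries set to run even in Safe Mode.
# Key paths are those quoted from the Talos writeup; HKLM is checked as well
# because the same keys exist there for machine-wide auto-starts.
$hives = @('HKCU', 'HKLM')
$keys  = @('Software\Microsoft\Windows\CurrentVersion\Run',
           'Software\Microsoft\Windows\CurrentVersion\RunOnce')

function Get-AutoStartEntries {
    foreach ($hive in $hives) {
        foreach ($key in $keys) {
            $path = "${hive}:\$key"
            if (-not (Test-Path $path)) { continue }
            $item = Get-ItemProperty -Path $path
            foreach ($prop in $item.PSObject.Properties) {
                # Get-ItemProperty adds PSPath/PSParentPath/etc.; skip those.
                if ($prop.Name -like 'PS*') { continue }
                [pscustomobject]@{
                    Key            = $path
                    Name           = $prop.Name
                    Command        = $prop.Value
                    # "*" prefix: documented override that runs the entry in Safe Mode.
                    # ("!" is the other documented RunOnce prefix; it only defers
                    # deletion of the value until the command finishes.)
                    SafeModeForced = $prop.Name.StartsWith('*')
                }
            }
        }
    }
}

$entries = Get-AutoStartEntries
$entries | Format-Table -AutoSize

$suspicious = $entries | Where-Object { $_.SafeModeForced }
if ($suspicious) {
    Write-Warning 'Auto-start values that override Safe Mode (review each command):'
    $suspicious | Format-Table Key, Name, Command -AutoSize
}
```

Run it from an ordinary user session for the HKCU view, or elevated to see HKLM as well. An asterisk-prefixed name is not proof of malware (installers occasionally use it), but on a workstation it is rare enough that every hit deserves a look at the command it launches.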
  • (Score: 1) by KilroySmith on Sunday January 11 2015, @04:12PM

    by KilroySmith (2113) on Sunday January 11 2015, @04:12PM (#133714)

    "safe mode" isn't intended as an anti-malware feature. It's intended to get around bad drivers or bad apps that crash the system on boot.

    • (Score: 2) by FatPhil on Monday January 12 2015, @05:16PM

      by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Monday January 12 2015, @05:16PM (#134064) Homepage
      To get around *unintentionally* bad drivers, yes. However, I've worked with kernels/OSes a fair bit, and in my experience, the kind of idiots who write shitty drivers are the kind of idiots who insist that their driver is so important it must install itself with an asterisk (and then keep reinstating itself each boot). Running with the highest privileges available on the system, of course.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 0) by Anonymous Coward on Sunday January 11 2015, @04:33PM

    by Anonymous Coward on Sunday January 11 2015, @04:33PM (#133720)

    I thought the same thing when I read this on Ars Technica a couple weeks ago, but I think the malware already has root access at the point it does that by way of a privilege escalation exploit. I'm guessing that's required to edit these configurations and normal userspace applications aren't allowed to do that, but I know zero about how Windows works. If userspace applications are able to edit critical things like that, then yes, it's a fucking joke of a security model. But Windows was never really designed to be a secure OS, so that's what you get with that.

    Still, prefixing an asterisk to have this kind of a special meaning is a really stupid design - rather indicative of how software engineers in Redmond do things.