
posted by LaminatorX on Sunday January 11 2015, @07:17AM
from the another-brick dept.

CryptoWall, one of a family of malware programs that encrypts files and demands a ransom from victims, has undergone a revamp that is frustrating security researchers.

Cisco's Talos Security Intelligence and Research Group has now analyzed a second version of CryptoWall that has improvements that make it harder to detect and study.

The sample of CryptoWall analyzed by Cisco was sent via email in a ".zip" attachment. Contained in that attachment is an exploit that uses a Microsoft privilege escalation vulnerability, CVE-2013-3660 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3660), to gain greater control over the computer, Carter said.

If opened, CryptoWall doesn't decrypt its whole binary but instead just a small part, which then checks to see if it is running in a virtual environment, Carter said.

CryptoWall won't continue to decrypt itself if it is running in a virtual machine. Files are sometimes analyzed in a sandbox within a virtual machine to check if they're possibly malicious.

http://www.computerworld.com/article/2865303/cryptowall-ransomware-variant-gets-new-defenses.html

Cisco has a full technical writeup on its blog. http://blogs.cisco.com/security/talos/cryptowall-2

  • (Score: 2) by zocalo (302) on Sunday January 11 2015, @03:32PM (#133704)

    Sure, which is why I brought security by obscurity up; it's a tool that can be used, but not one that should ever be relied on to be foolproof. To provide the expected car analogy, I think this is more akin to having a car alarm vs. not having one; any competent car thief is going to be able to circumvent an alarm but they are far more likely to just go for the car that doesn't have one further up the street - at least until almost all cars have alarms. It's kind of like the early days of OSX in that respect when no one bothered to target it because the market penetration was too low to worry about it, but now that Macs are much more popular we are seeing lots of malware and even bootkits in the wild.

    There's also the question of risk vs. reward for the Cryptowall operators; the more tests they do to determine the nature of the environment, the more likely they are to trigger the heuristics of a security package, and now that this point has been raised you can bet that any AV tools that don't already do so will shortly be raising a metaphorical heuristic eyebrow at any software that checks for VM state (mine already does). More tests also potentially present more opportunities for being spoofed by malware researchers into getting the code to run within their sandbox, which is the whole reason they implemented this step in the first place - another reason for them to KISS and just move on if the code detects a VM. There are, at least for now, plenty of easier cars on the street.
    --
    UNIX? They're not even circumcised! Savages!
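The summary describes a loader that decrypts only a small stub, probes for a VM, and leaves the rest of the binary opaque; the comment above notes that AV heuristics now eye any code that checks for VM state. The following static triage heuristic, added here as an illustration and not code from Cisco Talos, the article or this thread, combines those two signals: it flags a file that both names common VM artefacts in its clear portion and consists mostly of high-entropy (encrypted or packed) bytes. The indicator list, the thresholds and the sample bytes are constructed assumptions for the example.

```python
import hashlib
import math
from collections import Counter

WINDOW = 512               # bytes per entropy window (assumed tuning value)
ENTROPY_THRESHOLD = 7.0    # bits/byte; encrypted or random data sits near 8
# Artefact strings that VM-probing code commonly references (constructed
# list for this example; a production rule set would be far larger).
VM_INDICATORS = [b"VMware", b"VBOX", b"VirtualBox", b"QEMU", b"Xen"]

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: ~8.0 for ciphertext, ~4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def encrypted_fraction(data: bytes) -> float:
    """Share of the file covered by windows whose entropy exceeds the threshold."""
    offsets = range(0, len(data) - WINDOW + 1, WINDOW)
    hot = sum(1 for off in offsets
              if shannon_entropy(data[off:off + WINDOW]) >= ENTROPY_THRESHOLD)
    return hot * WINDOW / max(len(data), 1)

def scan(sample: bytes) -> dict:
    """Flag a file that both names VM artefacts and is mostly opaque bytes."""
    indicators = [s.decode() for s in VM_INDICATORS if s in sample]
    fraction = encrypted_fraction(sample)
    verdict = "suspicious" if indicators and fraction > 0.5 else "clean"
    return {"vm_indicators": indicators,
            "encrypted_fraction": round(fraction, 2), "verdict": verdict}

def pseudo_random(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic high-entropy filler standing in for an encrypted body."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

# Constructed sample: a small plaintext stub naming VM artefacts, followed
# by 2048 bytes of opaque data standing in for the still-encrypted remainder.
STAGED_SAMPLE = (b"stub: probe VMware / VBOX, then unpack body".ljust(WINDOW, b"\x00")
                 + pseudo_random(4 * WINDOW))
# Constructed benign sample: ordinary text, no VM strings, low entropy.
BENIGN_SAMPLE = b"The quick brown fox jumps over the lazy dog. " * 60

if __name__ == "__main__":
    print(scan(STAGED_SAMPLE))   # verdict 'suspicious', encrypted_fraction 0.8
    print(scan(BENIGN_SAMPLE))   # verdict 'clean'
```

A real triage pipeline would pair this with dynamic analysis on bare metal or a sandbox that hides the artefacts the stub probes for, since the static signal alone only says "packed and VM-aware", not "ransomware".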
  • (Score: 2) by opinionated_science (4031) on Sunday January 11 2015, @05:07PM (#133728)

    Ultimately, if you have a mathematical mind, all computing is a state machine. The state change from being "without malware" to "with malware" is clearly atomic and usually (USB/CDROM excepted!!) network transmitted.

    Hence, if the network traffic is sandboxed and perhaps network *initiated* actions are caught by COW, I would think this malware would be foiled.

    But as we know... "There are two sorts of people in this world. Those who backup and those who WILL back up...." (D. Adams).