SoylentNews is people
SoylentNews
CryptoWall, one of a family of malware programs that encrypts files and demands a ransom from victims, has undergone a revamp that is frustrating security researchers.
Cisco's Talos Security Intelligence and Research Group has now analyzed a second version of CryptoWall that has improvements that make it harder to detect and study.
The sample of CryptoWall analyzed by Cisco was sent via email in a ".zip" attachment. Contained in that attachment is an exploit that uses a Microsoft privilege escalation vulnerability, CVE-2013-3660 ( http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3660 ), to gain greater control over the computer, Carter said.
If opened, CryptoWall doesn't decrypt its whole binary but instead just a small part, which then checks to see if it is running in a virtual environment, Carter said.
CryptoWall won't continue to decrypt itself if it is running in a virtual machine. Files are sometimes analyzed in a sandbox within a virtual machine to check if they're possibly malicious.
http://www.computerworld.com/article/2865303/cryptowall-ransomware-variant-gets-new-defenses.html
Cisco has a full technical writeup on its blog. http://blogs.cisco.com/security/talos/cryptowall-2
(Score: 0) by Anonymous Coward on Sunday January 11 2015, @04:33PM
I thought the same thing when I read this on Ars Technica a couple weeks ago, but I think the malware already has root access at the point it does that by way of a privilege escalation exploit. I'm guessing that's required to edit these configurations and normal userspace applications aren't allowed to do that, but I know zero about how Windows works. If userspace applications are able to edit critical things like that, then yes, it's a fucking joke of a security model. But Windows was never really designed to be a secure OS, so that's what you get with that.
Still, prefixing an asterisk to have this kind of a special meaning is a really stupid design - rather indicative of how software engineers in Redmond do things.