CryptoWall, one of a family of malware programs that encrypts files and demands a ransom from victims, has undergone a revamp that is frustrating security researchers.
Cisco's Talos Security Intelligence and Research Group has now analyzed a second version of CryptoWall that has improvements that make it harder to detect and study.
The sample of CryptoWall analyzed by Cisco was sent via email in a ".zip" attachment. Contained in that attachment is an exploit that uses a Microsoft privilege escalation vulnerability, CVE-2013-3660 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3660), to gain greater control over the computer, Carter said.
If opened, CryptoWall doesn't decrypt its whole binary but instead only a small part, which then checks whether it is running in a virtual environment, Carter said.
CryptoWall won't continue to decrypt itself if it is running in a virtual machine. Files are sometimes analyzed in a sandbox inside a virtual machine to check whether they are malicious.
http://www.computerworld.com/article/2865303/cryptowall-ransomware-variant-gets-new-defenses.html
Cisco has a full technical writeup on its blog. http://blogs.cisco.com/security/talos/cryptowall-2
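The delivery vector described above (a zipped executable carrying the exploit, sent by email) is something a mail gateway can flag before a user ever opens it. The following is an added example, not code from Cisco Talos, Computerworld or the original article: it parses an email message, unpacks any zip attachment in memory and reports members that have an executable extension, a double extension such as `invoice.pdf.exe`, or a Windows PE header. The sample message, the attachment name `invoice.zip` and its contents are constructed for the example; the "executable" member is just an `MZ` header followed by zero bytes.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Magic bytes of a Windows PE executable (DOS "MZ" header).
PE_MAGIC = b"MZ"
# Extensions that Windows will execute directly; list is illustrative, not exhaustive.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".dll", ".com", ".pif", ".js", ".vbs")


def inspect_zip(data: bytes) -> list:
    """Return (member_name, reasons) for every zip member that looks executable."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                name = info.filename
                reasons = []
                if name.lower().endswith(EXECUTABLE_SUFFIXES):
                    reasons.append("executable extension")
                # "invoice.pdf.exe" style names hide the real type behind a benign one.
                if name.count(".") > 1:
                    reasons.append("double extension")
                # Read only the first two bytes: enough to spot a PE header and
                # cheap even if the member is a very large (or zip-bomb) file.
                with zf.open(info) as member:
                    head = member.read(2)
                if head == PE_MAGIC:
                    reasons.append("PE header")
                if reasons:
                    findings.append((name, reasons))
    except zipfile.BadZipFile:
        findings.append(("<attachment>", ["not a valid zip"]))
    return findings


def scan_message(raw: bytes) -> list:
    """Walk a raw RFC 822 message and report suspicious members of zip attachments."""
    msg = email.message_from_bytes(raw)
    results = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if not filename:
            continue
        payload = part.get_payload(decode=True) or b""
        # Trust the content, not just the name: "PK" is the zip local-header magic.
        if filename.lower().endswith(".zip") or payload[:2] == b"PK":
            for member, reasons in inspect_zip(payload):
                results.append({"attachment": filename, "member": member, "reasons": reasons})
    return results


def build_sample_message() -> bytes:
    """Constructed sample message: a zip holding a fake 'invoice.pdf.exe' and a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Stand-in for an executable: an MZ header and padding, not a real program.
        zf.writestr("invoice.pdf.exe", PE_MAGIC + b"\x00" * 64)
        zf.writestr("readme.txt", b"hello")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in scan_message(build_sample_message()):
        print(hit)
```

The scan decides on content (the `PK` and `MZ` magic bytes) as well as on file names, so renaming the attachment or the member does not hide it; a real gateway would also recurse into nested archives and handle password-protected zips, which this example does not attempt.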
(Score: 2) by kaszz on Sunday January 11 2015, @05:46PM
"Contained in that attachment is an exploit that uses a Microsoft privilege escalation vulnerability"
In other words: if security matters, don't use Microsoft products!
On a deeper level, combining sensitive storage and communication tools that will interpret and execute foreign data is a bad combination. Versioned storage and interpretation of fewer tags is perhaps a way to mitigate this. Compartmentalization by using jails and VMs is perhaps another, but more cumbersome, way.
Perhaps some people will see the evil backside of allowing HTML in email and then interpreting that shit...
(Score: 0) by Anonymous Coward on Sunday January 11 2015, @07:17PM
TFA even mentions that the exploit is from 2013. Either it gets people who are not fully patched or who answer "Continue" to the UAC prompt.