Slashdot Mirror


Inside Cryptowall 2.0 Ransomware

msm1267 writes: If you need more evidence that ransomware is here to stay, and could turn into cybercriminals' weapon of choice, look no further than Cryptowall. Researchers at Cisco's Talos group have published an analysis of a Cryptowall 2.0 sample, peeling back many layers of known commodities around this threat, such as its use of the Tor anonymity network to disguise command-and-control communication. But perhaps more telling about the commitment around ransomware is the investment attackers made in its capabilities to detect execution in virtual environments, building in many stages of decryption before the ransomware activates, and its ability to detect 32- and 64-bit architectures and execute different versions for each.

181 comments

  1. Cryptowall is very sophisticated by roccomaglio · · Score: 4, Informative

    Cryptowall is very sophisticated. It will go into online backups and encrypt them too. If you are using a common online backup it can find those and encrypt those too. The best protection against this is a USB backup in a drawer. Cryptowall was recently being distributed by Yahoo ads via a compromised Flash ad http://news.yahoo.com/yahoo-ad.... You could have received it by going to your favorite news site.

    1. Re:Cryptowall is very sophisticated by rvw · · Score: 3, Interesting

      The best protection is to pull your backups not push. You have whatever is performing your backups connect into the machine, and then pull the backups, not having your machine being backed up connecting to the destination and pushing. That way, the machine can be compromised but it has no clue that it's even being backed up (since it's simply a share that's being used.)

      Great and interesting, good to be aware of this possibility! But what if the machine that is pulling is infected? How do you know that is not happening?

    2. Re:Cryptowall is very sophisticated by rvw · · Score: 5, Interesting

      Cryptowall is very sophisticated. It will go into online backups and encrypt them too. If you are using a common online backup it can find those and encrypt those too. The best protection against this is a USB backup in a drawer.

      Cryptowall was recently being distributed by Yahoo ads via a compromised Flash ad http://news.yahoo.com/yahoo-ad.... You could have received it by going to your favorite news site.

      I use Crashplan. Couldn't they use a canary of some kind? In my online account I define a file that is just plain text or a key. I upload the text content of that file to my account while the local backup software doesn't know about this. I point to where this file is located in my backup, and it should be identical. Whenever this file is encrypted (or changed), I get an alert via mail. Then I know something is messing with my backup or with my local files.

    3. Re:Cryptowall is very sophisticated by cdrudge · · Score: 4, Informative

      Cryptowall was recently being distributed by Yahoo ads via a compromised Flash ad http://news.yahoo.com/yahoo-ad.... You could have received it by going to your favorite news site.

      That article makes no mention of a compromised flash ad. It actually doesn't mention any type of compromise or flash. Yahoo ads served up an ad that took people to a server that could lead to a compromise. Just visiting a page that had that Yahoo ad didn't compromise your machine.

    4. Re:Cryptowall is very sophisticated by Zocalo · · Score: 1

      I wouldn't think that the mechanism by which you perform your backups would make much difference to Cryptowall; how you manage and how long you retain them is far more likely to leave you with a safety net. Unless it gets caught in the act, once Cryptowall gets onto a PC, it encrypts the data first and only then makes its presence known to the victim, so if you've updated your backups in the meantime surely they're as good as useless, regardless of how they were taken? The only way backups might save you from a Cryptowall ransom seems like it would have to be that you still have a known good set that predates the initial infection and (maybe) some incrementals that were backed up before they were encrypted.

      --
      UNIX? They're not even circumcised! Savages!
    5. Re:Cryptowall is very sophisticated by jiriw · · Score: 5, Informative

      First, the machine pulling backups has a completely different interaction with the 'world' than your average system-to-be-backed-up. I assume you're not reading e-mail or PDFs, or surfing the web, on the system you use for data backup. Also, it should not execute any of the data it's backing up, so the actual backup process should not be an attack vector for malicious software.

      If you still want more security, you could have the machine pulling backups run a different hardware and/or software platform than the machines it pulls the backups from. For example, you could have Windows desktops and shared SMB partitions that contain the stuff to be backed up and a Linux NAS with a Samba client doing the backups using a cronjob. Make sure that, if the NAS does have a Samba server as well (for network shares), your backups are not available through them because, as we know of Cryptowall, it will also encrypt network data the infected system has write access to.
      There is virtually no malicious software that can infect multiple distinctly different hard / software platforms in the same attack. Although in this particular instance (Cryptowall 2) it does make use of two processor architectures, x86 and AMD64 to do its things...

    6. Re:Cryptowall is very sophisticated by Anonymous Coward · · Score: 0

      Why would your backup machine be infected? It doesn't have a screen, mouse or keyboard and definitely no web browser and it only does back-ups. How did you infect it?

    7. Re:Cryptowall is very sophisticated by drooling-dog · · Score: 4, Informative

      Cryptowall was recently being distributed by Yahoo ads via a compromised Flash ad

      That's why my hosts file includes these entries (among many others):


    8. Re:Cryptowall is very sophisticated by mlts · · Score: 1

      That's the rub. The ideal is something like a NetBackup appliance that has deduplication on the backend, the capability for clientside and serverside encryption [1], and the ability for a backup process to go to the client and start snarfing data.

      However, unless one has $58,000.00 for a small NetBackup appliance, the only thing that comes even close is Retrospect, which is $2100 for multiple servers, around $1000 for one server. For maximum security, a dedicated, locked down PC is needed so no bad stuff can affect the backup machine. It also doesn't hurt to have an external HDD available to transfer the backup set that will be used for a bare metal restore, because booting and trying to restore from the network can be extremely dicey on a wireless network.

      UNIX machines are easier -- bacula and other utilities can do this, but Windows is where the need is for this type of utility, and there isn't anything out there.

      There is a niche for this. Both software that can be used on an older machine, as well as a dedicated appliance.

      I wouldn't be surprised to see this actually be a niche market, similar to NAS appliances. A box that one plops down, configures, installs a client on Windows, OS X, or Linux, and can do the basic range of backups, be it files, or complete bare metal OS images. A file restore would be just accessing the backup client. A complete image restore could even be telling the appliance to map a USB port to a virtual bootable image, boot the machine via the USB port, and let the application code do the rest from there. That way, the machine is never on the network in a vulnerable state.

      [1]: Yes, this kills deduplication... but there are some machines which need to be secured in case the backup appliance gets hacked.

    9. Re:Cryptowall is very sophisticated by Anonymous Coward · · Score: 0

      Cryptowall is very sophisticated. It will go into online backups and encrypt them too. If you are using a common online backup it can find those and encrypt those too.

      What do you mean by online backup? Yes, I've heard it will encrypt connected storage devices, but are you talking about online services like Crashplan, Carbonite, etc? Each online backup service I've used keeps a running history of backups (e.g. 30 days). Despite any attempt by Cryptolocker to encrypt, I would assume it would not be able to touch those historical backups.

    10. Re:Cryptowall is very sophisticated by Anonymous Coward · · Score: 2, Informative

      I wouldn't be surprised to see this actually be a niche market, similar to NAS appliances.

      There is quite a lively backup appliance market. For example these can do pretty much everything you described.

      [1]: Yes, this kills deduplication... but there are some machines which need to be secured in case the backup appliance gets hacked.

      You are also completely right here, there is a constant battle between security and deduplication.

      Full Disclosure: Posting AC because I am a developer at Unitrends.

    11. Re:Cryptowall is very sophisticated by aaarrrgggh · · Score: 2

      Most of the NAS drives out there have a Linux shell available. We rsync from there whenever possible, and the workstation or server does not have rights to the NAS box.

      Nothing is perfect, and the ransomware might figure out ways to skirt these protections. It really comes down to defense in depth against different threats -- multiple types of backups. The concern I have now is out-of-space challenges once encryption starts.

    12. Re:Cryptowall is very sophisticated by Anonymous Coward · · Score: 0

      Use 0.0.0.0 instead of 127.0.0.1

      -- not APK

    13. Re:Cryptowall is very sophisticated by mlts · · Score: 2

      Interesting appliance offerings. The 312 and the other desktop model appear quite useful for almost everyone, if the price is right. Just the fact that malware can't go in and "rm -rf /" the device adds significant protection.

      The 312/313 look interesting. The $4000 price point isn't cheap, but trying to do something similar, like building a PC with Windows Server 2012 R2 and then finding an application to do the backups, may run into higher costs overall.

      IMHO, be it a Unitrends appliance, a machine running bru [1], NetBackup, or anything along those lines, are a must for businesses these days. The Cryptowall/CryptoLocker malware is only going to get worse, and be able to do more stuff [2]

      [1]: bru is the only backup utility that allows you to install and restore stuff without having to input a serial number. Quite useful. It also has been around since the early 1990s, and is tried and true. Wish it came with RedHat like it did in ages bygone.

      [2]: I will not be surprised to see malware/ransomware start getting even more sophisticated to the point of encrypting files, but having a low level driver in place that allows access... then at some certain date, all file access is locked out. This way, even backups will not be usable. It would also be modular so that it would hook into programs like Mozy, CrashPlan, Carbonite, and others, and encrypt the data as it is sent up.

    14. Re:Cryptowall is very sophisticated by DigiShaman · · Score: 3

      I've personally seen a workstation get hit with a 0 day exploit drive-by-download in Firefox. It's these 3rd party ad server farms that get hacked and start serving out this shit. Doesn't matter if it's Yahoo, CNN, Drudge, MSNBC, Fox News...etc. If they have a contact with one of these ad agencies (and they all do), all it takes is for one of the infected servers to rotate into view for the end user. Really nasty stuff.

      Workstation patch management (Windows Security update, app updates etc) helps, but I've blocked TOR traffic from inside corporate firewalls. So far it seems to help keep the command and control from trying to root further into an infected machine. Regardless, if it got infected, it gets nuked and paved with a fresh image.

      My approach at dealing with Cryptowall evolves as it does.

      --
      Life is not for the lazy.
    15. Re:Cryptowall is very sophisticated by tlhIngan · · Score: 4, Insightful

      I wouldn't be surprised to see this actually be a niche market, similar to NAS appliances. A box that one plops down, configures, installs a client on Windows, OS X, or Linux, and can do the basic range of backups, be it files, or complete bare metal OS images. A file restore would be just accessing the backup client. A complete image restore could even be telling the appliance to map a USB port to a virtual bootable image, boot the machine via the USB port, and let the application code do the rest from there. That way, the machine is never on the network in a vulnerable state.

      Technically, Microsoft created one, then canned it, as usual.

      Windows Home Server contained an EXCELLENT network backup utility - it did image-based backups (but can do file-based restores easily), deduplication, is not accessible via SMB shares, fast, cheap, and a whole lot more. The only downside was it was Windows-only - it could only do NTFS disks because it relies on Volume Shadow Services and on disk-tracking (it finds out what actually changed on disk between runs so it only needs to backup the changed content).

      It was a great backup, restore and upgrade tool - the recovery program was a bootable CD, and the drivers it needs are stored with the backup so all you need is a USB thumbdrive, copy a specific folder off the machine's backup and use it with the boot CD so the boot CD can access hard drives and network.

      And it was automated - every night every machine would get backed up.

      But as is typical for Microsoft, they canned WHS and let the backup program in it die because well, it was too useful.

    16. Re:Cryptowall is very sophisticated by drooling-dog · · Score: 1

      Thank you - I see they've made that change with the latest revision.

    17. Re:Cryptowall is very sophisticated by roc97007 · · Score: 1

      Yes, having a backup set that predates infection is the only solution as far as I can see, regardless of how you back up your data.

      I have too much data (tens of thousands of photographs -- I do photography for a living) to "back up to a thumb drive". I back up to a regular Desktop hard drive, temporarily inserted into one of those USB "drive toasters". The drive is then marked with a sharpie and put away somewhere safe. Assuming I'm not infected at the time of backup, and I don't do something stupid like insert an uninfected recent backup into an infected machine, I should be ok.

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    18. Re:Cryptowall is very sophisticated by Anonymous Coward · · Score: 1

      I use Crashplan too. Doesn't Crashplan maintain versions, so if your files are encrypted, you could just restore a version from before they were encrypted?

    19. Re:Cryptowall is very sophisticated by gweihir · · Score: 1

      Indeed. A good backup is independent, and that decidedly includes "offline".

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    20. Re:Cryptowall is very sophisticated by linuxrocks123 · · Score: 1

      Chuck Norris backs up his computer to single-write BD-Rs. Then he roundkicks your face.

      I also do that, but not the face-kick part.

      --
      vi ~/.emacs # I'm probably going to Hell for this.
    21. Re:Cryptowall is very sophisticated by bmo · · Score: 1

      It's these 3rd party ad server farms that get hacked and start serving out this shit. Doesn't matter if it's Yahoo, CNN, Drudge, MSNBC, Fox News...etc. If they have a contact with one of these ad agencies (and they all do), all it takes is for one of the infected servers to rotate into view for the end user. Really nasty stuff.

      This. So much this. And there are ad networks that will host anything given the right amount of money and lack of care. I sure as hell don't allow ad networks to display their crapware on any machine, no matter the architecture/OS. With adblock-plus, privacy badger, and ghostery installed on a client, third party crap gets enough of a heave-ho to make even going to places like gawker "inoffensive."

      --
      BMO

    22. Re:Cryptowall is very sophisticated by Anonymous Coward · · Score: 0

      Windows server 2012 does all of this still. Essentials is roughly equivalent to WHS.

    23. Re:Cryptowall is very sophisticated by Anonymous Coward · · Score: 0

      Cryptowall was recently being distributed by Yahoo ads via a compromised Flash ad

      This is why it's a good idea to run adblockers, stuff like noscript, etc.

      I have several of the more "popular" adware sites redirected to 127.0.0.1 in my hosts file, and use the NoScript plug-in. What drives me crazy is the number of sites that pull in all kinds of third-party JavaScripts on their web pages. I may trust my bank, but who the hell knows what's in the half-dozen randomly sourced .js files they're trying to download? Fucking lazy web scripters.

    24. Re:Cryptowall is very sophisticated by nine-times · · Score: 1

      The best protection is to pull your backups not push.

      Or, it's a bit more expensive, but back up to a NAS/Server, and then back that up to something else. Like I back up to a NAS, which then performs backup to an external hard drive. Sure, a smart virus might figure out how to encrypt my NAS, but I can just restore that from backup. My computer doesn't have direct access to the NAS backups, so it can't encrypt them.

    25. Re:Cryptowall is very sophisticated by Anonymous Coward · · Score: 0

      Windows 7 and 8 have it built in. It does everything you were talking about. It's called 'Windows Backup'.

    26. Re:Cryptowall is very sophisticated by vux984 · · Score: 2

      The "trouble" with Windows Backup is that it has read/write access to the backup store. Which means if your computer is compromised by Cryptowall, Cryptowall has read/write access to the backup store... so Cryptowall can encrypt your backup archive files, indexes... whatever else.

      Secure backup from something like this needs to be client/server. The computer must not be able to see the backup archive files directly.

      If you save the backups on a network share, using separate credentials that only the backup runs under, then *maybe* you'd be safer. But I still wouldn't count on it.

    27. Re:Cryptowall is very sophisticated by nmr_andrew · · Score: 2

      Exactly. I've been doing the same for more than the last decade, except using a second workstation as the backup device (as opposed to a NAS).

      If the backup machine is on the same LAN, I export the drive (or directories) to be backed up read-only, mount them on the backup machine read-only, and copy using rsync.

      If the machine is in a different location, I share a key pair and pull what I want backed up using rsync (over ssh) from the backup machine.

      This is fairly bulletproof, and in no way can anything running on the original host modify the backup, aside from possibly replacing a changed file.
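
A pull-style snapshot script in the spirit of nmr_andrew's rsync-over-ssh setup, with rvw's canary idea (comment 2 above) added so a client that is rewriting its files is noticed before old snapshots are rotated away, and hard-linked snapshots so the retention Zocalo asks for costs little space. This is an added example, not code from the thread; SOURCE, SNAP_ROOT, CANARY_MANIFEST, KEEP, the manifest format and the mail(1) alert are assumptions.

```shell
#!/bin/sh
# Pull-style snapshot backup with a ransomware canary check.
# Added example, not code from the thread. Runs on the BACKUP host (e.g. from
# cron); the client only exposes an rsync-over-ssh account or a read-only
# share and never holds credentials for this snapshot tree.
# Hypothetical settings: SOURCE, SNAP_ROOT, CANARY_MANIFEST, KEEP, the
# "sha256  relative/path" manifest format and the mail(1) alert.
set -eu

SOURCE="${SOURCE:-backup@client.example:/srv/data/}"          # trailing slash: copy contents
SNAP_ROOT="${SNAP_ROOT:-/backup/client}"                       # one directory per run
CANARY_MANIFEST="${CANARY_MANIFEST:-/backup/client.canaries}"  # kept here, NOT on the client
KEEP="${KEEP:-14}"                                             # good snapshots to retain

# sha256 of one file, portable across sha256sum (coreutils) and shasum (BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# check_canaries SNAPDIR MANIFEST
# Each manifest line is "<sha256>  <path relative to the snapshot>". Prints every
# canary that is missing or altered; returns 0 if all are intact, 1 otherwise.
# A canary is a decoy file the client never legitimately modifies, so any change
# in the freshly pulled copy means something on the client is rewriting data
# (rvw's idea), and it is caught before good snapshots are pruned.
check_canaries() {
    snap=$1; manifest=$2; bad=0; want=''
    while read -r want rel || [ -n "$want" ]; do
        [ -n "$want" ] || continue                   # skip blank lines
        f="$snap/$rel"
        if [ ! -f "$f" ]; then echo "MISSING  $rel"; bad=1; continue; fi
        have=$(sha256_of "$f")
        if [ "$have" != "$want" ]; then echo "CHANGED  $rel"; bad=1; fi
    done < "$manifest"
    return $bad
}

# prune_snapshots ROOT KEEP
# Snapshot names are UTC stamps (YYYYmmdd-HHMMSS), so the glob's lexical order
# is chronological; the oldest are removed until KEEP remain.
prune_snapshots() {
    root=$1; keep=$2
    set -- "$root"/[0-9]*/
    [ -d "$1" ] || return 0                          # no snapshots yet
    n=$#
    while [ "$n" -gt "$keep" ]; do
        rm -rf "$1"; shift; n=$((n - 1))
    done
}

# pull_snapshot: rsync FROM the client INTO a staging dir, verify the canaries,
# then publish the snapshot. Unchanged files become hard links into the previous
# snapshot (--link-dest), so every snapshot is a full tree but only files that
# really changed, e.g. ones freshly encrypted, consume new space.
pull_snapshot() {
    stamp=$(date -u +%Y%m%d-%H%M%S)
    incoming="$SNAP_ROOT/incoming"                   # not matched by the [0-9]* glob
    latest="$SNAP_ROOT/latest"                       # symlink to the last good snapshot
    mkdir -p "$SNAP_ROOT"
    linkdest=""
    [ -d "$latest" ] && linkdest="--link-dest=$latest"
    rsync -aH --delete $linkdest -e ssh "$SOURCE" "$incoming/"
    if check_canaries "$incoming" "$CANARY_MANIFEST"; then
        mv "$incoming" "$SNAP_ROOT/$stamp"
        ln -sfn "$SNAP_ROOT/$stamp" "$latest"
        prune_snapshots "$SNAP_ROOT" "$KEEP"
    else
        # Canary tripped: keep every old snapshot, park the suspect copy, alert.
        mv "$incoming" "$SNAP_ROOT/quarantine-$stamp"
        echo "canary changed in $SOURCE; snapshot rotation frozen" \
            | mail -s "backup alert: possible ransomware on client" root   # assumes local mail(1)
        return 1
    fi
}

case "${1:-}" in run) pull_snapshot ;; esac         # invoke as: sh backup.sh run
```

Because the canary check runs on the pulled copy, it also answers rvw's follow-up question: the client never learns which files are canaries, and the expected hashes live only on the backup host.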

    28. Re:Cryptowall is very sophisticated by Anonymous Coward · · Score: 0

      Redo Backup & Recovery is a great, open source solution for your average person.

    29. Re:Cryptowall is very sophisticated by antdude · · Score: 1

      Drawer? Connect = can infect.

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    30. Re:Cryptowall is very sophisticated by Anonymous Coward · · Score: 0

      Actually, CrashPlan is not vulnerable to this. We encrypt your data on the device before we transfer it, and also encrypt the transmission itself. It can only be decrypted by someone possessing both your password and 448-bit encryption key.
      Because we keep unlimited versions of your files, you can always restore back to a pre-infection state.

      Here's an actual customer who survived this kind of attack: http://youtu.be/ehl13FClCMg?list=PLNNOP5YfrS_mHxYBYKIyMIYJymZIMezj-

    31. Re:Cryptowall is very sophisticated by Anonymous Coward · · Score: 0

      Cryptowall is very sophisticated. It will go into online backups and encrypt them too. If you are using a common online backup it can find those and encrypt those too. The best protection against this is a USB backup in a drawer.

      Cryptowall was recently being distributed by Yahoo ads via a compromised Flash ad http://news.yahoo.com/yahoo-ad.... You could have received it by going to your favorite news site.

      LOL @ flash ads ...

    32. Re:Cryptowall is very sophisticated by Anonymous Coward · · Score: 0

      3 ways to defeat Cryptowall:

      o Browse from Linux

      o Boot System rescue cd and use ' ntfsclone ' to backup your NTFS drives once a week

      o Store your backups on a Linux filesystem that can't be accessed from Windows

  2. Malware by ledow · · Score: 5, Interesting

    Most malware is surprisingly benign. I've been saying it for years.

    If you wanted to get really nasty, you can do these kinds of tricks and the thing will be damn-near scary to contract.

    The problem is that we've bred a generation of people who see malware as nothing more than a distraction. Who will go to "uninstall" to remove it, thinking that's to be trusted, who don't realise that something running in the background is a problem once you close the advert it pops up.

    At some point, something like this is going to be combined with a handful of never-seen-before exploits and it'll go across the globe and take weeks before there are effective patches to get rid of it. But the scary part is that the first few seconds of infection are all that's needed to totally control your ability to use your computer and access your data.

    Maybe then we'll get proper application whitelisting / sandboxing by default in a desktop OS. And, hell, why do applications get the run of every file I use under my account? Should they not have to request such things first? Even on Unix-likes, if you get on as my user, you can trash all my data - why? Why is the data store not immutable and applications only get a link to the data IF they are allowed access to it? And thus nothing ever actually runs "as" the user, but only as its own separate user with similar permissions and only the files necessary.

    Malware could be a lot worse than even this. Why it isn't yet, I haven't figured out - I presume because money-making is at the heart of it now rather than actually malintent with your data. But that won't last forever.

    I'm sorry, but the very concept of a virus scan happening "at scheduled intervals" or after you've already double-clicked on the file just tells you that it's too late before you start. We've got away with it for decades in desktop OS, but it can't continue forever.

    Getting a virus on my networks scares the crap out of me. People think I overreact when I just remote-off the machine (or tell them to pull the plug) and just re-image for even the most basic of adware. Fact is, I didn't install it and I have no idea what it ACTUALLY does. And I'll be damned if it's going to get the chance to go on my shared areas and do anything, even with file history, backups, etc. available.

    1. Re:Malware by Shakrai · · Score: 4, Interesting

      Maybe then we'll get proper application whitelisting / sandboxing by default in a desktop OS. And, hell, why do applications get the run of every file I use under my account? Should they not have to request such things first? Even on Unix-likes, if you get on as my user, you can trash all my data - why?

      The answer is functionality. Let's consider the example of Android, an OS with a fairly recent security model, built on top of Linux which provides for chroot. Why not put apps into their own chroot jail by default? Seems like a good idea, right? How do you explain to Grandma why she can't upload photos from her camera's image gallery to Facebook? Oh, you'll solve that problem by putting the photos in a public directory? Okay, that eliminates the functionality concern, but now you're right back where you started with exposure to ransomware....

      People think I overreact when I just remote-off the machine (or tell them to pull the plug) and just re-image for even the most basic of adware.

      It's not an overreaction, that's my response as well, but I would have to ask you why you're getting adware in your environment? In the gigs where I've worked as in-house IT I can count the number of ad/malware infections we've had over the years on one hand. I'm fairly proactive about training my users and maintaining a solid security model. Have a decent security package, don't allow your users to be admins on their local machines, and train them in common sense steps to avoid ad/malware. That will eliminate the lion's share of infections. Conversely, when I worked in consulting it seemed like all we did was remove ad/malware; it got to the point where it was readily apparent that we were deliberately not proactive because being so would have reduced our billable hours. That's one of many reasons why I quit that job....

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    2. Re:Malware by 0123456 · · Score: 2

      For a start, an app like Facebook should only have read-only access to your photos. That still provides the opportunity to steal your naked pics and upload them all over the web, but not to delete them.

      Of course, if the malware is already using exploits to install, it may also be able to use exploits to escape any such protection.

      But this is now a huge problem, which needs to be fixed. The days when you could trust even supposedly legitimate software not to do bad shit with your shit are over. No software should have access to anything it doesn't need access to.

    3. Re:Malware by Nite_Hawk · · Score: 5, Interesting

      Malware could be a lot worse than even this. Why it isn't yet, I haven't figured out - I presume because money-making is at the heart of it now rather than actually malintent with your data. But that won't last forever.

      I suspect it's because the powerful people in the world largely care little about computers, viruses, downtime, etc. To them it's all just mysterious technical mumbo jumbo that is of little interest to them. Extortion is a little more clear though. Someone is trying to fuck them, and that tends to get people riled up. Riling up folks like us is one thing, but statistically speaking sooner or later malware like this will inadvertently fuck someone who's capable of things like armed abduction, torture, and death. You have to have a lot of faith in the anonymity of bit torrent that you won't be found by one of these kinds of people.

    4. Re:Malware by Nite_Hawk · · Score: 1

      bit torrent

      And it's too early in the morning before my coffee. s/bit torrent/bitcoin

    5. Re:Malware by FireFury03 · · Score: 1

      And, hell, why do applications get the run of every file I use under my account? Should they not have to request such things first? Even on Unix-likes, if you get on as my user, you can trash all my data - why?

      Because anything else would require popping up numerous "would you like to allow this application to do $foo" boxes, and then you end up training the user to just hit "yes" on everything because it's too damned annoying to make a decision every time when the vast vast majority of access requests really are legitimate.

      Sandboxing based on applications making their own decisions and being relatively trustworthy might not be a bad plan though - i.e. if your web browser has an immutable list of files it needs access to, and you trust your web browser, that provides some level of protection when some malware compromises the browser, so long as the immutable list really is immutable and the malware can't modify it.

      I'm sorry, but the very concept of a virus scan happening "at scheduled intervals" or after you've already double-clicked on the file just tells you that it's too late before you start.

      Well no, if you can roll back everything that happened between the "all clear" scan and the "you've been cracked" scan then that's certainly much better than nothing.

      Fact is, I didn't install it and I have no idea what it ACTUALLY does.

      You don't know what most software ACTUALLY does, even if you did install it - most software people use is closed source, but even the open source is a black box unless you actually audit it.

    6. Re:Malware by Shakrai · · Score: 2

      For a start, an app like Facebook should only have read-only access to your photos.

      What if I want to save photos posted by a friend to my device? Now Facebook needs write access to the file structure. Do you propose having multiple directory structures and chroot jails for something as simple as photos? With nothing being able to access / except for the OS?

      No software should have access to anything it doesn't need access to.

      I agree with you in principle but I'm playing devil's advocate to try and illustrate the point that it's not as cut and dry as we would like it to be. I used the example of Android because it's an OS that was created by intelligent people in the day and age where these threats are well known. It also has the theoretical advantage of being an OS where apps don't typically have to interact with the data stored by other apps (the obvious exception is photos), which should make it easier to chroot them, but as soon as you drill down into the nuts and bolts you realize that doing so would eliminate all manner of useful functionality.

      Keep in mind your end user target audience too. How hard was it for Microsoft to get the MCSE crowd used to user account control? UAC was not a new concept but the introduction of it into the Microsoft world threw many of their most knowledgeable users into a confused tailspin. It was even worse for the end/home users without technical backgrounds. Now imagine the headache of trying to introduce chroot'ing into a consumer grade OS and making it the default behavior for applications. Want to import that chart from Excel into Word? Here's a UAC-like pop-up asking for permission. Need to insert that clip art you just downloaded in your browser into your PowerPoint presentation? Here's another UAC-like pop-up asking for permission. Do you see the problem?

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    7. Re:Malware by jythie · · Score: 2

      Why can we not get proper white listing or sandboxing? Look what happens when companies try to move that direction. Both Microsoft and Apple got hell for it every time they tried and ended up backing off. Chrome and Mozilla are encountering similar problems as attempts break plug-ins or websites that people use.

      Security issues are generally rare occurrences, while functionality one uses daily is immediately visible and annoying. Even within unix systems we see a constant push/pull between security and convenience. How many nerdy users are actually running SELinux and paying attention to the policies? A good chunk of the time, all but the most paranoid users will just allow anything that it takes to get their stuff running, and all that sudo abuse is not exactly helping.

      For that matter, look at what has happened to sudo over the last few years. Long gone is the usage of giving specific accounts access to specific commands; it is just used as one giant whitelist where any user can play root.

    8. Re:Malware by 0123456 · · Score: 1

      What if I want to save photos posted by a friend to my device?

      Then you can click a box saying 'yes, I really want to let this app save this file to this location'. Does the Facebook app even let you save other people's pictures?

      Alternatively, you can have a 'downloads' directory for the Facebook app, and map it into a 'photos' virtual directory so every app with access to the photos can see those downloaded from Facebook, but Facebook can't overwrite photos from any other app.

      Yes, people might have to learn not to save random files in random places, or put them all on their desktop.

    9. Re:Malware by Shakrai · · Score: 2

      Then you can click a box saying 'yes, I really want to let this app save this file to this location'.

      So you're going to use an annoying UAC-like pop-up that will rapidly be ignored by 99.9% of the population because it appears so often as to be nearly useless?

      Does the Facebook app even let you save other people's pictures?

      Yes it does, but that's beside the point. Don't get hung-up on the particular example of Facebook, I only used it because it's an app used by the mainstream that needs access to the file structure for legitimate purposes. There are countless others, big and small, and if you're serious about this idea you're going to have to take them all into account and find a way to do it that isn't overly annoying or cumbersome to non-technical end users. Smarter people than either one of us have tried and failed to solve this problem....

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    10. Re:Malware by Whorhay · · Score: 1

      I don't see why you can't do more refined access than just granting everything to every program. Especially with the massive amounts of storage space and memory that computers have today. Sandbox every application allowing it to only have full control over its own little sandbox. If a program needs to look at stuff in other file structures then give it read access, not full control, to those directories. You want it to be able to write to files in those other directories, fine, it reads in a file it isn't allowed to overwrite or change, and then saves its own copy that it can molest in whatever way it wants.

    11. Re:Malware by CreatureComfort · · Score: 4, Funny

      people might have to learn

      Oh. I see your problem right there.

      --
      "Unheard of means only it's undreamed of yet,
      Impossible means not yet done." ~~ Julia Ecklar
    12. Re:Malware by mrchaotica · · Score: 2

      Why is the data store not immutable and applications only get a link to the data IF they are allowed access to it?

      Because then somebody has to tell the computer which applications are allowed to access which data, and normal users can't be bothered.

      You know that we have such functionality now, right? All you have to do is use something like SELinux and set up the ACLs. But I doubt that even most people as security-conscious as you have actually spent the effort to use it.

      Malware could be a lot worse than even this. Why it isn't yet, I haven't figured out - I presume because money-making is at the heart of it now rather than actually malintent with your data. But that won't last forever.

      Most malware isn't "all that bad" for the same reason most diseases aren't like Ebola: if you kill the host too quickly, or provoke a strong anti-disease response, it's harder to spread.

      --
      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    13. Re:Malware by Anonymous Coward · · Score: 0

      Malware could be a lot worse than even this. Why it isn't yet, I haven't figured out - I presume because money-making is at the heart of it now rather than actually malintent with your data. But that won't last forever.

      I suspect it's because the powerful people in the world largely care little about computers, viruses, downtime, etc. To them it's all just mysterious technical mumbo jumbo that is of little interest to them. Extortion is a little more clear though. Someone is trying to fuck them, and that tends to get people riled up. Riling up folks like us is one thing, but statistically speaking sooner or later malware like this will inadvertently fuck someone who's capable of things like armed abduction, torture, and death. You have to have a lot of faith in the anonymity of bit torrent that you won't be found by one of these kinds of people.

      "Oh, you're with the mob? So sorry, we will of course provide the keys for no charge. Professional courtesy. Have a pleasant evening."

    14. Re:Malware by mlts · · Score: 1

      The biggest problem we have is that businesses have moved to SAN and cloud backups. Yes, that VNX replicating asynchronously with constant snapshots is a great way to handle "natural" dangers... but it doesn't take much to drop and zero out all LUNs presented to all machines, and the replication client will just propagate the changes. Same with a tier 2 NAS like a NetApp box or an Isilon. Even with cloud backups, it doesn't take much time to drop a vault or a container.

      There just isn't any thought put into "what happens if the bad guy gains control of the core SAN."

      I feel old fashioned advocating tapes, but a set of tapes sitting in a safe, in a sealed tub at an offsite warehouse, or just in a silo is far more resistant to a mass wipe than anything else out there.

      As the parent said, we need some granularity that doesn't allow an application full access to a user's context. There are existing mechanisms in place, like SELinux, AppArmor, and others, but those are generally used for server programs, as opposed to desktop applications like web browsers, Office suites, and other day to day tools.

      We have been on this merry-go-round before. Back in the days of PC viruses, there was a time when most were benign, but then there was a race towards the end to see who could trash the most, be it frying multisync monitors, wiping firmware on the BIOS or devices, and many other things. When viruses were passive, people really didn't care, but as soon as people had physical hardware damage, the days of passing random executables stopped, and people went for clean download sites.

      These days, malware injected via a Web browser isn't too tough to defeat... AdBlock does far more to keep a machine clean than almost any AV program. Click to play helps as well, and finally running the browser in a VM or a sandbox is the final backstop. It looks like even the malware writers fear stuff like Sandboxie due to the checks for it, so it would be a must-have.

    15. Re:Malware by Anonymous Coward · · Score: 0

      You don't need to trace them through BitTorrent - follow the money... The banks would be of GREAT assistance, if they wanted to be.

      I don't know who you are. I don't know what you want. If you are looking for ransom, I can tell you I don't have money. But what I do have are a very particular set of skills, skills I have acquired over a very long career. Skills that make me a nightmare for people like you. If you let my files go now, that'll be the end of it. I will not look for you, I will not pursue you. But if you don't, I will look for you, I will find you, and I will kill you.

    16. Re:Malware by Orestesx · · Score: 1

      Of course, the replication/snapshots are great for recovering from certain types of disasters, but they shouldn't replace tape backups...that's simply an extension of the old "RAID is not a backup." Do you actually work at a shop that only does replication and no actual tape backups, or have you heard of such a business? If so, please let me know so that I can make sure that I'm not affiliated with them in any way.

    17. Re:Malware by mlts · · Score: 1

      What about a photos directory in the FB app structure? If someone wants to upload a photo of their cat, just dragging and dropping it into that, then firing up FB to upload that isn't that much of a hindrance... and it will boost security by a large amount. Same with dropping a file into a subdirectory of a mail program, so the MUA doesn't have the ability to send attachments of every document present.

      Yes, it is one extra step, but it would help a lot with security.

    18. Re:Malware by FireFury03 · · Score: 1

      If a program needs to look at stuff in other file structures then give it read access

      Great! $malware got read access to your bank details.

      You want it to be able to write to files in those other directories, fine, it reads in a file it isn't allowed to overwrite or change, and then saves its own copy that it can molest in whatever way it wants.

      So now instead of having a single copy of the file, you have a separate copy saved by each application that has been used to process it - creating a mountain of almost-identical files that the user has to keep track of is not a user friendly way of doing things.

      Better is to have a versioned filesystem - each time a file is changed (by any application!) the delta is saved and the filesystem keeps the old data hidden away. Most of the time everything behaves as normal - you have one copy of a file, no matter how many times it is edited. If you need to roll back some changes then you just ask to see previous versions of that file, much like a source control system. And indeed, there are a number of file systems that do exactly this - if you care about such things there's nothing stopping you doing it.

      It doesn't stop malware reading your files or modifying them, but it does mean you can recover the unmodified versions... but then doing backups (which everyone should be doing anyway) gives you similar protection.

    19. Re:Malware by mlts · · Score: 1

      You would be surprised. There are a lot of places out there that consider an EMC Avamar with replication to a hot site the final answer for backups. For most things, this is good enough.

      The problem is that for all but human-caused disasters, RAID and hard drives are seductive, especially tier 2 NAS items like Isilons or NetApps where adding more space is quite easy (as opposed to tier 1 SANs where one has to add new logical drives or expand existing ones). Stash data there, it gets deduped, when it gets near full, add a node, drawer, or more drives.

      Of course, as stated above, RAID works well... but it isn't a backup. There are some items which -can- help like the SmartLock functionality on Isilons, which keeps data even if someone logs on as root and does an "rm -rf /ifs/data".

      As for tape, a lot of installations have moved to VTLs. Of course, the same issue applies to this. As a bad guy, they can log on as the SAN admin, dump the filesystem that is presented as the libraries and tapes, then call it a day.

      It would be nice to see a renaissance in tapes (perhaps a slower LTO-6 spec that can handle USB 3 speeds) just because they are the best way to back up data, even against malicious intervention, bar none. A set of cartridges in a tape safe is as secure as data is going to get from malware, especially if the tapes are set to be read only.

    20. Re:Malware by Anonymous Coward · · Score: 0

      Damaging systems is a shortcut to failure. You want malware to spread and be controllable. This means you do it for the LOLs, the l337 status, spyware for further account compromises or ransom-ware. The latter two are what we're seeing every day across many platforms, particularly those running Linux on consumer NAS boxen. We're even at the point where this stuff can break out of VMs, which I find particularly scary. Not so much the possibility of security agencies having backdoors in commercial OSes to do so, but it's now down to point-n-click if you have the right bitcoins.

    21. Re:Malware by Shakrai · · Score: 1

      The fact that you can move files between the directory structures means there's SOMETHING (a file manager in Android, Explorer in Windows, a shell of some sort in Linux) that has access to the root file system. What will you do when malware starts to target that as an infection vector?

      There's also the training burden that's going to come with teaching people (many of whom do not even know what a file or directory is) how to use such a system. For the same amount of hassle you could instruct them in the necessary steps to avoid getting infected in the first place. I would submit that you've lost the battle as soon as the ad/mal/ransomware is installed on one of your devices regardless of how good or bad your underlying security model is.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    22. Re:Malware by Anonymous Coward · · Score: 0

      For a start, an app like Facebook should only have read-only access to your photos.

      What if I want to save photos posted by a friend to my device? Now Facebook needs write access to the file structure. Do you propose having multiple directory structures and chroot jails for something as simple as photos? With nothing being able to access / except for the OS?

      Why not give individual programs their own Unix-like account? So Facebook can write to some files in the directory, but it only has read access to files owned by another program?

    23. Re:Malware by 0123456 · · Score: 1

      So you're going to use an annoying UAC-like pop-up that will rapidly be ignored by 99.9% of the population because it appears so often as to be nearly useless?

      UAC is useless, because all it tells you is 'Do you want to allow Hello Kitty screensaver to: write to hard disk'. That's it. May be perfectly legitimate, may not. You have absolutely no way of telling what it's actually doing, so clicking 'no' is pointless.

      Whereas if the Facebook app starts asking to write to protected parts of the disk when you're not saving anything, you know something is wrong.

    24. Re:Malware by 0123456 · · Score: 1

      For the same amount of hassle you could instruct them in the necessary steps to avoid getting infected in the first place.

      So, telling them 'no, you can't install Flash to view that Christmas card Auntie Mary sent you' is going to be easy, but telling them not to click yes when 'Foobook app wants to write to /etc/hosts' isn't?

    25. Re:Malware by 0123456 · · Score: 1

      Better is to have a versioned filesystem - each time a file is changed (by any application!) the delta is saved and the filesystem keeps the old data hidden away.

      It's fortunate that disks are infinitely large, so the malware can't just overwrite the files multiple times until the filesystem deletes the plaintext versions.

    26. Re: Malware by Anonymous Coward · · Score: 0

      wtf does bitcoin even have to do with this?

    27. Re:Malware by iluvcapra · · Score: 1

      What if I want to save photos posted by a friend to my device?

      On later versions of Mac OS X with entitlements, when you get a "Save File" dialogue, the window itself is running in a separate process from the app that called it and communicates with the client over IPC, so the client never actually is able to see the filesystem. When the user picks a save location, the window process hands an NSURL object back to the client, but this NSURL doesn't actually contain a valid file:/// url, it contains a persistent token allowing the recipient access to the one location, and the URL loading system (in the system's process domain) does the job of translating. The client can use the URL object as if it were an actual path to a local file or directory, but it can't actually split it into folder components, or jump up a level and walk directories, or anything else.

      This is a way of doing it, it breaks other things you might want to do, like if you were writing an app that indexed files, but it works for a lot of the simple situations you describe. On iOS "photos" are a special case themselves and interacting with the photo management system is all handled with IPC over interfaces that are filesystem-ignorant; data sharing between iOS apps can only happen with predefined datatypes and through code interfaces, not the filesystem. It works, at the cost of keeping the actual filesystem sorta mysterious, but the filesystem on a cellphone should just be an implementation detail.

      --
      Don't blame me, I voted for Baltar.
    28. Re:Malware by CaptainDork · · Score: 1

      I am interested in this because I just recently opted out of LTO tape backup for external USB hard drives. For 19 years, I have changed out the tapes/drives myself and taken them home with me every day excluding holidays and stuff.

      When the fire alarm goes off, I grab the backups and run. When we evac for hurricanes, I grab the backups and run.

      Obviously, this scheme doesn't protect the Firm directly from something like CryptoWall 2.0, but I switched to external USB drives for one main reason:

      Should the building pancake or should the sprinklers go off (inject disaster here), with LTO, I'd have to purchase a compatible drive before getting started on restoring.

      I did, back when Moby Dick was a minnow, have to do a disaster recovery with pre-LTO tapes and the new drive and old tape were not quite in synchronicity and I had to buy a surplus tape drive to get things back up.

      Just addressing the LTO/USB drive (with daily offsite): Do you see a problem with that?

      Thank you.

      --
      It little behooves the best of us to comment on the rest of us.
    29. Re:Malware by johanwanderer · · Score: 1

      don't allow your users to be admins on their local machines,

      Ding ding ding ding ding... whenever anyone comes to me for malware-related help with Windows, I make sure that they no longer have admin privileges before I let them back in. Create a separate local admin account for them if necessary, but their everyday web-surfing and mail-reading account should not need admin privileges.

    30. Re:Malware by cras · · Score: 1

      Maybe then we'll get proper application whitelisting / sandboxing by default in a desktop OS. And, hell, why do applications get the run of every file I use under my account? Should they not have to request such things first? Even on Unix-likes, if you get on as my user, you can trash all my data - why?

      The answer is functionality. Let's consider the example of Android, an OS with a fairly recent security model, built on top of Linux which provides for chroot. Why not put apps into their own chroot jail by default? Seems like a good idea, right? How do you explain to Grandma why she can't upload photos from her camera's image gallery to Facebook? Oh, you'll solve that problem by putting the photos in a public directory? Okay, that eliminates the functionality concern, but now you're right back where you started with exposure to ransomware....

      Not necessarily. This can be solved by having a standard privileged file open/save dialog that grants the access automatically to apps based on user input. Of course that limits the UI designs in some ways.. I wrote some ideas 11 years ago about how something like this could be done. Partially obsolete nowadays though but still could be doable (except for the web browser parts - web security seems to be a lost cause already). Perhaps once these kinds of worse malware start happening people would finally implement a more secure desktop. There's no reason why I shouldn't be able to easily run whatever program I want without it breaking my computer.

    31. Re:Malware by mlts · · Score: 1

      The days of tapes not being in sync (as in the Travan era) are long since gone. LTO tapes are quite stable, even more so than DLT, and a lot better than 8mm or 4mm when it comes to hard errors. Tape got a bad name back in the 1990s when 8mm drives were common and had a fairly high failure rate, mainly because it was designed as a video format, not for data.

      Both external USB hard drives and tape have advantages and disadvantages. With tape, I can set the cartridge read only, and if there is malware on the machine I'm restoring to, the tape will not be affected. On the other hand, USB drives could get easily nuked, especially if they are encrypted [1].

      Tape has its place. If some company could make a decently reliable tape drive for around a grand, they would make a lot of money. The days of the 8mm and 4mm horror stories are over two decades behind us, and as threats like malware grow that are set up to nail backups, having a tape drive that can do WORM in hardware can save a business.

      [1]: Encryption goes without saying on removable media. However, with encryption comes easier data loss. A format on BitLocker encrypted media will overwrite the areas on the drive holding the volume keys, pretty much ensuring the data won't be able to be decrypted.

    32. Re:Malware by nbritton · · Score: 1

      Should they not have to request such things first? Even on Unix-likes, if you get on as my user, you can trash all my data - why? Why is the data store not immutable and applications only get a link to the data IF they are allowed access to it?

      i.e. SELinux

    33. Re:Malware by Anonymous Coward · · Score: 0

      I don't know who you are. I don't know what you want. If you are looking for ransom, I can tell you I don't have money. But what I do have are a very particular set of skills, skills I have acquired over a very long career. Skills that make me a nightmare for people like you. If you decrypt my data now, that'll be the end of it. I will not look for you, I will not pursue you. But if you don't, I will look for you, I will find you, and I will kill you.

    34. Re:Malware by Anonymous Coward · · Score: 0

      This is what happens in Neal Stephenson's Reamde. I'd recommend it.

  3. Avoid x86 hardware. by Anonymous Coward · · Score: 1

    I shall stay on my quad G5 under Linux for the time being. The market is too small for them to try to attack my machine.
    Why didn't people realize that a single monoculture of CPU architecture (x86 in this case) would simplify the job of these guys. I've been clamoring against x86 monoculture ever since Apple became just another resale channel for Wintel clone hardware.
    Monoculture is bad, it has always been bad and will always be.

    1. Re:Avoid x86 hardware. by jythie · · Score: 1

      Not sure why this got modded so badly, the AC makes a good point. Though it is becoming less of one over the years.

      CPU monocultures did make attacks easier, and it is a shame alternatives are getting further and further out of the reach of the average (in terms of pocketbook) users. On the other hand, increasingly attacks do not depend on the underlying hardware and instead the layers on top of it, which depends on having a whole different stack all the way up and down in order to stop them.

      In the end though, 'sheep buffers' are not really a solution. They can help a small number of people, which in our cult of individual culture is appealing to many, but it does not really address the systemic issue.

  4. Another good reason to: by Anonymous Coward · · Score: 0

    - Disable, or at least require permission, for Flash
    - Backup your backup to an offline, offsite location.

    Not running Windows as the answer is not an option for most of us.
    This seems like it could be a much larger threat to businesses than individuals.
    But the 32/64 bit detection seems trivial. Why was it even mentioned? Makes me question the seriousness of the whole thing.
    I'm assuming cloud based backup solutions can't be accessed by it, is that true?

    1. Re:Another good reason to: by mlts · · Score: 1

      Another lesson is to use virtual machines when possible. An infected VM is a lot less of a hassle to deal with than an infected physical box, especially if snapshots are used [1].

      For personal use, I wonder about moving to a NAS and two ESXi nodes. Browsing using RDP is just as fast as a local Web browser, and if configured right, none of the stuff in the VMs would have access to the NAS itself, which helps isolate damage to just that VM itself. As for "real" backups, plugging an external drive to the NAS, copying the VMs after suspending them, and unmounting the external drive should do the trick.

      [1]: Snapshots are not backups, but they do have their place.

  5. Cyptowall is very sophisticated by Anonymous Coward · · Score: 5, Insightful

    The best protection is to pull your backups not push. You have whatever is performing your backups connect into the machine, and then pull the backups, not having your machine being backed up connecting to the destination and pushing. That way, the machine can be compromised but it has no clue that it's even being backed up (since it's simply a share that's being used.) When you use a usb drive, you'll be safe, until someone plugs it into that machine not knowing that as soon as they do, it will begin encrypting what's accessible on that usb drive. I always try to backup from outside of the context of what is being backed up. If it's a VM, I backup from the host, not from inside of the VM I need the data from. If it's a storage end point, I don't back up the files, I snapshot the volumes.

    It isn't always possible to do it that way, but doing it that way has saved my backside more than a few times.
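    The pull-and-freeze scheme this comment describes, as an added shell example that is not part of the original post or thread: the backup host walks the source tree itself, keeps hard-linked snapshots in a store the source never mounts, and sets each finished snapshot read-only. SRC and STORE are assumed placeholder paths supplied by the caller; the demo data is constructed.

```shell
#!/bin/sh
# Pull-based snapshot backup, constructed for this example (not from the
# thread or any product). The backup host runs it and reads the source
# tree; the source machine holds no credentials for, and no mount of,
# STORE, so an encryptor running on the source cannot touch what has
# already been captured.
# Assumed layout: SRC is the tree being backed up (in real use a path the
# backup host reaches over SSH/NFS/SMB), STORE a local directory here.
set -eu

SRC="${SRC:-}"
STORE="${STORE:-}"

# Newest existing snapshot directory, or empty if there is none yet.
# Labels must sort chronologically (a timestamp does).
latest_snapshot() {
    last=""
    for d in "$STORE"/snap-*; do
        if [ -d "$d" ]; then last="$d"; fi
    done
    printf '%s\n' "$last"
}

# Take snapshot LABEL. Files unchanged since the previous snapshot are
# hard-linked to it, so every snapshot is a complete tree but only the
# delta costs space. Prints the new snapshot path.
take_snapshot() {
    label="$1"
    prev=$(latest_snapshot)
    dest="$STORE/snap-$label"
    mkdir -p "$dest"
    # The backup host does the walking; nothing here is initiated by SRC.
    (cd "$SRC" && find . -type f) | while IFS= read -r f; do
        mkdir -p "$dest/$(dirname "$f")"
        if [ -n "$prev" ] && [ -f "$prev/$f" ] && cmp -s "$SRC/$f" "$prev/$f"
        then
            ln "$prev/$f" "$dest/$f"     # unchanged: share the inode
        else
            cp -p "$SRC/$f" "$dest/$f"   # new or changed: store the delta
        fi
    done
    # Freeze the finished snapshot. Later snapshots only link into it;
    # nothing writes here again. (Mode bits do not bind root, so run the
    # backup job as an unprivileged account on the backup host.)
    chmod -R a-w "$dest"
    printf '%s\n' "$dest"
}

# How many snapshots the store currently holds.
snapshot_count() {
    n=0
    for d in "$STORE"/snap-*; do
        if [ -d "$d" ]; then n=$((n + 1)); fi
    done
    printf '%s\n' "$n"
}

# Print FILE (path relative to SRC, as listed by find) as captured in
# snapshot LABEL, so a clean copy can be pulled back after the live one
# has been rewritten.
restore_file() {
    cat "$STORE/snap-$1/$2"
}

# Constructed demonstration: two snapshots around a rewrite of one file.
demo() {
    SRC=$(mktemp -d)
    STORE=$(mktemp -d)
    mkdir -p "$SRC/docs"
    printf 'quarterly report\n' > "$SRC/docs/report.txt"
    printf 'photo bytes\n' > "$SRC/cat.jpg"
    take_snapshot 20150101-0300 >/dev/null
    # Stand-in for an encryptor rewriting a file on the live tree.
    printf 'unreadable ciphertext\n' > "$SRC/docs/report.txt"
    take_snapshot 20150102-0300 >/dev/null
    echo "snapshots held: $(snapshot_count)"
    echo "live copy:      $(cat "$SRC/docs/report.txt")"
    echo "from day 1:     $(restore_file 20150101-0300 ./docs/report.txt)"
    # cat.jpg never changed, so both snapshots share a single inode for it.
    ls -li "$STORE"/snap-*/cat.jpg
}

demo
```

    Pruning old snapshots by count alone lets a long-running encryptor push every clean copy out of the store; prune by age and keep at least one snapshot older than the detection window.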

  6. Re:Malware preventative measure by Technician · · Score: 2

    In reading TFA, a prevention may be to add the Tor list into your hosts file so it can't download a Tor client to continue. Adding the list to your router blacklist can keep it out of reach of the malware, so it can't bypass the block.

    In the arms race this is effective on the current version. An update may have a new list of Tor download locations.

    Not sure if blocking TOR at the router is possible or effective.

    --
    The truth shall set you free!
  7. So how are these spread? by gstoddart · · Score: 3, Insightful

    How is this crap spread?

    Can I laugh at the people who have Flash enabled and let arbitrary sites run javascript? Or does this spread through some other vectors I don't know about?

    I suspect the problem is the idiots who write websites, who demand your browser run in the most insecure possible configuration so you can see their ads and other shit they've hidden behind code which needs to run on your browser.

    And I've always said I'm not willing to run my browser wide open just to make web sites work, because these things have been security holes for years.

    Browsers need to be a whole lot less trusting, and not default to just running any old thing which comes along. And certainly stop trusting scripts from 3rd parties and running whatever crap pile of Flash comes along.

    Unfortunately, users are used to seeing pages which give you detailed directions for re-enabling javascript and cookies.

    So to all you web developers out there who have ever written that page ... fuck you, you slimy bastard. It's partly your fault the internet is a shit hole.

    --
    Lost at C:>. Found at C.
    1. Re:So how are these spread? by njnnja · · Score: 1

      Although developers encourage this kind of thing by using flash and requiring javascript to display content, there is plenty of blame for users too. Heaven forbid a page might refresh! Users are demanding that websites look and feel like native applications, and the way to do that is to run things client side, like a native application does. Users want shiny shiny, regardless of the problems it causes.

    2. Re:So how are these spread? by Anonymous Coward · · Score: 0

      Is this your home computer? If you work for someone it can't be of a sizable user base. Try turning all that stuff off with about 200+ employees. I'd never get off the phone and trust me they never "get it".

    3. Re:So how are these spread? by Anonymous Coward · · Score: 0

      You must be a web dev too. Anyone with real networking experience will know IP address range and port scanning can be done on anything connected to the Net - anything, including your fucking fridge.

      Flash is a simple vector, blame Macromedia/Adobe for its flaws, and Oracle/Sun for the Java-fsck-fest. MS are the biggest culprits, though. For several decades they've had broken OSes that allow trivial privilege escalation that was pretty much fixed in the 1970s.

    4. Re:So how are these spread? by kriston · · Score: 1

      In a case I was recently troubleshooting, the vector was an advertisement popup that asked the user to click to download and install an Adobe Flash Player update.

      The user downloads it and runs it. Then it runs quietly in the background with the same privileges as the current user.

      I feel the need to reiterate here that Cryptowall does NOT require privilege escalation. If you happen to be a local administrator it will ask for it so it is able to delete shadow copies and Restore Points, but it does not need any extra privileges to encrypt your data and thus accomplish most of its aims.

      --

      Kriston

    5. Re: So how are these spread? by Anonymous Coward · · Score: 0

      two routes, whitelist or blacklist. blacklist is probably the way to go. whitelist if you want to lock them down more.

  8. Re:Malware preventative measure by Anonymous Coward · · Score: 2, Interesting

    In reading TFA, having an executable called VBoxService.exe or vmtoolsd.exe seems like a surefire way to have it skip right over you, as it thinks you're running inside a VM.

  9. Use its cleverness against it by Anonymous Coward · · Score: 0

    Do all your surfing on a VM. It will detect that it's running in a VM and do nothing.

  10. One more reason to get away from Windows by Guybrush_T · · Score: 0, Troll

    Using windows is currently a real nightmare for the average guy. Most of the computers of un-computer-educated people I know are full of malware and adware.

    At some point it was seen as a fatality. iOS and Android just showed people that it was not. That's why Microsoft Windows is (finally) dying. Ransomware may be the thing that will decide people to finally switch to something else.

    And maybe 2015 will be the year of linux on the desktop :-)

    1. Re:One more reason to get away from Windows by Anonymous Coward · · Score: 0

      And as soon as something else is a 900 pound gorilla people will attack it. Windows may be an easy target for now, but once you take that away people will just find other ways.

    2. Re:One more reason to get away from Windows by Opportunist · · Score: 5, Informative

      Crypto$shit isn't something that can only run on Windows. The main reason why Windows is being attacked is the same as why most software is made for it: its market share. If Linux had a market share of 90% (or however ludicrously high the share of that system still is), Linux would be the target. For exactly the same reason: It's where the money is. Why bother trying to infect 5% of the computers when you can go and try to infect 90% thereof?

      Next, they abuse the flaw in a third party product, something MS cannot even mitigate if they wanted to. If you want to be mad at someone, be mad at Adobe, they're the one that produced that abominable turdfest called Flash. You think Flash is any more secure on Linux than it is on Windows? Think again. Why would Adobe put more brainpower behind the security of their A-league product on a minor platform than they do for the main platform?

      Better security in Linux, you say? Tighter control of permissions? Bzzzzt, nope, doesn't apply. What makes Crypto$shit so dangerous is exactly that it does not need any kind of elevated permissions. It does not want to touch any "system" areas, all it does is execute in the user context and encrypt files in the user's directory. That is something you can do on Linux with the permissions of the current user just as well as you can do it in Windows.

      And yes, I'm aware of the various "hardening" strategies that you can employ to make such an attack harder on Linux. ALL of them work as well on Windows. Ok, maybe not in every version of Windows because MS in their never ending wisdom thought security is for Enterprises only, hence the key security features are not available in their Home editions... but even for the "Homes" there is a way to do it. Very inconvenient and quite tricky to pull off, just like most would be in a Linux environment. Yes, it's possible. No, it ain't something Joe Randomsurfer would or even could do.

      So no. This time the "Windows sux" club does not strike. I wish for the best and I hope for less market share for that Moloch too, but this time they are not the ones to blame. If anyone is, try Adobe and them STILL NOT getting a grip on Flash security.

      It ain't like this is the first time that turd has been the attack vector, ya know...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:One more reason to get away from Windows by Guybrush_T · · Score: 1

      Well, after reading the article again, indeed that could work on Linux. I thought there were Windows vulnerabilities in the mix, but it turns out I read that wrong.

      That said, I think that malware/adware is a major attack vector. And Linux/Android/iOS do not fear adware because applications are reviewed and controlled. Of course, you can always have a vulnerability in the Linux packages / Android Apps, but it makes things much harder and especially for the average guy's PC.

      But true, for that special case, linux could as well be a target.

    4. Re:One more reason to get away from Windows by Anonymous Coward · · Score: 0

      Well, it's a Trojan horse, and if I read this correctly, is one where the user has to actively run it... the OS used doesn't fix brain bugs.

      Scary are the security problems which are more invisible to the user.

    5. Re: One more reason to get away from Windows by Anonymous Coward · · Score: 0

      it could be a target, but it's not ;)

    6. Re:One more reason to get away from Windows by Anonymous Coward · · Score: 0

      It does not want to touch any "system" areas, all it does is execute in the user context and encrypt files in the user's directory. That is something you can do on Linux with the permissions of the current user just as well as you can do it in Windows.

      SELinux aside (which can make the above a lot harder), judicious use of non-user accounts and setuid bits on the applications can make encrypting a file as the current user impossible, unless the current user is running an encryption program which runs (via setuid) as the owner of the file. Hardly anyone makes good use of Linux/Unix's permissions structure (let alone what's possible with SELinux).

      Hell, even just using chattr(1) to make a file immutable or append-only would prevent this.

    7. Re:One more reason to get away from Windows by Anonymous Coward · · Score: 0

      The main reason why Windows is being attacked is the same why the most software is made for it: Its market share. If Linux had a market share of 90% (or however ludicrously high the share of that system still is), Linux would be the target.

      Error: this malware only supports systemd/linux

    8. Re:One more reason to get away from Windows by Anonymous Coward · · Score: 0

      Being a member of an undesirable minority is no bad thing, of course it would be very easy to deploy such a piece of malware to hit linux systems, a bit of social engineering and it could be integrated with popular software on a PPA (stupid question, but do scripts within deb files execute with root privileges?), or even some crapware on steam, but anyway, just because it's possible to attack linux doesn't mean they'll bother doing so for the time being, so being a beardy hermit with no friends is at least safer than running windows.

    9. Re:One more reason to get away from Windows by Opportunist · · Score: 1

      You may rest assured that Adobe does indeed review its software before releasing it, just that security takes a back seat to feature creep and "ohh shiny". That's just as true for Android and iOS soft. Or do you think Google or Apple does a thorough security audit for every kind of software in their store?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    10. Re:One more reason to get away from Windows by rdnetto · · Score: 1

      Better security in Linux, you say? Tighter control of permissions? Bzzzzt, nope, doesn't apply. What makes Crypto$shit so dangerous is exactly that it does not need any kind of elevated permissions. It does not want to touch any "system" areas, all it does is execute in the user context and encrypt files in the user's directory. That is something you can do on Linux with the permissions of the current user just as well as you can do it in Windows.

      Btrfs snapshots would have defended against this sort of attack effectively - they provide incremental backups that can only be deleted by root. It's trivially easy to set up a cron job to perform a daily snapshot of /home - I did so a while back and just found I'd accumulated a year's worth of snapshots. Admittedly, this isn't something the average user would have set up, but given that there are already distros which automatically snapshot the root fs before installing updates, it's not a huge stretch to say it could be added to a noob-friendly distro.

      While Windows does have various mechanisms for creating backups, I'm not aware of anything equivalent to btrfs on it (incremental backups, takes less than a second to create the backup/snapshot).

      --
      Most human behaviour can be explained in terms of identity.
  11. Backup, backup, backup by Anonymous Coward · · Score: 0

    Having a proper backup solution installed and running would protect you from this type of exploit as you could simply restore from backup.

    1. Re:Backup, backup, backup by jythie · · Score: 1

      Part of the problem is that the software is getting clever enough to detect backups and goes after them too. Putting in a pull backup can help, but is more complex and costly, not to mention another vector that the writers could potentially take advantage of anyway.

      It is a pity tape has become so expensive since that was a great way to handle offline backups in a very user friendly way.

    2. Re:Backup, backup, backup by Anonymous Coward · · Score: 0

      Tape is cheap!! I paid $49 for a LTO-3 tape drive and an Adaptec PCI-e scsi card. LTO-3 tapes are running $10 apiece. Plug a tape in before I go to work, take it out when I get home. I loved to see how CryptoWall would encrypt a tape sitting in my desk. People used to laugh at me for using tapes, now not so much

    3. Re:Backup, backup, backup by jythie · · Score: 1

      Yeah, but the drives are really pricey, esp since most consumers tend to want things new rather than second hand.

  12. How to prevent it from ruining my backups by hackertourist · · Score: 2

    My backups are done on a USB hard disk that's connected to the media server on my home network. Switch the HD on, and it'll appear and backups can be made.

    How can I prevent malware from changing my backups? Would it be possible/effective to mount the drive as write-only, making it impossible to change existing files?

    1. Re:How to prevent it from ruining my backups by crunchy_one · · Score: 1

      Would it be possible/effective to mount the drive as write-only, making it impossible to change existing files?

      Given the type of backup you are performing (a "push"), there is nothing you can do to prevent an active infection from destroying your backups while the HD is mounted. In theory, a backup to a blind drop may provide some protection, but there is no backup solution that I am aware of that will work without read access to at least its own metadata. Perhaps a developer opportunity?

    2. Re:How to prevent it from ruining my backups by Anonymous Coward · · Score: 0

      How can I prevent malware from changing my backups?

      By having backups on storage devices that malware can never access (ie: storage devices that are never directly attached to a potentially compromised machine). Use a second machine (aka: backup server) that pulls files (via SCP or whatnot) from the source machine. Never perform activities on the backup server that could lead to it becoming compromised with malware.

    3. Re:How to prevent it from ruining my backups by Anonymous Coward · · Score: 0

      Once a machine is compromised, you can't control what that machine does - there may not be any way to extract valid data from it. (Imagine, for example that instead of ransomware, it was a directly destructive payload.)

      A secondary trusted machine may be able to analyze the backups and detect some forms of tampering.

    4. Re:How to prevent it from ruining my backups by rHBa · · Score: 1, Redundant

      As mentioned above, you need a PULL backup solution so the back-up is done by a remote server logging into your machine and taking copies of the files that need to be backed up rather than your machine connecting to a remote server and sending the files. That way your computer has no knowledge of where its backups are stored so cryptowall won't be able to find them either.

      In a Linux or Mac environment this would be simple to set up with common tools. You could write a sample BASH script that runs daily on the remote backup server, using SSHFS to mount the target computer's file system and then use backup2l to make incremental backups of the appropriate directories which are saved on the backup file system.

      This should work for Windows clients as well but you'd have to install an ssh daemon on the machine or use unencrypted Telnet.

    5. Re:How to prevent it from ruining my backups by Anonymous Coward · · Score: 0

      Backup tapes that spin in only one direction?

    6. Re:How to prevent it from ruining my backups by Anonymous Coward · · Score: 0

      NICs since at least 2012 have FW loaded at OS boot (probably longer, but I stopped following this a while ago), that FW can contain malware. The theoretic exploit was first published in the early 1990s for my security level, so it probably existed well before then; but network cards hadn't fallen for the win-modem cost cutting manufacturing exercise generally, so it wasn't an issue. Today, though, they all seem to do it.

    7. Re:How to prevent it from ruining my backups by Rashdot · · Score: 1

      I believe that they leave executable files alone, so maybe it's as simple as adding ".exe" to all your backup files? And removing any double ".exe" strings when retrieving?

      --
      This is not the sig you're looking for.
  13. Fake the VM by L. J. Beauregard · · Score: 1, Interesting

    It's detecting the guest services, rather than the VM as such. VirtualBox at least will be no defense unless you run the guest services. OTOH, a fake guest service should defeat Cryptowall. Create a service named "VBoxService.exe" or "vmtoolsd.exe" which does nothing.

    --
    Ooh, moderator points! Five more idjits go to Minus One Hell!
    Delendae sunt RIAA, MPAA et Windoze
    1. Re:Fake the VM by Whorhay · · Score: 1

      Virtual Box is still a form of defense because you've hopefully got snapshots of the system state and in the event that the malware does execute, you can just restore your snapshot. That is so long as you are using a virtual machine and it is the VM that ends up infected with the malware.

    2. Re:Fake the VM by Knightman · · Score: 2

      In other words:
      copy notepad.exe VBoxService.exe
      Add VBoxService.exe to your autostart folder.

      1 minute fix to mitigate the risk a bit.

      --
      --- Reality doesn't care about your opinions, it happens anyway and if you are in the way you'll get squished.
    3. Re:Fake the VM by Opportunist · · Score: 2

      I was thinking along those lines. If it protects itself by refusing to run in certain environments, maybe we could protect ourselves by giving it the idea that it does.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Fake the VM by Anonymous Coward · · Score: 0

      Malware can now break out of VMs. Whether it's down to buggy code or deliberate obfuscated bug (added as backdoors for national security agencies), doesn't matter. The exploits are known and in use, even to point and click bot controllers.

    5. Re:Fake the VM by Anonymous Coward · · Score: 0

      You sir are a mastermind! In all the years of writing code (including services) it never occurred to me to create a dummy service that doesn't actually do anything but sleep. I'd want a real service rather than an auto-started EXE just in case V3 of the malware decides to take that extra step of enumerating Win32_Service rather than string comparing process names.

    6. Re:Fake the VM by paj1234 · · Score: 1

      That has been discussed in the comments of the original article. Apparently that idea won't work.

  14. Versioning by jd142 · · Score: 4, Interesting

    A lot of people have been talking about backups and the fact that even your backups can be compromised. And that's true. The solution is versioning and rotation. If I'm compromised today, the files on Crashplan will be uploaded as encrypted files. But since they have versioning, I can go back 30 days or so and get the older versions. I may lose some data depending on how long I've been infected, but I'll be able to get some data back. The only other solution is to run a daily/weekly/monthly backup scheme that keeps your monthly backups for a year (or longer if you are really paranoid). It means you need 5 separate disks for each week and then another 12 for each month, which most people aren't going to want to do. Eventually the ransomware people will get patient and encrypt your files but allow access for 3-6 months before telling you.

    1. Re:Versioning by Pichu0102 · · Score: 3, Insightful

      This works until you realize the ransomware could go into your Crashplan settings and turn off versioning and keeping deleted files.

    2. Re:Versioning by error_logic · · Score: 2

      Unless it requires two-factor confirmation to change settings, like a verification code sent by text message.

    3. Re: Versioning by iluvcapra · · Score: 1

      How are they going to authenticate to modify my cloud backup services, without my passwords?

      I mean, in theory, once Cryptowall hits my machine, they could send 100 ninjas to destroy all of my DLTs...

      --
      Don't blame me, I voted for Baltar.
    4. Re:Versioning by phorm · · Score: 1

      Yeah, I don't change stuff *that* much, but I'd probably be pissed if something got into my media library - with years worth of music, documents, etc - or my code repository.
      I dump important stuff to my server, which I only mount on demand. *IF* something managed to kill files while the mountpoint was active, most stuff could be recovered from the monthly rsync to a removable drive, or for the code repository, files that are kept on an external host.

    5. Re: Versioning by Pichu0102 · · Score: 2

      I can confirm it does not.

    6. Re: Versioning by Pichu0102 · · Score: 3, Insightful

      In theory, it could stop the Crashplan service, manually edit your backup set settings to have no versioning, and no deleted file keeping, restart the Crashplan service, and let it run through and prune all the files it thinks it should be pruning, then encrypt your files, let it back them up, and Crashplan dutifully prunes the old versions like the hijacked config file says to.

    7. Re:Versioning by CaptainDork · · Score: 1

      This.

      I change the backup media every day and take it home with me. At one site, I have thirty (3) external USB drives.

      At another, I can only keep two weeks of daily backup to take offsite. It's a law firm and I have schooled them that we are not bound by law to retain lots of stuff, but we are bound by law to give up anything we have.

      --
      It little behooves the best of us to comment on the rest of us.
    8. Re:Versioning by chispito · · Score: 1

      Eventually the ransomware people will get patient and encrypt your files but allow access for 3-6 months before telling you.

      That isn't quite how this ransomware works. It isn't encrypting and decrypting your files on the fly, it encrypts your files so you can't use them. What you're suggesting is much more complex and opens up many more opportunities for defeating the malware--for instance, the decryption key would have to be stored on the infected machine.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
  15. "True" virtualization by davidwr · · Score: 1

    There is a place in research labs for "true" virtualization/emulation, where a particular hardware environment is virtualized/emulated right down to the timing characteristics of the hardware it's pretending to be.

    Obviously you can't do this with stock hardware - you'll probably have to use supercomputer-type hardware and do large chunks of it in an emulator but in principle and maybe in practice we should be able to emulate at least a few mid-2000s motherboard/CPU/typical-other-hardware setups well enough to fool any software running on them.

    The hard part will be doing all of the timing right while running the emulated clock at real-time speed rather than some slowed-down or other fake-time speed. If the timing isn't precisely right, when the evil software connects to its C&C and checks the "real world clock" it will know something is fishy if the emulation environment's clock isn't running at real time.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:"True" virtualization by leaen · · Score: 1

      There is a place in research labs for "true" virtualization/emulation, where a particular hardware environment is virtualized/emulated right down to the timing characteristics of the hardware it's pretending to be.

      But ransomware authors are not interested in that. As in previous story they do price gouging how much you are willing to pay. As they won't get a penny from a VM they do not bother with these.

  16. Corrupted backups can be rescued by davidwr · · Score: 1

    Assuming a Windows shop with a Windows server holding the online backups, the worst that any client-side app can do is corrupt the current version of the networked backup. It can't delete the shadow copies. Oh, I suppose it could try to fill up the disk so the earlier non-corrupted shadow copies get purged, but it can't outright delete them unless it infects the server first (or otherwise gets admin access to the server).

    It also can't touch existing tape or other offline server backups from an infected desktop/laptop.

    In other words, if the server is being managed well, the worst that malware on an end-user device can do is obliterate anything that hasn't made its way to an offline backup, and it will be very difficult to obliterate server-side shadow copies.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Corrupted backups can be rescued by jandrese · · Score: 1

      Cryptowall specifically overwrites all shadow copies of files.

      --

      I read the internet for the articles.
    2. Re:Corrupted backups can be rescued by bloodhawk · · Score: 1

      It deletes LOCAL VSS copies. He is talking about server based VSS, which if you have turned on would indeed give you a good recovery option.

    3. Re:Corrupted backups can be rescued by pwizard2 · · Score: 1

      Not always. I'm not sure if the Cryptowall authors are just incompetent, but it sometimes leaves the shadow copies intact. A user at work was hit with Cryptowall last year. There were no backups at that time, but I managed to recover nearly everything from shadow copy. Oddly, the malware also jumped to one of the shares, but left most of them untouched.

      --
      "It is a denial of justice not to stretch out a helping hand to the fallen; that is the common right of humanity."
  17. Pull vs Push backup solution? by ehud42 · · Score: 1

    I suspect most backup software on the computer pushes the backups to a network share somewhere that I suspect these ransomware packages go looking for and encrypt those files as well.

    What if the backup system was remote and pulled the data from a network share on the client. If the client is infected, the infection cannot get to the backup file locations because they are not shared.

    I realize this is not trivial for average users to set up, but I'm exploring this option for my home network. Set up a NAS-type server that looks for read-only network shares accessible to userid BACKUP and slurps up any files it finds. Have it keep some kind of version control of a few days (multiple copies). Now when any new system is set up in my house (kid's laptops, wife's desktop, etc) I just have them create a read-only share of their personal folders with a userid BACKUP and appropriate password.

    Thoughts?

    --
    I'm in my right mind and I have the answer to everything!
  18. Windows only? by txoutback · · Score: 1

    Does the ransomware only work on Windows machines, or can it also affect *NIX/Mac/Android operating systems?

    1. Re:Windows only? by Anonymous Coward · · Score: 0

      Yes, it's Windows only. Of course, the articles never mention this important fact.

    2. Re:Windows only? by mlts · · Score: 1

      Right now, Windows... but I wouldn't be surprised to see it on OS X and UNIX operating systems since it would be quite easy to write. It would be simple to write a shell script that fetched a public key from key servers, did a find command, passed the output to PGP or gpg to encrypt files, then wiped the old .doc files.

      At least with UNIX, there are programs like amanda and bacula which can be used in client/server mode so that malware on a client can't touch the backup server and its data.

    3. Re:Windows only? by Anonymous Coward · · Score: 0

      Also easily defeated in any number of ways.

      First, .doc files? Who on Unix/Linux uses those? More likely .odt files. So let's assume the malware, running as you, tries to encrypt your .odt files. If you've done something smart like make OpenOffice/LibreOffice/whatever setuid to user "office" and all the .odt files writable only by user "office", then you can still edit them to your heart's content but the malware won't easily be able to touch them. (Okay, there are a few more subtle details to this -- directory permissions and such -- but that's the idea.)

      Of course even most Linux users (and distros) don't set things up this way -- but they could.

    4. Re:Windows only? by Anonymous Coward · · Score: 0

      >the articles never mention this important fact.
      But it kinda does.

    5. Re:Windows only? by mlts · · Score: 1

      SGID is one way, but there are other ways to separate programs. Docker and containers come to mind. Of course, there will need to be a mechanism that allows a user to move/copy/link a file between the *Office and MUA containers, but that can be easily dealt with.

  19. single purpose device, key by raymorris · · Score: 4, Informative

    We use two strategies. First, the backup device is ONLY a backup device. It doesn't have a web browser and it's not used for email. We use very large servers to backup our customer data, but on a small scale you could use a Raspberry Pi, an old router with OpenWRT, or a smart NAS. Because the device handling backups has no desktop or services, it shouldn't get infected. Access is strictly limited - either console only or strong ssh keys, perhaps through a VPN first. The backup device can be so restricted because it doesn't need to be usable for anything but pulling backups.

    Its access to the machines it backs up can also be extremely limited. The ssh key of the backup device is only allowed to run rsync with pull arguments. So even if the backup device were compromised, it can do no harm.
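One way to pin a backup server's key to "rsync with pull arguments only", as raymorris describes, is an OpenSSH forced command on the machine being backed up. This is an added example, not the poster's own setup: the script path /usr/local/bin/rsync-guard.py and the allowed tree /home/ are assumptions, and the guard checks only the shape of the request, not every rsync option that exists.

```python
#!/usr/bin/env python3
"""Forced-command guard for a pull-backup SSH key.

Added example in the spirit of the post above; not the poster's own setup.
It runs on the machine being backed up.  The backup server's key is pinned
to it in ~/.ssh/authorized_keys (hypothetical script path):

  command="/usr/local/bin/rsync-guard.py",restrict ssh-ed25519 AAAA... backup@backupbox

sshd then ignores whatever the backup server asked to run and starts this
script with the request in SSH_ORIGINAL_COMMAND.  Only an rsync *sender*
invocation confined to ALLOWED_ROOT is executed, so a compromised backup box
can read the tree it is meant to copy but cannot push, delete or run
anything else here.
"""
import os
import shlex
import sys

ALLOWED_ROOT = "/home/"   # assumption: only this tree may be pulled


def is_allowed(cmd: str, allowed_root: str = ALLOWED_ROOT) -> bool:
    """True iff cmd is 'rsync --server --sender <opts> . <abs path>...' with
    every path inside allowed_root and no option that could alter files."""
    try:
        argv = shlex.split(cmd)
    except ValueError:            # unbalanced quotes etc.
        return False
    if len(argv) < 5 or argv[0] != "rsync" or argv[1] != "--server":
        return False
    # Without --sender rsync would be *receiving* data, i.e. the backup
    # server would be writing into this machine.  Refuse that direction.
    if "--sender" not in argv[2:]:
        return False
    # Options that delete/move source files, or name a remote shell, are
    # never needed for a backup pull; a compromised backup box could abuse them.
    if any(a == "-e" or a.startswith(("--remove", "--delete", "--rsh"))
           for a in argv):
        return False
    # rsync's server syntax ends with "." followed by the requested path(s).
    if "." not in argv:
        return False
    paths = argv[argv.index(".") + 1:]
    if not paths:
        return False
    root = os.path.normpath(allowed_root) + "/"
    for p in paths:
        if not p.startswith("/"):          # relative paths are ambiguous: refuse
            return False
        if not (os.path.normpath(p) + "/").startswith(root):
            return False                   # outside the tree, or a ../ trick
    return True


def main() -> int:
    cmd = os.environ.get("SSH_ORIGINAL_COMMAND", "")
    if not is_allowed(cmd):
        sys.stderr.write("rsync-guard: refused %r\n" % cmd)
        return 1
    argv = shlex.split(cmd)
    os.execvp(argv[0], argv)   # replaces this process with rsync; never returns
    return 1                   # unreachable, keeps the signature honest


if __name__ == "__main__":
    sys.exit(main())
```

The backup server then runs an ordinary `rsync -a -e ssh client:/home/ /backups/client/home/`; anything else it tries with that key is logged and refused on the client.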

  20. A pity hard write protect is no longer an option. by Ungrounded Lightning · · Score: 1

    When you use a usb drive, you'll be safe, until someone plugs it into that machine not knowing that as soon as they do, it will begin encrypting what's accessible on that usb drive.

    Disk drives - hard, floppy, etc. - used to have a hardware write protect feature. (Switch, punched-notch, etc.) Set it and there was no way the stored content could be changed. A backup that you'd set would not be vulnerable to rewrite attacks when plugged into an insufficiently-cleaned machine to restore the files.

    Then drives came out where software could override the write protection.

    Then the feature went out of fashion. Drives were apparently a bit cheaper that way.

    A pity.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  21. If it won't run in a Virtual Machine... by dmgxmichael · · Score: 1

    Wouldn't one way to stop it be to fake being a virtual machine? I'm sure that would start a cat & mouse game as they make their VM detection algorithm more sophisticated, but I'm thinking the faking code would be easier to write than the detection code.

  22. Fake the VM by Anonymous Coward · · Score: 0

    It's not looking for virtualized operating systems. It's looking for virtualized application environments such as what you find within acrobat\adobe reader\flash when media files are being viewed. Adobe has, for a number of years, sandboxed their viewers so that malware could not use it as a vector. Now we have malware that is specifically designed to get around these security features.

  23. I wonder about their key generation. 1% of RSA dec by raymorris · · Score: 1

    Around 1% of RSA keys are easily broken, meaning you could decrypt your data without paying the ransom. This is because about 1% of keys are weak in one way or another. I wonder about the key generation function this malware uses. If they are using one of the weaker algorithms to generate keys, many victims may be able to decrypt fairly easily.

  24. Buy a Mac. by Brannon · · Score: 1

    Done.

    1. Re:Buy a Mac. by Anonymous Coward · · Score: 0

      For now.

    2. Re: Buy a Mac. by Anonymous Coward · · Score: 0

      Just don't use Firewire or Thunderbolt ports on your Mac. Simply seal up those ports with epoxy and hope that Lightning isn't next.

  25. Simple Defense? by Anonymous Coward · · Score: 0

    “It’s a pretty simple check looking for a common executable for VMware or (Oracle’s ) VirtualBox,” Carter said. “If it detects either, it assumes it’s in a virtual sandbox and will not execute. At that point, you don’t even have the [Cryptowall] code, just the dropper and not the actual Cryptowall binary that will run.”

    So would a simple defense be to "install" these files and/or registry keys on any system? Or perhaps identifying it as WINE with a registry key would work?

  26. Re:I wonder about their key generation. 1% of RSA by hduff · · Score: 1

    Around 1% of RSA keys are easily broken, meaning you could decrypt your data without paying the ransom. This is because about 1% of keys are weak in one way or another. I wonder about the key generation function this malware uses. If they are using one of the weaker algorithms to generate keys, many victims may be able to decrypt fairly easily.

    Please check with the NSA about this strategy.

    --
    "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
  27. you missed my point by davidwr · · Score: 1

    Cryptowall specifically overwrites all shadow copies of files.

    You missed my point. I was talking about a case where a user's desktop is infected but the user has a network share from a Windows Server mounted, and where the backup files are stored on that share.

    Because it lacks administrative rights to the server, the infected desktop cannot directly erase the shadow copies on the server.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  28. raymorris = "Run, Forrest: RUN!!!" by Anonymous Coward · · Score: 0

    See subject & this -> http://slashdot.org/comments.p...

  29. That's not the purpose for these lab machines by davidwr · · Score: 1

    There is a place in research labs for "true" virtualization/emulation, where a particular hardware environment is virtualized/emulated right down to the timing characteristics of the hardware it's pretending to be.

    But ransomware authors are not interested in that. As in previous story they do price gouging how much you are willing to pay. As they won't get a penny from a VM they do not bother with these.

    One purpose for research-lab "true" virtualizations is to be successful honey-pots, allowing malware to be studied in a captive environment without giving away the fact that it's a captive environment.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:That's not the purpose for these lab machines by leaen · · Score: 1

      One purpose for research-lab "true" virtualizations is to be successful honey-pots, allowing malware to be studied in a captive environment without giving away the fact that it's a captive environment.

      If that were the case, they would add something better than looking for a file, which could be circumvented just by deleting it / not clicking the install service button in VirtualBox.

    2. Re:That's not the purpose for these lab machines by davidwr · · Score: 1

      How do we know there isn't malware out there that is already using very sophisticated means of testing for "am I running on a VM or not"?

      We probably don't know. It would be nice if we did. Short of pure luck, a "true virtualization" honeypot may be the only way to find out.

      --
      Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  30. So how quick is it? by Geeky · · Score: 1

    Does anyone know if it aims to encrypt all your files quickly or over a time period to increase the chance of poisoning backups?

    If the former, one mitigation might be to check file types on the backup? Assuming you do a backup to a different architecture, such as Linux, check file types - is a jpeg really a jpeg? Can it read plain text files? As soon as it finds one it can't, flag it up for investigation. Perhaps have a number of canary files, pull those first each time and compare them to known good copies stored in a non-shared filesystem on the backup machine, halting the backup if the file has changed in any way. It'd be a pain to set up, but once scripted it would all be automatic.

    Question for cryptography gurus - does having a known good file or files increase the feasibility of decrypting? I.e. a file is encrypted. You have an unencrypted copy of it on read only media. Does that increase the chance of finding the keys used to encrypt A, and thus enable you to decrypt other files for which you don't have good copies? Probably not, but thought I'd ask. Apologies if it's a stupid question before I get the piss ripped out of me ;)

    --
    Sigs are so 1990s. No way would I be seen dead with one.
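    The pull-side guard described in the post above, written out as an added example (this is not Geeky's code or anything from the Talos report). It assumes a backup host that keeps reference copies of a few canary files on its own non-shared filesystem, pulls the client's files over a share, and refuses to overwrite the backup set when a canary changed or when a file's content no longer matches its extension. The file names, magic-byte table, and "ciphertext" bytes are constructed sample data.

```python
import hashlib
import string

# Added example of a pull-side backup guard: canary comparison plus a
# "is a .jpg really a JPEG, can it read the .txt?" content check.

# Leading magic bytes for the types this check understands (assumption:
# a document/photo backup; extend the table for other formats).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
TEXT_EXTS = {"txt", "csv", "md", "log"}
PRINTABLE = set(string.printable.encode("ascii"))


def looks_like_text(data: bytes) -> bool:
    """Heuristic 'can it read plain text': valid UTF-8 and almost all printable."""
    if not data:
        return True
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False  # ciphertext almost never decodes as UTF-8
    printable = sum(1 for b in data if b in PRINTABLE or b >= 0x80)
    return printable / len(data) > 0.95


def content_matches_name(name: str, data: bytes) -> bool:
    """Does the content agree with the extension? Unknown types pass."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in MAGIC:
        return any(data.startswith(sig) for sig in MAGIC[ext])
    if ext in TEXT_EXTS:
        return looks_like_text(data)
    return True


def check_file_types(files: dict) -> list:
    """Names in the pulled set whose content contradicts their extension."""
    return sorted(n for n, d in files.items() if not content_matches_name(n, d))


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_canaries(pulled: dict, reference_hashes: dict) -> list:
    """Canaries that are missing from the pull or differ from the reference copy."""
    return sorted(n for n, h in reference_hashes.items()
                  if n not in pulled or sha256(pulled[n]) != h)


def backup_should_halt(pulled: dict, reference_hashes: dict) -> bool:
    """Halt the backup run if any canary changed or any file type is wrong."""
    return bool(check_canaries(pulled, reference_hashes)) or bool(check_file_types(pulled))


# Constructed sample data standing in for files pulled over the share.
CANARY_REFERENCE = {
    "canary/readme.txt": b"canary file, do not edit\n",
    "canary/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
}
# Only the hashes need to live on the backup host's non-shared filesystem.
CANARY_HASHES = {n: sha256(d) for n, d in CANARY_REFERENCE.items()}

CLEAN_PULL = {
    **CANARY_REFERENCE,
    "docs/notes.txt": b"quarterly notes\n",
    "docs/report.pdf": b"%PDF-1.4\n%constructed\n",
}
# Every file replaced by bytes that look like ciphertext (high bytes, not UTF-8).
ENCRYPTED_PULL = {name: bytes(range(128, 256)) for name in CLEAN_PULL}

if __name__ == "__main__":
    for label, pull in (("clean", CLEAN_PULL), ("encrypted", ENCRYPTED_PULL)):
        verdict = "halt" if backup_should_halt(pull, CANARY_HASHES) else "proceed"
        print(label, verdict, check_canaries(pull, CANARY_HASHES), check_file_types(pull))
```

    The canary check is the cheap, decisive signal (pull those first, as the post says); the type check is the broader net for a run where the canaries happen to survive. Both deliberately halt on any mismatch rather than try to be clever, because the cost of a false positive is one investigated backup run, while the cost of a false negative is a poisoned backup set.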
    1. Re:So how quick is it? by partofthepuzzle · · Score: 1

      In the system that I saw infected with CW 2.0, the encryption process seemed to have been relatively slow. The user noticed that something weird was going on, put in a USB flash drive and copied their Documents folder to it. They saved approx half of the 200 or so files before they were encrypted. I think the encryption process on CW 2.0 is just slow, rather than intentionally delayed, but that's just my guess.

      A couple of things to bear in mind: CW 2.0 basically leaves Windows in a normal bootable state. CW 2.0 launches its ransom and warning msgs when you first boot but applications all run as expected. E.g. Word ran fine but of course you get an error message when you try to open a doc. Also, CW 2.0 doesn't need any special permissions or to run as Administrator: it's only accessing the data files available in the context of the user.

    2. Re:So how quick is it? by Swave+An+deBwoner · · Score: 1

      Malware gets changed over time but here's a video from Sophos named "Watch CryptoLocker in action":

      https://www.youtube.com/watch?v=Gz2kmmsMpMI

      Looks like it just encrypts whatever it can right away, not a little today, a little more tomorrow.

  31. VERY GOOD (mine does too & others like it) by Anonymous Coward · · Score: 0

    I populate my custom hosts file via 12 reliable security community sources & articles + posts like yours (thanks) via APK Hosts File Engine 9.0++ 32/64-bit -> http://start64.com/index.php?o... to get more speed, security, reliability online & more (details shown in link as to those benefits specifically are enumerated there in that link).

    * Courtesy "yours truly", 100% free & hosted + recommended by the BEST security team, MalwareBytes, on the planet per this very recent test of efficacy http://www.av-test.org/en/news... on their website here -> http://hosts-file.net/?s=Downl... )

    Enjoy... & kudos to you!

    APK

    P.S.=> "Onwards & UPWARDS"... apk

  32. "Exactamundo"... apk by Anonymous Coward · · Score: 0

    It is more efficient & here's how you can get the best custom hosts there is easily http://it.slashdot.org/comment... from 12 reputable & reliable security community sources via this program of mine:

    APK Hosts File Engine 9.0++ 32/64-bit:

    http://start64.com/index.php?o...

    (Details are there, or in the 1st link above, for what it can do for you for more speed, security, reliability, & even anonymity + more...)

    * To quote Howard Stark from the film "Captain America":

    "It's as strong as steel & a third the weight"

    (Especially vs. browser addons, crippled by default OR owned by advertisers to be so, and in slower heavier messagepassing bound usermode vs. hosts in kernelmode, AND, vs. DNS, using less power, complexity + room for breakdown & slower remote queries by being the 1st default queried by the IP stack itself... complementing DNS by lightening up request loads for admins of them AND fixing their redirect poisoned, DNS amp attacked, & downed issues...)

    APK

    P.S.=> Enjoy... apk

  33. You might find this useful... apk by Anonymous Coward · · Score: 0

    It uses your source + 11 others in the security community http://it.slashdot.org/comment...

    APK

    P.S.=> Good post from you too - nice to see yet another of 100's here alone on this site using custom hosts files for more security, speed, reliability & even anonymity (to an extent only on the latter unfortunately though) online... apk

  34. Y'all seen this? by CaptainDork · · Score: 1

    Please provide your email address [1] and an encrypted file [2] that has been encrypted by CryptoLocker. This portal will then email you a master decryption key along with a download link to our recovery program that can be used together with the master decryption key to repair all encrypted files on your system.

    Found it at this site.

    Reputable security firms Fox-IT and FireEye collaborated on the free DecryptoLocker project, which provides a simple way for CryptoWall victims to recover their files and their privacy.

    Disclaimer: I read this stuff but I know nothing more than that.

    --
    It little behooves the best of us to comment on the rest of us.
  35. There's more in the source article... apk by Anonymous Coward · · Score: 0

    See subject: For specific payload + C&C Servers for cryptowall here -> http://blogs.cisco.com/securit...

    * Enjoy...

    APK

    P.S.=> Gotta love the source articles & the folks producing the data for custom hosts files for blocking these malwares... apk

  36. Cryptoprevent by paj1234 · · Score: 1

    The article says that the malware works by creating temporary .exe files in the folder specified by the %appdata% environment variable. Eg "C:\Documents and Settings\[username]\Application Data". As does numerous other malware.

    FoolishIT's "Cryptoprevent" utility uses Windows' "Software Restriction Policies" to try and stop .exe files from running in the %appdata% location. It is a good idea so for what it's worth, here's the URL: https://www.foolishit.com/vb6-...

  37. ABSOLUTELY: Hosts work here... apk by Anonymous Coward · · Score: 0

    I populate my custom hosts file via 12 reliable security community sources & articles + posts like yours (thanks) via APK Hosts File Engine 9.0++ 32/64-bit -> http://start64.com/index.php?o... to get more speed, security, reliability online & more (details shown in link as to those benefits specifically are enumerated there in that link).

    * Courtesy "yours truly", 100% free & hosted + recommended by the BEST ( MalwareBytes ), on the planet per this very recent test of efficacy http://www.av-test.org/en/news/news-single-view/17-software-packages-in-a-repair-performance-test-after-malware-attacks/ on their website here -> http://hosts-file.net/?s=Downl...

    Enjoy... & kudos to you for having the good sense to use hosts files where they apply (TONS of places for more speed, security, & reliability online) AND your pointing out the article source which has MORE DATA on blocking this malwares' C&C servers etc., here -> http://blogs.cisco.com/securit... specifically/for your & others' reference!

    APK

    P.S.=> IMPORTANT: ANOTHER EXCELLENT SOURCE (vs. CryptoLocker that's FAR MORE COMPREHENSIVE) -> http://garwarner.blogspot.com/... (Gar Warner's excellent - He posts here & did once, hence how I obtained his excellent works' analysis...)... apk

  38. An EXCELLENT SOURCE vs. this... apk by Anonymous Coward · · Score: 0

    See subject: Vs. CryptoLocker - an excellent source (that's FAR MORE COMPREHENSIVE than the list from CISCO I provided from our article here today) -> http://garwarner.blogspot.com/...

    * :)

    Enjoy!

    APK

    P.S.=> On a SIDE note: Gar Warner's (researcher from that blog) an excellent THOROUGH security researcher - He posts here & did once (hence how I obtained his excellent works' analysis, & a HUGE very comprehensive list of CryptoLocker's C&C + infested rigs etc. online)

    ... apk

  39. CryptoCraap by Anonymous Coward · · Score: 0

    OK, take this comment as coming from someone who has little knowledge of how things work. Maybe a half step above JoeSurfer but barely.

    Is there not a way to permanently ban your machine from ever encrypting all or certain files regardless of privileges? Perhaps two factor?

    Is there even a way to get your machine to at least pop a window and ask if you actually want to encrypt all your files? Sometimes I can't even delete a file on my machine myself.

    Is there ANY AV software that can detect Crypto stuff before it actually executes? What about DecryptoLocker?

    Is there anyone in the cyber world that is tracking these people down (personally) and making an example of them? I would like to see what happens when they encrypt a cartel chief's computer. Then we'll see if these people can be tracked down if enough money (and violence) is thrown at it.

    I wonder if anyone at Anonymous has had their files encrypted? I would be interested in seeing that cyber battle.

  40. DNS Server, not hosts by Tenebrousedge · · Score: 1

    Hosts is of dubious efficacy compared to an actual DNS server.

    Advantages:

    • Pattern matching (*.adserver.yahoo.com)
    • Works for all devices on the local network
    • You can use real DNSBLs
    • You can use real DNSWLs
    • You can combine whitelists and blacklists: deny *.yahoo.com; allow mail.yahoo.com
    • You can return NXDomain instead of a possibly-valid IP address
    • It's generally faster and more resource efficient than hosts

    APK is delusional and fundamentally doesn't understand DNS. Don't be APK.

    Hosts by default is cached in memory by Windows, which if you have a huge hosts file is going to eat up a ton of memory. Unless it's paged to disk, or if you've disabled the DNS client service, and in that case you will be hitting the disk with every request. This is unlikely to be faster than a local network request. Also if you've disabled the client service (this is almost a requirement for an APK-style hosts file), you have disabled indexing, so you have to read the file line-by-line to figure out if a domain is a match, for each request. Any sites not in your list require reading the entire file.

    If you care about security, you should run your own local DNS server. You should also use an ad blocker, which will prevent many requests to ad networks from even being made. The hosts file is for temporary and machine-specific DNS changes, like if you're developing a website and need http://test.local/ to point to your local web server. It's better to have an actual domain registered and a subdomain, but it's not a big deal. Hosts is a bad solution for almost anything else. Having a program to manage your hosts file is just writing a really shitty, stupid DNS server.

    I know I'm going to be trolled for weeks — again — for saying this, but someone has to.

    --
    Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
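    The two resolution models argued over in the post above, side by side, as an added example (not Tenebrousedge's code or any real resolver's): a hosts(5) table that answers exact names only, next to a small policy evaluator that matches suffix patterns, lets a narrower allow rule override a broader deny, and answers NXDOMAIN for denied names instead of handing back an address. The hosts entries, policy rules and names under the reserved .test TLD are constructed placeholders.

```python
# Added example: hosts-file lookup versus a local DNS policy zone.
# Shows why "deny *.example; allow mail.example" and NXDOMAIN answers are
# only expressible in the DNS-server model.

HOSTS_FILE = """\
# constructed sample hosts file
0.0.0.0   ads.example-adserver.test
0.0.0.0   tracker.example-adserver.test
127.0.0.1 test.local
"""


def parse_hosts(text: str) -> dict:
    """hosts(5) format: address followed by one or more names; '#' starts a comment."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), addr)  # first entry wins, as resolvers do
    return table


def hosts_lookup(table: dict, name: str):
    """Exact match only; None means 'not in hosts, ask DNS'."""
    return table.get(name.lower().rstrip("."))


# Constructed policy zone: (action, pattern). '*.' patterns match subdomains only.
POLICY = [
    ("deny", "*.example-adserver.test"),
    ("deny", "*.example-portal.test"),
    ("allow", "mail.example-portal.test"),   # exception inside a denied domain
]


def _matches(pattern: str, name: str) -> bool:
    if pattern.startswith("*."):
        return name.endswith(pattern[1:])   # "*.x.test" matches "a.x.test", not "x.test"
    return name == pattern


def _specificity(pattern: str) -> tuple:
    # More labels = more specific; an exact name beats a wildcard with equal labels.
    return (pattern.count("."), not pattern.startswith("*."))


def policy_lookup(policy: list, name: str) -> str:
    """'NXDOMAIN' for denied names, 'RESOLVE' for everything else (forward upstream)."""
    name = name.lower().rstrip(".")
    best = None
    for action, pattern in policy:
        if _matches(pattern, name):
            key = _specificity(pattern)
            if best is None or key > best[0]:
                best = (key, action)
    return "NXDOMAIN" if best and best[1] == "deny" else "RESOLVE"


def compare(name: str) -> tuple:
    """(hosts answer, policy answer) for one name, to show where the models differ."""
    return hosts_lookup(parse_hosts(HOSTS_FILE), name), policy_lookup(POLICY, name)


if __name__ == "__main__":
    for n in ("ads.example-adserver.test", "sub.ads.example-adserver.test",
              "mail.example-portal.test", "www.example-portal.test", "test.local"):
        print(n, compare(n))
```

    The second name shows the gap the post is about: a subdomain the hosts file has never heard of falls through to upstream DNS, while the suffix rule denies the whole tree. The allow-over-deny case works because the evaluator keys on specificity rather than rule order, which is also what lets a whitelist be layered on top of a broad blacklist.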
  41. Older Cryptowall by davidwr · · Score: 1

    Older versions of CryptoWall didn't wipe the shadow copies.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  42. DNS = security issues & higher power bills by Anonymous Coward · · Score: 0

    See subject: Can ghostery/adblock do 16 things hosts do for more speed, security, & reliability:

    1.) Secure vs. known malicious sites/servers (beyond malicious adbanners: See 2-6 next)
    2.) Protect vs. fastflux using botnet attack + stop their communications back to their C&C servers
    3.) Protect vs. dyn dns using botnet attack + stop their communications back to their C&C servers
    4.) Protect vs. DGA/domain generation algorithm botnet attack + stop their communications back to their C&C servers
    5.) Secure vs. downed DNS servers (adds reliability)
    6.) Secure vs. DNS redirect poisoned dns servers
    7.) Protect vs. DNS Amplification attacks
    8.) Get past a dnsbl you may not agree with
    9.) Keep you off dns request logs
    10.) Block trackers
    11.) Block spam sources
    12.) Block phishing sources
    13.) Speedup websurfing not only adblocking but also hardcoding favorite sites
    14.) Work on ANY webbound app (think stand-alone email programs, for example).
    15.) Give you direct easily notepad/texteditor controlled data for all of the above
    16.) Do all of those things & block ads (better than addons) more efficiently in cpu cycles + memory usage

    * DNS = redirect poisoning (Kaminsky flaw & 99% of ISP DNS' are not patched), DNS Amplification attack, & more complexity/room for breakdown + exploit & higher power bills.

    APK

    P.S.=> The ANSWER ="NO" to each enumerated item above as far as Ghostery/AdBlock:

    Ghostery's Advertiser owned - "A fox guards the henhouse"-> http://en.wikipedia.org/wiki/G...

    AdBlock's 4++gb & 100% CPU usage inefficiency -> https://blog.mozilla.org/nneth... + ClarityRay defeats it.

    Both do less than hosts do & less efficiently - hosts do MORE w/ less.

    Both add more complexity/room for breakdown from a slower mode of operations (usermode = more messagepassing overheads vs. hosts in kernelmode).

    Hosts start w/ the IP stack itself before REDUNDANT inefficient addons BEGIN to operate, w/ also as 1st resolver queried too

    ... apk The b

    1. Re:DNS = security issues & higher power bills by Anonymous Coward · · Score: 0

      Hosts start w/ the IP stack itself before REDUNDANT inefficient addons BEGIN to operate, w/ also as 1st resolver queried too

      Wrong. Very little of anything you're saying has anything to do with the post you're responding to. More evidence that you simply do not understand DNS. Anything you can do in a hosts file, you can do with a DNS server, and DNS servers can do many things that a hosts file can't. Like the things listed in the GP post. Blocking all of the .ru top-level domain? One config line. Do you know what's better than hard-coding your favorite sites? Whitelisting them, and blocking everything else. Do you have any idea what the difference in speed is between kernel mode and user mode? Because that one hasn't been humanly noticeable since your programming skills were relevant, about thirty years ago by now.

      Your software was obsolete before you started writing it. Hosts is completely broken compared to a real local DNS server. You wrote a DNS server, and it's crap. Also you're completely psycho, and everyone knows it.

  43. Addressing YOUR bs #1 of 7... apk by Anonymous Coward · · Score: 0

    "Hosts by default is cached in memory by Windows, which if you have a huge hosts file is going to eat up a ton of memory. Unless it's paged to disk, or if you've disabled the DNS client service, and in that case you will be hitting the disk with every request." - by Tenebrousedge (1226584) on Thursday January 08, 2015 @02:33PM (#48767567)

    WRONG: The local kernelmode diskcache caches hosts into RAM (hosts are just a file & that's what the diskcache does).

    DNS doesn't use memory &/or CPU cycles? WRONG! It makes you use MORE OF THEM by using more moving parts complexity (which leads to its security issues & being down so much).

    APK

    P.S.=> Continued in my next 6 posts vs. your "so-called 'points'" I've easily proven off/wrong... apk

  44. Addressing YOUR bs #2 of 7... apk by Anonymous Coward · · Score: 0

    "This is unlikely to be faster than a local network request." - by Tenebrousedge (1226584) on Thursday January 08, 2015 @02:33PM (#48767567)

    Your own machine's memory queries of hosts cached = FASTER than dns requests on a LAN (not local to your machine, hosts are in local machine RAM) & faster than remote DNS, for sure!

    APK

    P.S.=> Continuing addressing your bs & disproving it in my next 5 posts, point-by-"so-called 'point'" of yours, easily... apk

  45. Addressing YOUR bs #3 of 7... apk by Anonymous Coward · · Score: 0

    "Also if you've disabled the client service (this is almost a requirement for an APK-style hosts file), you have disabled indexing, so you have to read the file line-by-line to figure out if a domain is a match, for each request. " - by Tenebrousedge (1226584) on Thursday January 08, 2015 @02:33PM (#48767567)

    WRONG - Hosts are cached by kernelmode faster OS diskcache & dnscache client is a USERMODE SLOWER service - for your favorite sites where you spend MOST OF YOUR TIME ONLINE @ THE TOP OF A HOSTS FILE = faster!

    E.G. - I keep 25 favorite sites of mine @ the top of my hosts file: That is where I spend 95++% of my time online per my router logs analyzed!

    I keep it in kernelmode with hosts using the diskcache & IP stack also (both are kernelmode vs. slower usermode)...

    Clue & FACT: FOLKS SURF THAT WAY, not to "every possible host-domain/subdomain under the sun everyday"... that equates to approximately 2-3 MILLION indexed seeks in a SLOWER remote DNS (subject to TONS of security issues like redirect attacks, amplifications attacks, etc. that hosts aren't).

    That USERMODE SLOWER dnscache also has issues with larger host files & BREAKS DOWN!

    APK

    P.S.=> Continued in my next 4 posts vs. your "so-called 'points'" I've easily proven off/wrong... apk

  46. Addressing YOUR bs #4 of 7... apk by Anonymous Coward · · Score: 0

    "Any sites not in your list require reading the entire file." - by Tenebrousedge (1226584) on Thursday January 08, 2015 @02:33PM (#48767567)

    I'd waste more time on adbanners if hosts didn't block them (they do along with MANY OTHER THREATS online) & for my favorite sites (25 here) @ THE TOP OF MY HOSTS FILE, that's 95++% of the time being as fast as possible, from LOCAL SYSTEM MEMORY & the kernelmode diskcache (keeping it pure kernelmode faster vs. dnscache client usermode slower, combining local kernelmode diskcache with the kernelmode PnP IP stack).

    Covering this again vs. this b.s. from you (I did in my earlier 3 posts also):

    CLUE: FOLKS SURF TO A FINITE NUMBER OF FAVORITE SITES, not "every host-domain/subdomain under the sun"... this is HOW & WHY hosts are faster than remote DNS & time taken querying it + resolving & returning it from a remote locale vs. local system memory (like hosts in kernelmode diskcache RAM with your fav. sites @ the TOP of the hosts file - immediate FASTER resolution by far vs. remote DNS).

    APK

    P.S.=> Continued in my next 3 posts vs. your "so-called 'points'" I've easily proven off/wrong... apk

  47. Addressing YOUR bs #5 of 7... apk by Anonymous Coward · · Score: 0

    "If you care about security, you should run your own local DNS server" - by Tenebrousedge (1226584) on Thursday January 08, 2015 @02:33PM (#48767567)

    DNS has security issues: Redirect poisoning, Amplification attacks, being downed etc. - hosts cure that, by not using DNS for your favorite sites hardcoded @ the top of hosts (immediate queries & faster from LOCAL system kernelmode diskcache memory (not slower usermode) + WHERE YOU SPEND MOST IF NOT ALL OF YOUR TIME ONLINE mostly - covered already in my earlier posts...).

    DNS also adds complexity & thus, room for breakdown + exploits as well as inefficiency w/ more moving parts to power (raising powerbills thus, also).

    APK

    P.S.=> Continued in my next 2 posts vs. your "so-called 'points'" I've easily proven off/wrong... apk

  48. Addressing YOUR bs #6 of 7... apk by Anonymous Coward · · Score: 0

    "You should also use an ad blocker, which will prevent many requests to ad networks from even being made." - by Tenebrousedge (1226584) on Thursday January 08, 2015 @02:33PM (#48767567)

    Addons are WAY inferior in abilities + less efficient than hosts http://it.slashdot.org/comment... + addons do far less than hosts for added speed, security, reliability, & anonymity even - by far!

    Prove those points wrong!

    * Go for it - you'll need a MIRACLE to prove your way out of that one...

    FACT: Hosts do MORE with LESS & they do MORE BY FAR vs. addons - no questions asked + from a FASTER MODE OF OPERATIONS (kernelmode via local diskcache & IP stack in combination working with one another... vs. addons in usermode adding messagepassing overheads + layering on more... & for what? TO DO LESS THAN HOSTS?? Yes...)

    APK

    P.S.=> Prove these points from my other reply to you wrong also (good luck, you'll need it) regarding browser addons inferiority (& DNS') to hosts files -> http://it.slashdot.org/comment... ... apk

  49. Addressing YOUR bs #7 of 7... apk by Anonymous Coward · · Score: 0

    "APK is delusional" - by Tenebrousedge (1226584) on Thursday January 08, 2015 @02:33PM (#48767567)

    You're no psych pro & use illogical adhominem attacks on me (thus you're NOT proving your "points" at all, whatsoever)

    PROVE EACH OF MY POINTS HERE IN THESE LINKS WRONG THEN (from my prior replies to you that easily proved YOUR "so-called 'points'" WRONG):

    http://it.slashdot.org/comment...

    http://it.slashdot.org/comment...

    http://it.slashdot.org/comment...

    http://it.slashdot.org/comment...

    http://it.slashdot.org/comment...

    http://it.slashdot.org/comment...

    http://it.slashdot.org/comment...

    * You'll fail! You already have, point-by-"so-called-'point'" of yours!

    ---

    "and fundamentally doesn't understand DNS. Don't be APK." - by Tenebrousedge (1226584) on Thursday January 08, 2015 @02:33PM (#48767567)

    I understand it, + DNS shortcomings in efficiency (more complexity & higher power bills), & security (DNS amplification attacks, DNS redirect poisoning attacks, being downed, rogue DNS servers out there, etc.) - do you?

    Evidently not.

    I don't write a DNS server (I could with my own code - could you? Evidently not) since hosts cure all of those shortcomings in DNS with something you already have - hosts with less complexity, room for breakdown/exploit, & less power consumption + less of a learning curve than DNS - by far, on ALL of those grounds...

    APK

    P.S.=> Hosts also do DNS admins a HUGE FAVOR lightening up DNS request loads using fav. sites @TOP OF HOSTS cached in kernelmode diskcache driven RAM (which YOU COMPLETELY OVERLOOKED, genius)

    Hosts also shore up DNS' numerous efficiency shortcomings (higher power bills, more moving parts room for breakdown, layering on MORE to do the same things as hosts (needlessly) & security issues in DNS (redirect poisoning, amp attacks, etc.) that hosts stop by avoiding DNS & resolve faster from your own system vs. remote DNS)... apk

  50. Can't prove my points on hosts wrong eh? by Anonymous Coward · · Score: 0

    Can addons do all these things hosts can (NO) -> http://it.slashdot.org/comment... as well as more efficiently? Hell no, lol!

    Hosts do MORE, from 1 single native kernelmode driven part you have already, with less!

    (Which is WHY you're avoiding those points, clearly...)

    ---

    When you use DNS servers, you expose yourself to security issues they have (DNS Amplification attacks, Redirect poisonings, etc.)!

    By comparison - hosts overcome that easily with a native part you already have in KERNELMODE (IP stack & diskcache in combination in fact)... not slower usermode like addons.

    DNS use adds complexity + a steeper learning curve

    AND

    YOU'RE INEFFICIENTLY LAYERING ON "MORE" needlessly - thus also raising your powerbill + CPU & RAM consumption too (putting on more layers of things you DON'T NEED, in addons + DNS even).

    ---

    Hosts also lighten up DNS server request loads (bonus) & COMPLEMENT dns thus, as well as overcoming their security shortcomings (noted above) by avoiding remote DNS.

    APK

    P.S.=> Denying those points above? Go for it - you'll FAIL - just as you have on my points on hosts doing more than addons & more efficiently, for less, in the 1st link above... apk

  51. Hosts operate via IP stack 1st by Anonymous Coward · · Score: 0

    See subject: What starts first - the IP stack + diskcache (kernelmode) or browsers (usermode slower & messagepassing overheads bound + inefficient as hell, ala AdBlock -> https://blog.mozilla.org/nneth... crippled by default (since it was bought out/'souled-out' to advertisers to do so, deceiving users since MOST WON'T CHANGE THAT DEFAULT & advertisers know it, & NOT DOING ITS JOB FULLY).

    As to the rest of TenebrousEdge's "so-called 'points'"? I dusted them, point by point...disprove them (good luck - you'll need it... more like a miracle)... heck - he overlooked diskcaching of hosts into MEMORY for Pete's sake (his biggest fail).

    Lastly, per my subject-line:

    You better look at the resolver order in windows in the registry (which you can raise hosts to 1st easily as I do)... no matter what though, hosts are in operation since the IP stack hosts is part of operate before browser addons ever do (& before browsers they put more inefficient messagepassing + memory & cpu bloat onto).

    Adding on MORE (addons) to do LESS (addons) != efficiency. Hosts do more, with less (from a single native part you already have).

    APK

    P.S.=> Answer = hosts start up first, since the kernelmode subsystems driving them do... no questions asked! ABOVE ALL ELSE, you can't show addons doing more with less, vs. hosts -> http://it.slashdot.org/comment... you have FAILED...

    ... apk