Slashdot Mirror


Inside Cryptowall 2.0 Ransomware

msm1267 writes: If you need more evidence that ransomware is here to stay, and could turn into cybercriminals' weapon of choice, look no further than Cryptowall. Researchers at Cisco's Talos group have published an analysis of a Cryptowall 2.0 sample, peeling back many layers of known commodities around this threat, such as its use of the Tor anonymity network to disguise command-and-control communication. But perhaps more telling about the commitment around ransomware is the investment attackers made in its capabilities to detect execution in virtual environments, building in many stages of decryption present before the ransomware activates, and its ability to detect 32- and 64-bit architectures and execute a different version for each.

8 of 181 comments

  1. Malware by ledow · · Score: 5, Interesting

    Most malware is surprisingly benign. I've been saying it for years.

    If you wanted to get really nasty, you can do these kinds of tricks and the thing will be damn-near scary to contract.

    The problem is that we've bred a generation of people who see malware as nothing more than a distraction. Who will go to "uninstall" to remove it, thinking that's to be trusted, who don't realise that something running in the background is a problem once you close the advert it pops up.

    At some point, something like this is going to be combined with a handful of never-seen-before exploits and it'll go across the globe and take weeks before there are effective patches to get rid of it. But the scary part is that the first few seconds of infection are all that's needed to totally control your ability to use your computer and access your data.

    Maybe then we'll get proper application whitelisting / sandboxing by default in a desktop OS. And, hell, why do applications get the run of every file I use under my account? Should they not have to request such things first? Even on Unix-likes, if you get on as my user, you can trash all my data - why? Why is the data store not immutable and applications only get a link to the data IF they are allowed access to it? And thus nothing ever actually runs "as" the user, but only as its own separate user with similar permissions and only the files necessary.

    Malware could be a lot worse than even this. Why it isn't yet, I haven't figured out - I presume because money-making is at the heart of it now rather than actually malintent with your data. But that won't last forever.

    I'm sorry, but the very concept of a virus scan happening "at scheduled intervals" or after you've already double-clicked on the file just tells you that it's too late before you start. We've got away with it for decades in desktop OS, but it can't continue forever.

    Getting a virus on my networks scares the crap out of me. People think I overreact when I just remote-off the machine (or tell them to pull the plug) and just re-image for even the most basic of adware. Fact is, I didn't install it and I have no idea what it ACTUALLY does. And I'll be damned if it's going to get the chance to go on my shared areas and do anything, even with file history, backups, etc. available.

    1. Re:Malware by Shakrai · · Score: 4, Interesting

      Maybe then we'll get proper application whitelisting / sandboxing by default in a desktop OS. And, hell, why do applications get the run of every file I use under my account? Should they not have to request such things first? Even on Unix-likes, if you get on as my user, you can trash all my data - why?

      The answer is functionality. Let's consider the example of Android, an OS with a fairly recent security model, built on top of Linux which provides for chroot. Why not put apps into their own chroot jail by default? Seems like a good idea, right? How do you explain to Grandma why she can't upload photos from her camera's image gallery to Facebook? Oh, you'll solve that problem by putting the photos in a public directory? Okay, that eliminates the functionality concern, but now you're right back where you started with exposure to ransomware....

      People think I overreact when I just remote-off the machine (or tell them to pull the plug) and just re-image for even the most basic of adware.

      It's not an overreaction, that's my response as well but I would have to ask you why you're getting adware in your environment? In the gigs where I've worked as in-house IT I can count the number of ad/malware infections we've had over the years on one hand. I'm fairly proactive about training my users and maintaining a solid security model. Have a decent security package, don't allow your users to be admins on their local machines, and train them in common sense steps to avoid ad/malware. That will eliminate the lion's share of infections. Conversely, when I worked in consulting it seemed like all we did was remove ad/malware; it got to the point where it was readily apparent that we were deliberately not proactive because being so would have reduced our billable hours. That's one of many reasons why I quit that job....

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.

    2. Re:Malware by Nite_Hawk · · Score: 5, Interesting

      Malware could be a lot worse than even this. Why it isn't yet, I haven't figured out - I presume because money-making is at the heart of it now rather than actually malintent with your data. But that won't last forever.

      I suspect it's because the powerful people in the world largely care little about computers, viruses, downtime, etc. To them it's all just mysterious technical mumbo jumbo that is of little interest to them. Extortion is a little more clear though. Someone is trying to fuck them, and that tends to get people riled up. Riling up folks like us is one thing, but statistically speaking sooner or later malware like this will inadvertently fuck someone who's capable of things like armed abduction, torture, and death. You have to have a lot of faith in the anonymity of bit torrent that you won't be found by one of these kinds of people.

  2. Re:Cryptowall is very sophisticated by rvw · · Score: 3, Interesting

    The best protection is to pull your backups not push. You have whatever is performing your backups connect into the machine, and then pull the backups, not having your machine being backed up connecting to the destination and pushing. That way, the machine can be compromised but it has no clue that it's even being backed up (since it's simply a share that's being used.)

    Great and interesting, good to be aware of this possibility! But what if the machine that is pulling is infected? How do you know that is not happening?

  3. Re:Malware preventative measure by Anonymous Coward · · Score: 2, Interesting

    In reading TFA, having an executable called VBoxService.exe or vmtoolsd.exe seems like a sure-fire way to have it skip right over you, as it thinks you're running inside a VM.

  4. Re:Cryptowall is very sophisticated by rvw · · Score: 5, Interesting

    Cryptowall is very sophisticated. It will go into online backups and encrypt them too. If you are using a common online backup it can find those and encrypt those too. The best protection against this is a USB backup in a drawer.

    Cryptowall was recently being distributed by yahoo ads via a compromised flash ad http://news.yahoo.com/yahoo-ad.... You could have received it by going to your favorite news site.

    I use Crashplan. Couldn't they use a canary of some kind? In my online account I define a file that is just plain text or a key. I upload the text content of that file to my account while the local backup software doesn't know about this. I point to where this file is located in my backup, and it should be identical. Whenever this file is encrypted (or changed), I get an alert via mail. Then I know something is messing with my backup or with my local files.
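
The canary idea in the comment above, and the earlier question of what happens when the machine pulling the backups is itself infected, both reduce to the same check: compare a known file against a reference digest that is kept somewhere the backed-up machine cannot write. The script below is an added example, not code from any of the posts here and not CrashPlan's own mechanism; the canary path, its content and the simulated tampering are constructed for the demonstration.

```python
"""Canary-file check: detect silent tampering of a file that feeds a backup."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import List

# Constructed sample canary (the path and content are assumptions for this demo).
CANARY_RELPATH = Path("Documents") / "backup-canary.txt"
CANARY_CONTENT = b"backup canary v1 - do not edit\n"


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so a large canary costs no extra memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_canary(root: Path, content: bytes = CANARY_CONTENT) -> str:
    """Write the canary under `root` and return its reference digest.

    Keep the digest *off* the backed-up machine (the commenter's online account
    is one place): neither an infected client nor an infected pulling host can
    then quietly update the reference to match a rewritten file.
    """
    target = root / CANARY_RELPATH
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(content)
    return sha256_of(target)


def check_canary(root: Path, reference_digest: str) -> str:
    """Return 'ok', 'missing' or 'modified' for the canary under `root`.

    `root` can be the live machine or the pulled copy on the backup host; the
    same reference digest serves both, which is what answers the "what if the
    puller is infected?" question.
    """
    target = root / CANARY_RELPATH
    if not target.is_file():
        return "missing"        # deleted, or renamed (e.g. given a new extension)
    if sha256_of(target) != reference_digest:
        return "modified"       # contents no longer match the out-of-band copy
    return "ok"


def simulate_infection(root: Path) -> List[str]:
    """Plant -> check -> overwrite (simulated encryption) -> check -> delete -> check."""
    reference = plant_canary(root)
    results = [check_canary(root, reference)]
    # Constructed tampering: overwrite with random bytes of the same length,
    # which is what the encrypted file would look like to a size-only check.
    (root / CANARY_RELPATH).write_bytes(os.urandom(len(CANARY_CONTENT)))
    results.append(check_canary(root, reference))
    (root / CANARY_RELPATH).unlink()
    results.append(check_canary(root, reference))
    return results


def run_demo() -> List[str]:
    """Run the simulation in a throwaway directory and return the three verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        return simulate_infection(Path(tmp))


if __name__ == "__main__":
    print(run_demo())
```

In practice the alert fires on any verdict other than "ok", and a size check alone would miss the overwrite case, which is why the comparison is on a digest rather than on file length or modification time.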

  5. Fake the VM by L.+J.+Beauregard · · Score: 1, Interesting

    It's detecting the guest services, rather than the VM as such. VirtualBox at least will be no defense unless you run the guest services. OTOH, a fake guest service should defeat Cryptowall. Create a service named "VBoxService.exe" or "vmtoolsd.exe" which does nothing.

    --
    Ooh, moderator points! Five more idjits go to Minus One Hell!
    Delendae sunt RIAA, MPAA et Windoze

  6. Versioning by jd142 · · Score: 4, Interesting

    A lot of people have been talking about backups and the fact that even your backups can be compromised. And that's true. The solution is versioning and rotation. If I'm compromised today, the files on Crashplan will be uploaded as encrypted files. But since they have versioning, I can go back 30 days or so and get the older versions. I may lose some data depending on how long I've been infected, but I'll be able to get some data back. The only other solution is to run a daily/weekly/monthly backup scheme that keeps your monthly backups for a year (or longer if you are really paranoid). It means you need 5 separate disks for each week and then another 12 for each month, which most people aren't going to want to do. Eventually the ransomware people will get patient and encrypt your files but allow access for 3-6 months before telling you.
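
To make the retention arithmetic in the comment above concrete, here is an added Python example (not from the comment, and not CrashPlan's actual policy) that applies a grandfather-father-son schedule of 7 daily, 5 weekly and 12 monthly snapshots to a constructed year of daily backups, then asks which retained snapshot still predates a given infection date. The dates, the retention counts and the 100-day silent infection are assumptions chosen for the demonstration; the 5 weekly and 12 monthly slots match the disk counts the comment mentions.

```python
"""Snapshot retention versus a ransomware infection that stayed quiet for a while."""
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


def keep_most_recent(snapshots: List[date], today: date, days: int = 30) -> Set[date]:
    """Flat policy: keep only the `days` most recent snapshots (a rolling window)."""
    snaps = sorted(s for s in snapshots if s <= today)
    return set(snaps[-days:])


def gfs_retained(snapshots: List[date], today: date,
                 daily: int = 7, weekly: int = 5, monthly: int = 12) -> Set[date]:
    """Grandfather-father-son policy: the last `daily` snapshots, the last snapshot
    of each of the last `weekly` ISO weeks and of the last `monthly` months.
    Each tier is computed independently and the union is what stays on disk."""
    snaps = sorted(s for s in snapshots if s <= today)
    keep: Set[date] = set(snaps[-daily:])

    last_of_week: Dict[tuple, date] = {}
    for s in snaps:                      # sorted, so the last assignment per week wins
        iso_year, iso_week, _ = s.isocalendar()
        last_of_week[(iso_year, iso_week)] = s
    keep.update(sorted(last_of_week.values())[-weekly:])

    last_of_month: Dict[tuple, date] = {}
    for s in snaps:
        last_of_month[(s.year, s.month)] = s
    keep.update(sorted(last_of_month.values())[-monthly:])
    return keep


def newest_clean_snapshot(retained: Set[date], infected_since: date) -> Optional[date]:
    """Most recent retained snapshot taken before the infection began. None means
    every copy still held was made after the files were already encrypted."""
    clean = [d for d in retained if d < infected_since]
    return max(clean) if clean else None


def demo() -> Dict[str, Optional[date]]:
    """Constructed scenario: one snapshot per day for a year, infection 100 days ago."""
    today = date(2015, 1, 6)
    first = date(2014, 1, 1)
    snapshots = [first + timedelta(days=i) for i in range((today - first).days + 1)]
    infected_since = today - timedelta(days=100)   # 2014-09-28 in this scenario
    return {
        "rolling_30_days": newest_clean_snapshot(keep_most_recent(snapshots, today),
                                                 infected_since),
        "gfs_7_5_12": newest_clean_snapshot(gfs_retained(snapshots, today),
                                            infected_since),
    }


if __name__ == "__main__":
    for policy, snap in demo().items():
        print(f"{policy}: {'no clean copy left' if snap is None else snap}")
```

With a 30-day rolling window every surviving copy postdates the infection, so nothing restorable remains; the GFS schedule still holds the end-of-August monthly snapshot, at the cost of losing roughly a month of changes made before the infection began. Lengthening the monthly tier is what buys protection against the patient attacker the comment describes.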