Slashdot Mirror


Inside Cryptowall 2.0 Ransomware

msm1267 writes: If you need more evidence that ransomware is here to stay, and could turn into cybercriminals' weapon of choice, look no further than Cryptowall. Researchers at Cisco's Talos group have published an analysis of a Cryptowall 2.0 sample, peeling back many layers of known commodities around this threat, such as its use of the Tor anonymity network to disguise command-and-control communication. But perhaps more telling about the commitment around ransomware is the investment attackers made in its capabilities: detecting execution in virtual environments, building in many stages of decryption before the ransomware activates, and detecting 32- and 64-bit architectures and executing a different version for each.

36 of 181 comments

  1. Cryptowall is very sophisticated by roccomaglio · · Score: 4, Informative

    Cryptowall is very sophisticated. It will go into online backups and encrypt them too. If you are using a common online backup, it can find those and encrypt those too. The best protection against this is a USB backup in a drawer. Cryptowall was recently being distributed by Yahoo ads via a compromised Flash ad http://news.yahoo.com/yahoo-ad.... You could have received it by going to your favorite news site.

    1. Re:Cryptowall is very sophisticated by rvw · · Score: 3, Interesting

      The best protection is to pull your backups, not push. You have whatever is performing your backups connect into the machine and then pull the backups, rather than having the machine being backed up connect to the destination and push. That way, the machine can be compromised but it has no clue that it's even being backed up (since it's simply a share that's being used.)

      Great and interesting, good to be aware of this possibility! But what if the machine that is pulling is infected? How do you know that is not happening?

    2. Re:Cryptowall is very sophisticated by rvw · · Score: 5, Interesting

      Cryptowall is very sophisticated. It will go into online backups and encrypt them too. If you are using a common online backup, it can find those and encrypt those too. The best protection against this is a USB backup in a drawer.

      Cryptowall was recently being distributed by Yahoo ads via a compromised Flash ad http://news.yahoo.com/yahoo-ad.... You could have received it by going to your favorite news site.

      I use Crashplan. Couldn't they use a canary of some kind? In my online account I define a file that is just plain text or a key. I upload the text content of that file to my account while the local backup software doesn't know about this. I point to where this file is located in my backup, and it should be identical. Whenever this file is encrypted (or changed), I get an alert via mail. Then I know something is messing with my backup or with my local files.

    3. Re:Cryptowall is very sophisticated by cdrudge · · Score: 4, Informative

      Cryptowall was recently being distributed by Yahoo ads via a compromised Flash ad http://news.yahoo.com/yahoo-ad.... You could have received it by going to your favorite news site.

      That article makes no mention of a compromised flash ad. It actually doesn't mention any type of compromise or flash. Yahoo ads served up an ad that took people to a server that could lead to a compromise. Just visiting a page that had that Yahoo ad didn't compromise your machine.

    4. Re:Cryptowall is very sophisticated by jiriw · · Score: 5, Informative

      First, the machine pulling backups has a completely different interaction with the 'world' than your average system-to-be-backed-up. I assume you're not reading e-mail or PDFs or surfing the web on the system you use for data backup. Also, it should not execute any of the data it's backing up, so the actual backup process should not be an attack vector for malicious software.

      If you still want more security you could choose to have the machine pulling backups run on a different hardware and/or software platform than the machines it pulls the backups from. For example, you could have Windows desktops and shared SMB partitions that contain the stuff to be backed up and a Linux NAS with a Samba client doing the backups using a cronjob. Make sure that, if the NAS does have a Samba server as well (for network shares), your backups are not available through it because, as we know from Cryptowall, it will also encrypt network data the infected system has write access to.

      There is virtually no malicious software that can infect multiple distinctly different hardware/software platforms in the same attack. Although in this particular instance (Cryptowall 2) it does make use of two processor architectures, x86 and AMD64, to do its things...

    5. Re:Cryptowall is very sophisticated by drooling-dog · · Score: 4, Informative

      Cryptowall was recently being distributed by Yahoo ads via a compromised Flash ad

      That's why my hosts file includes these entries (among many others):


    6. Re:Cryptowall is very sophisticated by Anonymous Coward · · Score: 2, Informative

      I wouldn't be surprised to see this actually be a niche market, similar to NAS appliances.

      There is quite a lively backup appliance market. For example these can do pretty much everything you described.

      [1]: Yes, this kills deduplication... but there are some machines which need to be secured in case the backup appliance gets hacked.

      You are also completely right here, there is a constant battle between security and deduplication.

      Full Disclosure: Posting AC because I am a developer at Unitrends.

    7. Re:Cryptowall is very sophisticated by aaarrrgggh · · Score: 2

      Most of the NAS drives out there have a Linux shell available. We rsync from there whenever possible, and the workstation or server does not have rights to the NAS box.

      Nothing is perfect, and the ransomware might figure out ways to skirt these protections. It really comes down to defense in depth against different threats: multiple types of backups. The concern I have now is out-of-space challenges once encryption starts.

    8. Re:Cryptowall is very sophisticated by mlts · · Score: 2

      Interesting appliance offerings. The 312 and the other desktop model appear quite useful for almost everyone, if the price is right. Just the fact that malware can't go in and "rm -rf /" the device adds significant protection.

      The 312/313 look interesting. The $4000 price point isn't cheap, but trying to do something similar, like building a PC with Windows Server 2012 R2 and then finding an application to do the backups, may run into higher costs overall.

      IMHO, be it a Unitrends appliance, a machine running bru [1], NetBackup, or anything along those lines, something of the sort is a must for businesses these days. The Cryptowall/CryptoLocker malware is only going to get worse, and be able to do more stuff. [2]

      [1]: bru is the only backup utility that allows you to install and restore stuff without having to input a serial number. Quite useful. It also has been around since the early 1990s, and is tried and true. Wish it came with RedHat like it did in ages bygone.

      [2]: I will not be surprised to see malware/ransomware start getting even more sophisticated to the point of encrypting files, but having a low level driver in place that allows access... then at some certain date, all file access is locked out. This way, even backups will not be usable. It would also be modular so that it would hook into programs like Mozy, CrashPlan, Carbonite, and others, and encrypt the data as it is sent up.

    9. Re:Cryptowall is very sophisticated by DigiShaman · · Score: 3

      I've personally seen a workstation get hit with a 0-day exploit drive-by download in Firefox. It's these 3rd party ad server farms that get hacked and start serving out this shit. Doesn't matter if it's Yahoo, CNN, Drudge, MSNBC, Fox News... etc. If they have a contract with one of these ad agencies (and they all do), all it takes is for one of the infected servers to rotate into view for the end user. Really nasty stuff.

      Workstation patch management (Windows Security update, app updates etc) helps, but I've blocked TOR traffic from inside corporate firewalls. So far it seems to help keep the command and control from trying to root further into an infected machine. Regardless, if it got infected, it gets nuked and paved with a fresh image.

      My approach at dealing with Cryptowall evolves as it does.

      --
      Life is not for the lazy.

    10. Re:Cryptowall is very sophisticated by tlhIngan · · Score: 4, Insightful

      I wouldn't be surprised to see this actually be a niche market, similar to NAS appliances. A box that one plops down, configures, installs a client on Windows, OS X, or Linux, and can do the basic range of backups, be it files, or complete bare metal OS images. A file restore would be just accessing the backup client. A complete image restore could even be telling the appliance to map a USB port to a virtual bootable image, boot the machine via the USB port, and let the application code do the rest from there. That way, the machine is never on the network in a vulnerable state.

      Technically, Microsoft created one, then canned it, as usual.

      Windows Home Server contained an EXCELLENT network backup utility - it did image-based backups (but can do file-based restores easily), deduplication, is not accessible via SMB shares, fast, cheap, and a whole lot more. The only downside was it was Windows-only - it could only do NTFS disks because it relies on Volume Shadow Services and on disk-tracking (it finds out what actually changed on disk between runs so it only needs to backup the changed content).

      It was a great backup, restore and upgrade tool - the recovery program was a bootable CD, and the drivers it needs are stored with the backup, so all you need is a USB thumb drive: copy a specific folder off the machine's backup and use it with the boot CD so the boot CD can access hard drives and network.

      And it was automated - every night every machine would get backed up.

      But as is typical for Microsoft, they canned WHS and let the backup program in it die because well, it was too useful.

    11. Re:Cryptowall is very sophisticated by vux984 · · Score: 2

      The "trouble" with Windows backup is that it has read/write access to the backup store. Which means if your computer is compromised by Cryptowall, Cryptowall has read/write access to the backup store... so Cryptowall can encrypt your backup archive files, indexes... whatever else.

      Secure backup from something like this needs to be client/server. The computer must not be able to see the backup archive files directly.

      If you save the backups on a network share, using separate credentials that only the backup runs under, then *maybe* you'd be safer. But I still wouldn't count on it.

    12. Re:Cryptowall is very sophisticated by nmr_andrew · · Score: 2

      Exactly. I've been doing the same for more than the last decade, except using a second workstation as the backup device (as opposed to NAS).

      If the backup machine is on the same LAN, I export the drive (or directories) to be backed up read-only, mount them on the backup read-only, and copy using rsync.

      If the machine is in a different location, I share a key pair and pull what I want backed up using rsync (over ssh) from the backup machine.

      This is fairly bulletproof, and in no way can anything running on the original host modify the backup, aside from possibly replacing a changed file.

  2. Malware by ledow · · Score: 5, Interesting

    Most malware is surprisingly benign. I've been saying it for years.

    If you wanted to get really nasty, you can do these kinds of tricks and the thing will be damn-near scary to contract.

    The problem is that we've bred a generation of people who see malware as nothing more than a distraction. Who will go to "uninstall" to remove it, thinking that's to be trusted, who don't realise that something running in the background is a problem once you close the advert it pops up.

    At some point, something like this is going to be combined with a handful of never-seen-before exploits and it'll go across the globe and take weeks before there are effective patches to get rid of it. But the scary part is that the first few seconds of infection are all that's needed to totally control your ability to use your computer and access your data.

    Maybe then we'll get proper application whitelisting / sandboxing by default in a desktop OS. And, hell, why do applications get the run of every file I use under my account? Should they not have to request such things first? Even on Unix-likes, if you get on as my user, you can trash all my data - why? Why is the data store not immutable and applications only get a link to the data IF they are allowed access to it? And thus nothing ever actually runs "as" the user, but only as its own separate user with similar permissions and only the files necessary.

    Malware could be a lot worse than even this. Why it isn't yet, I haven't figured out - I presume because money-making is at the heart of it now rather than actual malintent with your data. But that won't last forever.

    I'm sorry, but the very concept of a virus scan happening "at scheduled intervals" or after you've already double-clicked on the file just tells you that it's too late before you start. We've got away with it for decades in desktop OSes, but it can't continue forever.

    Getting a virus on my networks scares the crap out of me. People think I overreact when I just remote-off the machine (or tell them to pull the plug) and just re-image for even the most basic of adware. Fact is, I didn't install it and I have no idea what it ACTUALLY does. And I'll be damned if it's going to get the chance to go on my shared areas and do anything, even with file history, backups, etc. available.

    1. Re:Malware by Shakrai · · Score: 4, Interesting

      Maybe then we'll get proper application whitelisting / sandboxing by default in a desktop OS. And, hell, why do applications get the run of every file I use under my account? Should they not have to request such things first? Even on Unix-likes, if you get on as my user, you can trash all my data - why?

      The answer is functionality. Let's consider the example of Android, an OS with a fairly recent security model, built on top of Linux which provides for chroot. Why not put apps into their own chroot jail by default? Seems like a good idea, right? How do you explain to Grandma why she can't upload photos from her camera's image gallery to Facebook? Oh, you'll solve that problem by putting the photos in a public directory? Okay, that eliminates the functionality concern, but now you're right back where you started with exposure to ransomware....

      People think I overreact when I just remote-off the machine (or tell them to pull the plug) and just re-image for even the most basic of adware.

      It's not an overreaction, that's my response as well, but I would have to ask you why you're getting adware in your environment? In the gigs where I've worked as in-house IT I can count the number of ad/malware infections we've had over the years on one hand. I'm fairly proactive about training my users and maintaining a solid security model. Have a decent security package, don't allow your users to be admins on their local machines, and train them in common sense steps to avoid ad/malware. That will eliminate the lion's share of infections. Conversely, when I worked in consulting it seemed like all we did was remove ad/malware; it got to the point where it was readily apparent that we were deliberately not proactive because being so would have reduced our billable hours. That's one of many reasons why I quit that job....

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.

    2. Re:Malware by 0123456 · · Score: 2

      For a start, an app like Facebook should only have read-only access to your photos. That still provides the opportunity to steal your naked pics and upload them all over the web, but not to delete them.

      Of course, if the malware is already using exploits to install, it may also be able to use exploits to escape any such protection.

      But this is now a huge problem, which needs to be fixed. The days when you could trust even supposedly legitimate software not to do bad shit with your shit are over. No software should have access to anything it doesn't need access to.

    3. Re:Malware by Nite_Hawk · · Score: 5, Interesting

      Malware could be a lot worse than even this. Why it isn't yet, I haven't figured out - I presume because money-making is at the heart of it now rather than actual malintent with your data. But that won't last forever.

      I suspect it's because the powerful people in the world largely care little about computers, viruses, downtime, etc. To them it's all just mysterious technical mumbo jumbo that is of little interest to them. Extortion is a little more clear though. Someone is trying to fuck them, and that tends to get people riled up. Riling up folks like us is one thing, but statistically speaking sooner or later malware like this will inadvertently fuck someone who's capable of things like armed abduction, torture, and death. You have to have a lot of faith in the anonymity of BitTorrent that you won't be found by one of these kinds of people.

    4. Re:Malware by Shakrai · · Score: 2

      For a start, an app like Facebook should only have read-only access to your photos.

      What if I want to save photos posted by a friend to my device? Now Facebook needs write access to the file structure. Do you propose having multiple directory structures and chroot jails for something as simple as photos? With nothing being able to access / except for the OS?

      No software should have access to anything it doesn't need access to.

      I agree with you in principle but I'm playing devil's advocate to try and illustrate the point that it's not as cut and dry as we would like it to be. I used the example of Android because it's an OS that was created by intelligent people in the day and age where these threats are well known. It also has the theoretical advantage of being an OS where apps don't typically have to interact with the data stored by other apps (the obvious exception is photos), which should make it easier to chroot them, but as soon as you drill down into the nuts and bolts you realize that doing so would eliminate all manner of useful functionality.

      Keep in mind your end user target audience too. How hard was it for Microsoft to get the MCSE crowd used to user account control? UAC was not a new concept, but the introduction of it into the Microsoft world threw many of their most knowledgeable users into a confused tailspin. It was even worse for the end/home users without technical backgrounds. Now imagine the headache of trying to introduce chroot'ing into a consumer grade OS and making it the default behavior for applications. Want to import that chart from Excel into Word? Here's a UAC-like pop-up asking for permission. Need to insert that clip art you just downloaded in your browser into your PowerPoint presentation? Here's another UAC-like pop-up asking for permission. Do you see the problem?

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.

    5. Re:Malware by jythie · · Score: 2

      Why can we not get proper white listing or sandboxing? Look what happens when companies try to move in that direction. Both Microsoft and Apple got hell for it every time they tried and ended up backing off. Chrome and Mozilla are encountering similar problems as attempts break plug-ins or websites that people use.

      Security issues are generally rare occurrences, while the functionality one uses daily is immediately visible and annoying. Even within Unix systems we see a constant push/pull between security and convenience. How many nerdy users are actually running SELinux and paying attention to the policies? A good chunk of the time, all but the most paranoid users will just allow anything it takes to get their stuff running, and all that sudo abuse is not exactly helping.

      For that matter, look at what has happened to sudo over the last few years. Long gone is the usage of giving specific accounts access to specific commands, it is just used as one giant whitelist where any user can play root.

    6. Re:Malware by Shakrai · · Score: 2

      Then you can click a box saying 'yes, I really want to let this app save this file to this location'.

      So you're going to use an annoying UAC-like pop-up that will rapidly be ignored by 99.9% of the population because it appears so often as to be nearly useless?

      Does the Facebook app even let you save other people's pictures?

      Yes it does, but that's beside the point. Don't get hung-up on the particular example of Facebook, I only used it because it's an app used by the mainstream that needs access to the file structure for legitimate purposes. There are countless others, big and small, and if you're serious about this idea you're going to have to take them all into account and find a way to do it that isn't overly annoying or cumbersome to non-technical end users. Smarter people than either one of us have tried and failed to solve this problem....

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.

    7. Re:Malware by CreatureComfort · · Score: 4, Funny

      people might have to learn

      Oh. I see your problem right there.

      --
      "Unheard of means only it's undreamed of yet,
      Impossible means not yet done." ~~ Julia Ecklar

    8. Re:Malware by mrchaotica · · Score: 2

      Why is the data store not immutable and applications only get a link to the data IF they are allowed access to it?

      Because then somebody has to tell the computer which applications are allowed to access which data, and normal users can't be bothered.

      You know that we have such functionality now, right? All you have to do is use something like SELinux and set up the ACLs. But I doubt that even most people as security-conscious as you have actually spent the effort to use it.

      Malware could be a lot worse than even this. Why it isn't yet, I haven't figured out - I presume because money-making is at the heart of it now rather than actual malintent with your data. But that won't last forever.

      Most malware isn't "all that bad" for the same reason most diseases aren't like Ebola: if you kill the host too quickly, or provoke a strong anti-disease response, it's harder to spread.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  3. Cryptowall is very sophisticated by Anonymous Coward · · Score: 5, Insightful

    The best protection is to pull your backups, not push. You have whatever is performing your backups connect into the machine and then pull the backups, rather than having the machine being backed up connect to the destination and push. That way, the machine can be compromised but it has no clue that it's even being backed up (since it's simply a share that's being used.) When you use a USB drive, you'll be safe, until someone plugs it into that machine not knowing that as soon as they do, it will begin encrypting what's accessible on that USB drive. I always try to back up from outside of the context of what is being backed up. If it's a VM, I back up from the host, not from inside of the VM I need the data from. If it's a storage end point, I don't back up the files, I snapshot the volumes.

    It isn't always possible to do it that way, but doing it that way has saved my backside more than a few times.

  4. Re:Malware preventative measure by Technician · · Score: 2

    In reading TFA, a prevention may be to add the Tor list into your hosts file so it can't download a Tor client to continue. Adding the list to your router blacklist can put it out of reach of the malware, so it can't bypass the block.

    In the arms race this is effective on the current version. An update may have a new list of Tor download locations.

    Not sure if blocking TOR at the router is possible or effective.

    --
    The truth shall set you free!

  5. So how are these spread? by gstoddart · · Score: 3, Insightful

    How is this crap spread?

    Can I laugh at the people who have Flash enabled and let arbitrary sites run JavaScript? Or does this spread through some other vectors I don't know about?

    I suspect the problem is the idiots who write websites, who demand your browser run in the most insecure possible configuration so you can see their ads and other shit they've hidden behind code which needs to run on your browser.

    And I've always said I'm not willing to run my browser wide open just to make web sites work, because these things have been security holes for years.

    Browsers need to be a whole lot less trusting, and not default to just running any old thing which comes along. And certainly stop trusting scripts from 3rd parties and running whatever crap pile of Flash comes along.

    Unfortunately, users are used to seeing pages which give you detailed directions for re-enabling JavaScript and cookies.

    So to all you web developers out there who have ever written that page ... fuck you, you slimy bastard. It's partly your fault the internet is a shit hole.

    --
    Lost at C:>. Found at C.

  6. Re:Malware preventative measure by Anonymous Coward · · Score: 2, Interesting

    In reading TFA, having an executable called VBoxService.exe or vmtoolsd.exe seems like a sure fire way to have it skip right over you, as it thinks you're running inside a VM.

  7. How to prevent it from ruining my backups by hackertourist · · Score: 2

    My backups are done on a USB hard disk that's connected to the media server on my home network. Switch the HD on, and it'll appear and backups can be made.

    How can I prevent malware from changing my backups? Would it be possible/effective to mount the drive as write-only, making it impossible to change existing files?

  8. Re:Fake the VM by Knightman · · Score: 2

    In other words:
    copy notepad.exe VBoxService.exe
    Add VBoxService.exe to your autostart folder.

    1 minute fix to mitigate the risk a bit.

    --
    --- Reality doesn't care about your opinions, it happens anyway and if you are in the way you'll get squished.

  9. Versioning by jd142 · · Score: 4, Interesting

    A lot of people have been talking about backups and the fact that even your backups can be compromised. And that's true. The solution is versioning and rotation. If I'm compromised today, the files on Crashplan will be uploaded as encrypted files. But since they have versioning, I can go back 30 days or so and get the older versions. I may lose some data depending on how long I've been infected, but I'll be able to get some data back. The only other solution is to run a daily/weekly/monthly backup scheme that keeps your monthly backups for a year (or longer if you are really paranoid). It means you need 5 separate disks for each week and then another 12 for each month, which most people aren't going to want to do. Eventually the ransomware people will get patient and encrypt your files but allow access for 3-6 months before telling you.

    1. Re:Versioning by Pichu0102 · · Score: 3, Insightful

      This works until you realize the ransomware could go into your Crashplan settings and turn off versioning and keeping deleted files.

    2. Re:Versioning by error_logic · · Score: 2

      Unless it requires two-factor confirmation to change settings, like a verification code sent by text message.

    3. Re: Versioning by Pichu0102 · · Score: 2

      I can confirm it does not.

    4. Re: Versioning by Pichu0102 · · Score: 3, Insightful

      In theory, it could stop the Crashplan service, manually edit your backup set settings to have no versioning, and no deleted file keeping, restart the Crashplan service, and let it run through and prune all the files it thinks it should be pruning, then encrypt your files, let it back them up, and Crashplan dutifully prunes the old versions like the hijacked config file says to.

  10. Re:Fake the VM by Opportunist · · Score: 2

    I was thinking along those lines. If it protects itself by refusing to run in certain environments, maybe we could protect ourselves by giving it the idea that it does.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  11. Re:One more reason to get away from Windows by Opportunist · · Score: 5, Informative

    Crypto$shit isn't something that can only run on Windows. The main reason why Windows is being attacked is the same reason most software is made for it: its market share. If Linux had a market share of 90% (or however ludicrously high the share of that system still is), Linux would be the target. For exactly the same reason: it's where the money is. Why bother trying to infect 5% of the computers when you can go and try to infect 90% thereof?

    Next, they abuse the flaw in a third party product, something MS cannot even mitigate if they wanted. If you want to be mad at someone, be mad at Adobe, they're the one that produced that abominable turdfest called Flash. You think Flash is any more secure on Linux than it is on Windows? Think again. Why would Adobe put more brainpower behind the security of their A-league product on a minor platform than they do for the main platform?

    Better security in Linux, you say? Tighter control of permissions? Bzzzzt, nope, doesn't apply. What makes Crypto$shit so dangerous is exactly that it does not need any kind of elevated permissions. It does not want to touch any "system" areas, all it does is execute in the user context and encrypt files in the user's directory. That is something you can do on Linux with the permissions of the current user just as well as you can do it in Windows.

    And yes, I'm aware of the various "hardening" strategies that you can employ to make such an attack harder on Linux. ALL of them work as well on Windows. Ok, maybe not in every version of Windows because MS in their never ending wisdom thought security is for Enterprises only, hence the key security features are not available in their Home editions... but even for the "Homes" there is a way to do it. Very inconvenient and quite tricky to pull off, just like most would be in a Linux environment. Yes, it's possible. No, it ain't something Joe Randomsurfer would or even could do.

    So no. This time the "Windows sux" club does not strike. I wish for the best and I hope for less market share for that Moloch too, but this time they are not the ones to blame. If anyone is, try Adobe and them STILL NOT getting a grip on Flash security.

    It ain't like this is the first time that turd has been the attack vector, ya know...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  12. single purpose device, key by raymorris · · Score: 4, Informative

    We use two strategies. First, the backup device is ONLY a backup device. It doesn't have a web browser and it's not used for email. We use very large servers to back up our customer data, but on a small scale you could use a Raspberry Pi, an old router with OpenWRT, or a smart NAS. Because the device handling backups has no desktop or services, it shouldn't get infected. Access is strictly limited - either console only or strong ssh keys, perhaps through a VPN first. The backup device can be so restricted because it doesn't need to be usable for anything but pulling backups.

    Its access to the machines it backs up can also be extremely limited. The ssh key of the backup device is only allowed to run rsync with pull arguments. So even if the backup device were compromised, it can do no harm.
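    What "only allowed to run rsync with pull arguments" (post 12) and pull-not-push (post 3) can look like on the machine being backed up, as an added example rather than either poster's own setup: a forced-command wrapper bound to the backup device's ssh key, which lets sshd run only the server side of an rsync pull of one tree. The script path, the authorized_keys options and /srv/data are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): forced-command wrapper installed on the
# machine being backed up. Hypothetical authorized_keys line for the backup key:
#   command="/usr/local/bin/rsync-pull-only.sh",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA...pubkey... backup@backupbox
# sshd runs this script instead of whatever the client asked for and exposes the
# requested command line in $SSH_ORIGINAL_COMMAND.

set -f   # never expand globs: the command string is data, not a shell pattern

ALLOWED_ROOT="/srv/data"   # assumption: the only tree the backup box may read

# check_rsync_pull_cmd CMD ROOT
# Returns 0 when CMD is the server side of an rsync pull of a path under ROOT,
# 1 otherwise. Nothing is executed here; the caller decides what to do.
check_rsync_pull_cmd() {
    cmd=$1
    root=$2

    # When the far end receives (pulls), rsync asks us to run
    # "rsync --server --sender ...". A push from an infected machine asks for
    # "rsync --server ..." without --sender, so it never passes this check.
    case "$cmd" in
        "rsync --server --sender "*) ;;
        *) return 1 ;;
    esac

    # Refuse shell metacharacters and the one sender-side option that
    # modifies the source tree.
    case "$cmd" in
        *[';&|$(){}<>`']*)          return 1 ;;
        *--remove-source-files*)    return 1 ;;
    esac

    # The source path is the last word; it must stay inside ROOT with no "..".
    last=""
    for word in $cmd; do last=$word; done
    case "$last" in
        *..*)               return 1 ;;
        "$root"|"$root"/*)  return 0 ;;
        *)                  return 1 ;;
    esac
}

# Entry point used by sshd: exec the vetted command, or log and refuse.
run_forced_command() {
    if check_rsync_pull_cmd "${SSH_ORIGINAL_COMMAND:-}" "$ALLOWED_ROOT"; then
        # Word-split the vetted string and exec it directly, without a shell,
        # so the metacharacter check above is belt-and-braces, not the only line.
        set -- $SSH_ORIGINAL_COMMAND
        exec "$@"
    fi
    logger -t rsync-pull-only "refused: ${SSH_ORIGINAL_COMMAND:-<no command>}"
    exit 1
}

# Only act when invoked by sshd with a forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    run_forced_command
fi
```

Refusals land in syslog, which gives the backup device's owner a signal that something on the protected side (or a stolen key) tried to do more than pull.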