Slashdot Mirror


Angler Exploit Kit Evasion Techniques Keep Cryptowall Thriving

msm1267 writes: Since the Angler Exploit Kit began pushing the latest version of Cryptowall ransomware, the kit has gone to great lengths to evade detection from IDS and other security technologies. The latest tactic is an almost-daily change to URL patterns used by the kit in HTTP GET requests for the Angler landing page, requests for a Flash exploit, and requests for the Cryptowall 3.0 payload. Traffic patterns as of yesterday are almost unrecognizable compared to those from as recently as three weeks ago.
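The summary's point is that signatures keyed on URL patterns go stale when the kit rotates them daily. The following added example (not code from the story or from the Threatpost article it links) flags the three-stage chain the summary describes, landing page then Flash exploit then payload, by the sequence of response content types from one host within a short window, which does not depend on the URL text at all. The log format, field order, window size and the `BINARY_TYPES` set are assumptions made for this example, and the sample log lines are constructed.

```python
"""
Added example (not from the story or the Threatpost article it links): flag an
exploit-kit request chain in web proxy logs by the sequence of response content
types, not by URL patterns, since the summary says Angler rotates its URL
patterns almost daily. The log format, field order and window size are
assumptions for this example; the sample log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample log, one request per line:
# <iso-time> <client-ip> <method> <url> <status> <content-type>
SAMPLE_LOG = """\
2015-05-20T10:00:01 10.0.0.5 GET http://news.example/index.html 200 text/html
2015-05-20T10:00:02 10.0.0.5 GET http://ads.example/banner.js 200 application/javascript
2015-05-20T10:00:03 10.0.0.5 GET http://qx7.example/viewtopic.php?t=81a2 200 text/html
2015-05-20T10:00:05 10.0.0.5 GET http://qx7.example/jHw29x 200 application/x-shockwave-flash
2015-05-20T10:00:09 10.0.0.5 GET http://qx7.example/k2Lz0 200 application/octet-stream
2015-05-20T10:05:00 10.0.0.7 GET http://video.example/player.swf 200 application/x-shockwave-flash
2015-05-20T10:30:00 10.0.0.7 GET http://dl.example/setup.exe 200 application/octet-stream
"""

FLASH_TYPE = "application/x-shockwave-flash"
# Content types a payload download is likely to be served as (assumption).
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-dosexec"}
WINDOW = timedelta(seconds=60)  # max gap between consecutive stages (assumption)


def parse_line(line):
    """Split one constructed log line into a record; content-type parameters are dropped."""
    ts, client, method, url, status, ctype = line.split(maxsplit=5)
    return {
        "time": datetime.fromisoformat(ts),
        "client": client,
        "method": method,
        "host": urlsplit(url).hostname,
        "url": url,
        "status": int(status),
        "ctype": ctype.split(";")[0].strip().lower(),
    }


def _next_stage(records, after, host, wanted, window):
    """First record from `host` with a wanted content type within `window` after `after`.

    `records` must be sorted by time, so the scan can stop once the window is exceeded.
    """
    for rec in records:
        if rec["time"] <= after["time"]:
            continue
        if rec["time"] - after["time"] > window:
            break
        if rec["host"] == host and rec["ctype"] in wanted:
            return rec
    return None


def find_chains(log_text, window=WINDOW):
    """Return one alert per HTML -> Flash -> binary chain served to a client by a single host."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["status"] == 200:          # only delivered responses can be a stage
            by_client[rec["client"]].append(rec)

    alerts = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["time"])
        for landing in recs:
            if landing["ctype"] != "text/html":
                continue
            flash = _next_stage(recs, landing, landing["host"], {FLASH_TYPE}, window)
            if flash is None:
                continue
            payload = _next_stage(recs, flash, landing["host"], BINARY_TYPES, window)
            if payload is None:
                continue
            alerts.append({
                "client": client,
                "host": landing["host"],
                "landing": landing["url"],
                "flash": flash["url"],
                "payload": payload["url"],
                "elapsed_s": (payload["time"] - landing["time"]).total_seconds(),
            })
    return alerts


if __name__ == "__main__":
    for a in find_chains(SAMPLE_LOG):
        print(f"{a['client']} -> {a['host']}: landing {a['landing']}, flash {a['flash']}, "
              f"payload {a['payload']} in {a['elapsed_s']:.0f}s")
```

Run against the constructed log, only the 10.0.0.5 sequence is reported: the 10.0.0.7 client also fetched a Flash file and a binary, but from different hosts, with no HTML landing page and 25 minutes apart, so it does not match the chain. The trade-off is that a kit which splits stages across hosts or pads the delays between them would need a looser correlation than the same-host, 60-second rule used here.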

36 comments

  1. BECAUSE IDIOTS PAY IT! by Anonymous Coward · · Score: 0

    "While Angler still pushes out various malware payloads, it seems to have taken a liking to Cryptowall 3.0." - Because idiots pay it!

    1. Re:BECAUSE IDIOTS PAY IT! by Anonymous Coward · · Score: 0

      You seem confused. Paying the ransom is the best option for some people. Not everyone who doesn't test their backups on a non-Internet-connected machine is an idiot.

    2. Re:BECAUSE IDIOTS PAY IT! by mlts · · Score: 5, Informative

      Unfortunately, as it stands right now, even with rapid growth, ransomware is approaching its infancy. I'm not going to be surprised when the next CryptoWall releases go after Active Directory and enterprise-level resources, as opposed to local items and the network share or two.

      Three reasons why this is:

      1: There are no SOHO backup systems to defend against it. If you can get the user to not restore in 30 days with most cloud backups, their data is gone... and some cloud backups may just only keep the latest (useless) version. Plugging in a USB flash drive, backup drive, using a NAS, or using a Time Capsule works against disasters like HDD failure or accidental microwaving of a laptop... but all ransomware has to do is zero out the backup drive... or just punch random holes in stored files so they are worthless. A lot of newer machines don't have optical drives, much less decent backup software to get the user to back up to them.

If you want a real defense against ransomware, it takes an external backup server which pulls data, stores it where the client machine cannot access or destroy it, and can store images for weeks to possibly years (because as ransomware evolves [1], it will be running longer before it gets detected.) However, not many home users will buy a PC with some drives, slap Windows Server 2012 R2 Essentials on it (which replaces Windows Home Server), and use that to pull backups from their desktops. There are appliances that do this... if you want to pay $50,000 to Symantec for a NetBackup appliance, and have the rack space for it.

      What is really needed is a standard, cross platform backup client that not just allows for files, but snapshots (so open files can be copied) and entire machines, so bare metal restores are easy to accomplish, be it a restore to a local drive, or via the network. For authentication, something similar to SSH. This way, a user can buy an appliance, log onto the console, set up backups (perhaps RSA key exchanges), set up schedules, and call it done. More features (encryption, deduplication) can be added... but the main thing is getting backups going in the first place.

      2: The infection vectors are still there. For example, a malware writer might write code to take advantage of a compromise/buggy browser add-on, it goes through an ad server, and winds up nailing people visiting even mainstream sites.

      Even ten years later, the Web browser is still the primary infection vector. Even with virtual machine and container technology, if an add-on gets nailed, there is a good chance it can seize the entire browser, and thus a user context. Even with just the context of a browser add-on, it likely can read and write to any documents the user has access to. Add a few more exploits, it can run unfettered as a user, or even get admin/root rights so it can reflash the firmware on drives, video cards, keyboards, and other items.

      This can be limited by running the browser in a VM or sandbox, but most users won't be doing this, so it is only a matter of time before the next add-on has 0-days, and just visiting a site results in compromise.

3: Not as bad as drive-by compromises, but Trojans are still an issue. On Linux, BSD, and OS X, this is less of an item, since users are conditioned to use a repository. Windows still is wild and wooly when it comes to this, and even if one does visit the right download site, it might be a mirror that decided to pack some additional "functionality" into the installer, and re-sign that with their own Authenticode key, so it passes the signature check test.

      The possible fix? MS having a store that allows for more than just Metro applications to be installed and updated, preferably with active, brutal curation. That way, if a user wants a copy of WinZip, they just fetch it from the store, rather than risk a compromised website, mirror, CDN, or app installer.

      Ransomware is going to be with us a long time, just because it does well at going after the low hanging fruit, and with what is available (domain admin rights, for example), just encrypting files is just the initial salvo in this battle.

[1]: It's pretty much a fact that malware, as a whole, is absolutely the best code in terms of quality, robustness, and updates.

    3. Re:BECAUSE IDIOTS PAY IT! by Anonymous Coward · · Score: 0

For SOHO, can't you just do something simple like have a cron job that compresses and mirrors the data to another device (NAS or SAN) on the network that does not have direct access to the drive via a physical interface? The NAS device could be configured to grab rather than push data.

    4. Re:BECAUSE IDIOTS PAY IT! by DigiShaman · · Score: 1

      It will only go after AD if the Domain User account is a member of Domain Admins, Schema, etc. Even IT Administrators should have their own User account, and leave the one for Domain Admin as a utilitarian account. Because, if you're a member of those high level privileges and run the virus, it will run with whatever your account has access to!

      Here's a previous article on the subject. Be sure to block My_Resume.zip and My_Resume.svg from e-mail in the meantime.

      https://threatpost.com/cryptow...

      --
Life is not for the lazy.

    5. Re:BECAUSE IDIOTS PAY IT! by Anonymous Coward · · Score: 1

      Not everyone who doesn't test their backups on a non-Internet-connected machine is an idiot.

      Yes, yes they are.

      Or their data isn't worth anything even to them.

    6. Re:BECAUSE IDIOTS PAY IT! by mlts · · Score: 1

      I'm reading this as basically creating a tar file of the machine and documents, throwing it to a remote machine's incoming directory, and that incoming machine moving the file to somewhere inaccessible to the client?

      This is a way to do it, but might be better to just have the NAS or other appliance initiate the pull so the data can be better stored in snapshots.

    7. Re:BECAUSE IDIOTS PAY IT! by grumpy_old_grandpa · · Score: 1

      I agree with most of what you say, although I have a hard time following some of it: For example, even on Windows, you can use basic tools like ssh and rsync, I believe. Set up a crontab'ed rsync from an external machine like you say, and you're good. One-way public key authentication. That's (relatively) easy and inexpensive.

Which leads me to the cost of such a system. In my case, I have two decommissioned laptops (even a Raspberry Pi 2 would do the job) bought for $50 in two separate locations from my house. Each has a 3 TB external USB disk, bought about three years ago. I do an incremental of /home every day, and a full backup twice a month. Never deleted anything. DSLR pictures come extra (one time is enough; don't need redundant unchanged incrementals), and I don't find it necessary to back up porn and piratebay downloads. I'm currently at 30% free space left, so will probably buy a new pair of 6-8 TB disks in a year or so. Average cost per year is at around $100-150, I guess.

Granted, this is not for everybody. Then again, this system covers my family, including parents. So yeah, not a business, if that is what you meant. However, scaling this up is not going to go exponential. Randomly picked server hosting I could find is at $1000 / year; there's probably many cheaper options out there. If that covers a business of 5 - 10 people, the cost per head is about the same.

    8. Re:BECAUSE IDIOTS PAY IT! by Solandri · · Score: 1

      Plugging in a USB flash drive, backup drive, using a NAS, or using a Time Capsule works against disasters like HDD failure or accidental microwaving of a laptop... but all ransomware has to do is zero out the backup drive... or just punch random holes in stored files so they are worthless. A lot of newer machines don't have optical drives, much less decent backup software to get the user to back up to them.

      This is something I've never understood. External hard drives should have a read-only toggle switch. It will help protect the drive against malware infections. And I know I'm not the only one who's made the bone-headed mistake of copying the corrupted file over the good backup, instead of the other way around.

    9. Re:BECAUSE IDIOTS PAY IT! by Anonymous Coward · · Score: 0

      C:\>format c:

      install Linux. install Firefox. install adblock plus, ghostery, and noscript addons for firefox.

      Where are your threats now?

    10. Re:BECAUSE IDIOTS PAY IT! by Anonymous Coward · · Score: 0

      No, you're confused. You're paying criminals to write better malware because their attack succeeded.

    11. Re: BECAUSE IDIOTS PAY IT! by Anonymous Coward · · Score: 0

      How about a write, but no modify switch? So you can still backup to that drive, but no overwriting is allowed, new files only. I'd probably use that if I could.

    12. Re: BECAUSE IDIOTS PAY IT! by mlts · · Score: 1

      This does exist, and is the UDF filesystem. This allows writing in packets and sessions, without affecting existing data on media. However, having a hard drive controller enforce this (to prevent a blkdiscard /dev/sda or a dd if=/dev/zero of=/dev/sda) would take some engineering.

      Next to an appliance, the real answer to this might be good old fashioned tape. The newer LTO drives can use WORM media, can be hardware set read-only, and encryption can be set on the drive itself. However, tape has wound up being aimed at the enterprise. Maybe if some maker of the LTO consortium made a drive that could tolerate lower speeds and run at USB 2.0 as a low common denominator, this would improve the ability to have reliable backups.

    13. Re:BECAUSE IDIOTS PAY IT! by mlts · · Score: 1

      I read people saying the exact same thing about Macs, with statements that OS X is "100% secure". After recent events, I don't read much about that (although with the fact that most Mac programs are downloaded from a secure repo does help put the kibosh on Trojans.)

      Linux isn't bulletproof. There are new programs that wind up even in enterprise distros that can wind up being avenues for remote attack. Plus, Firefox under Linux will behave the same if compromised just as Firefox under Windows does. I do agree the AdBlock/ghostery/noscript addons are the most important frontal defense, arguably more important than an AV program, but nothing is completely secure, not even on Linux.

      This isn't to bash Linux... but it isn't invulnerable, especially if it started picking up traction on the desktop.

    14. Re:BECAUSE IDIOTS PAY IT! by Anonymous Coward · · Score: 0

      Write once media is still for sale. I use it for tax records and other important backups such as vacation photos.

    15. Re:BECAUSE IDIOTS PAY IT! by Anonymous Coward · · Score: 0

      Mac OSX plain and simple is a customized (free) BSD re-packaged/modified/sold. The BSD license allowed them to take others' code and sell it. They did. They increased margins by forcing users to flee windows yet ONLY ON THEIR PROPRIETARY HARDWARE. So, dummies thought OK anything but Windows! I will pay, sure. Finally, they wised up and dropped proprietary hardware requirements. Had they not entered other markets, it would likely have been way too late.

BSD and Linux run on PPC too by the way. PPC was always weak in comparison to Intel. To stay relevant, Apple accepted better hardware. Intel. You get walled garden treatment as part of the deal though. The entire attraction to Mac are feelings of "it's not Windows" and "it's high class". "wow doge so smart" Well, it's BSD with money behind it because they sell it to unsuspecting clucks. Of course it is more stable than Windows, BSD > Windows. People are led to believe it is better because it costs more. A very stupid conclusion but somewhat accidentally justified because it is in fact better than Windows.

      Linux has no restrictions, it is free all day all night and you (anybody) can see the source code. This doesn't mean everybody looks at the source code, but many do. The droves rely on those that do look at it. The point is, people CAN and DO look at it. If something is sneaky then HEY, here comes a code auditing hero yelling loudly across internet tech forums/blogs/sites etc. Awesome. Internet bro fist, all that.

      The last major Apple trojan I remember was injected by visiting a Mac OSX dev site. I forget which one, no need for me to look, you can do it. But you brought up Mac, I was speaking of Linux.

Linux isn't bulletproof. Rootkits although VERY unlikely are possible. What you don't see are botnets of Linux servers like you do with Windows. A compromised Firefox in Linux won't likely get you the escalated privileges it will in Windows. (hello su) If you block all scripts (NoScript addon) when you click on say, some .cn link you never heard of etc, you are ahead of the game. (Many people do not even know what a universal resource locator is when stated as such.) You can enable scripts again to surf your bank's site, etc on the fly. There are a couple of wise parameter switches in about:firefox to address too DYODD.

      You can use SELinux for eg., or
      http://lifehacker.com/linux-security-distros-compared-tails-vs-kali-vs-qub-1658139404

      3d snowd3n us3d tails.

      This isn't to bash Linux... but it isn't invulnerable

Without physical access to a machine, Linux is extremely secure. Even better when you are behind a router that is likely running on Linux whether you knew it or not. You are just saying nothing is perfect. Every encryption is readily available for free with Linux as well. It was already free and available way way before bitlocker and buying/upgrading to a "pro" (lol) version of windohs to be able to use it.

      if it started picking up traction on the desktop

      It has. Once it gets full momentum, Windows should be erased and put in a museum. Windows is a stupid design from the get-go. It's a monolith. I can not imagine Billy doesn't realize Linux is a smarter design than Windows. He is about the money and looking like he did it all in the name of philanthropy and love. Shyster. Anti-trust. His money is money from all the plebs. Somebody else would do far better at philanthropy on behalf of the world's PC OS expenses than him. 100% sure.

      If you aren't already using Linux, you are missing out. distrowatch.com
      PC-BSD is a likewise simple install if you want to learn BSD too. http://www.pcbsd.org/

      Documentation is better in general with Linux because there's money behind some of it. Both are free to use and each is far more stable, secure, and functional than Windohs. Windows is like a cyst that grew since Windows 3.1 days.

      Joke? Windows 10. I saw this a while back, it will

    16. Re:BECAUSE IDIOTS PAY IT! by Anonymous Coward · · Score: 0

      Linux on the desktop is going to be a tough call. Which distro is standard for packages? .rpm? .deb? .tar.gz? With systemd, a package has to be able to start via systemctl or SVR4, as each has different startup mechanisms, so it takes being aware and coding the absence/presence of it. Then, there are libraries.

      Linux suffers from the same problem that Android does -- fragmentation. There is no "reference" platform a coder can use. Instead, the best a company can do is select a number of platforms like RedHat and code for that. For example, Symantec NetBackup has a very limited list of Linux distros, not even CentOS makes the list.

Application/game makers also want DRM... well, not the devs, but the marketing people who control the purse strings and order the devs what to write. Let's be real here: You are not going to see Call of Duty, HALO, or a top tier game title on Linux anytime soon.

      What does a Mac give over Linux? Hell, Apple does major changes under the hood all the time, so an application from five years ago may be useless today. The days of "the fastest OS X yet" are also gone. However, Macs give a controlled platform that if someone writes an application for OS X, they really don't have to worry about the hardware or configuration of the machine it is running on. Even though Apple has given the middle finger to the enterprise for management, they have the best, most supported, with applications, desktop OS out there next to Windows.

      What does Windows have? You won't be running a company without it unless you have very cheap manpower to throw at things. OpenLDAP and Zimbra might work on a low level, but there is a reason the big boys use Office, Exchange and AD, and it isn't out of love for MS's stock price. On a large scale, good luck managing Linux desktops, while Windows has a ton of tools (GPOs for starters) to keep vast numbers of machines in line and auditable.

      Finally, Linux isn't anywhere 100% secure. The past year of exploits in OpenSSL, bash and other items allowed for remote root. Systemd has a lot of untested code, and listens on the network, which means that it likely will spring remote root holes... and we haven't even scratched the surface about privilege escalation issues with all this new code. Linux doesn't even have much in the way of context protection (SELinux helps, but not in this situation), so if something gets control of the web browser, it has control of the user... and from there could probably find a root hole... and an infected Linux system would require a complete rebuild of the entire system, apps, and even shell scripts.

      The reason why this hasn't happened often, is that the bad guys have found Windows a juicy, tempting target... far more a target than Linux servers. However, as Microsoft tightens the screws (both on the server side with Docker functionality in containers, normal VMs, and thin VMs, as well as clients which require a TPM for W10 certification), Linux may start to wind up on the menu for the bad guys... and ransomware on Linux would be a lot easier to write (tools like GnuPG, scp, dd, fstrim, and blkdiscard make it almost trivial.)

      This isn't to say any OS is 100% better than another. However, Linux doesn't solve every problem, nor can OS X, nor Windows.

    17. Re:BECAUSE IDIOTS PAY IT! by Anonymous Coward · · Score: 0

      Linux on the desktop is going to be a tough call. Which distro is standard for packages? .rpm? .deb? .tar.gz?

      [they all work fine.] there is a lot good to be said about rpm, but you can use apt, yast, etc. i prefer zypper.

      urmpi was excellent when i used to run mandrake cooker back in the days. [they all work fine.]

      With systemd, a package has to be able to start via systemctl or SVR4, as each has different startup mechanisms, so it takes being aware and coding the absence/presence of it. Then, there are libraries.

      [they all work fine.] All magically happens behind the scenes these days. Dependency Hell is a non-issue. It just works. [they all work fine.]

      Linux suffers from the same problem that Android does -- fragmentation. There is no "reference" platform a coder can use. Instead, the best a company can do is select a number of platforms like RedHat and code for that. For example, Symantec NetBackup has a very limited list of Linux distros, not even CentOS makes the list.

[they all work fine.] Neither Linux nor Android suffer from "fragmentation" as you put it. It doesn't magically confuse people when add two that don't, then make a combined false claim about each.

"reference" platform? You can code in any language you care to and compile binaries for any/all distros. VLC, Firefox, name it. There are ready-to-go binaries for all distros. It's not some issue, everything works great. You can also take any distro and locally compile for your machine's hardware. You have literally every possible option. This is why Fortune 500's, search engines, supercomputers, governments, etc use Linux.. and not Windows. More clearly, again, NOT Windows. Zero supercomputers on top500.org running Windows. None. They can afford billions of $USD on hardware and staff; you think they couldn't use Microsoft or Apple OSes if they were better?

      [they all work fine.]

Application/game makers also want DRM... well, not the devs, but the marketing people who control the purse strings and order the devs what to write. Let's be real here: You are not going to see Call of Duty, HALO, or a top tier game title on Linux anytime soon.

[they all work fine.] Steam is DRM and it runs on Linux. You made an absolute misleading series of statements again. PS4 is BSD kernel, I can guarantee you those are "top tier game titles". If you can do it with BSD, you can do it with Linux. The reason they haven't is because Windows is still allowed to monopolize OEM PC bundles. Windows OS comes on your PC. This sucks. That's my point. I addressed this above. The point of sale retailers are often not tech enough to make an educated comparison, and people like you come through trying to convince and complicate and confuse. You try to craft all these false assertions in a way that fools people into the hype. Not all are fooled. I am certainly not. [they all work fine.]

      What does a Mac give over Linux? Hell, Apple does major changes under the hood all the time, so an application from five years ago may be useless today. The days of "the fastest OS X yet" are also gone. However, Macs give a controlled platform that if someone writes an application for OS X, they really don't have to worry about the hardware or configuration of the machine it is running on. Even though Apple has given the middle finger to the enterprise for management, they have the best, most supported, with applications, desktop OS out there next to Windows.

      These statements have no flow. I will address them anyway. Mac has nothing over Linux. Not one thing. The best thing about a Mac is you can run Linux on it. You can run Linux on the majority of devices. And everyday people are allowed to audit the source with Linux. That is a big deal and why the big boys all use Linux.. Amazon, Google, name it. You can chec

  2. Maybe try a hosts file by Anonymous Coward · · Score: 0

    I'm thinking a good hosts file probably would help.

    1. Re:Maybe try a hosts file by Anonymous Coward · · Score: 0

      Hey! APG, you forgot to identify yourself!

  3. Not a Federal priority by Okian+Warrior · · Score: 4, Interesting

    As many people have pointed out, it's straightforward to set up a honeypot that triggers the exploit, pay the ransom, and then follow the money.

    Many people are affected by ransomware. If the US made fixing this problem a priority, many *people* would be relieved of anguish and suffering.

    Instead, the feds look into crimes against corporations. How's that investigation into fiber cutting in San Francisco coming along?

    Or crimes against authority. What was the cost versus benefit of the Silk Road investigation?

    If the US made *people* a priority, it would get done.

    (And for the record, Bitcoin is not anonymous and we have agreements with other countries for criminal activity. )

    1. Re:Not a Federal priority by Anonymous Coward · · Score: 0

      Put the Bitcoins in a tumbler or convert them to DarkCoin. Now trace them....

    2. Re:Not a Federal priority by mlts · · Score: 2

      Now that's the rub. All it takes is for the trail to hit a country that is overtly hostile to the US, or just not willing to cooperate, and the trail goes cold. For example, if the perp who made malware tools was situated in Yemen, Brazil, or Venezuela, the local government would be giving the person accolades for doing such a thing.

As for Bitcoins, they are definitely traceable. However, efforts like tumblers and CoinJoin may be new and holes found, but they are getting better, and if combined with an exchange that would trade BTC for another currency, that would leave the trail cold. If worse comes to worst, there will be someone who makes a BitCoin 2.0 that has anonymity built in.

US law enforcement can't really fix this problem, just because almost invariably any investigation will lead outside of the country's borders, forcing any police work to become an international effort, and other countries tend to really not care if a foreign citizen gets taken for a ride, as opposed to investigating domestic issues.

      This is a problem that has to be fixed by technical means. Legal means will not really work here.

    3. Re:Not a Federal priority by pr0nbot · · Score: 1

      What's a tumbler? A tumble dryer? (I'll admit I often lose coins there.)

    4. Re:Not a Federal priority by Anonymous Coward · · Score: 0

      Why is it always the US has to fix it? And if they do fix it they will still need to swallow a large ration of shit from the people standing in the corner holding their coats. And as far as helping only evil corporations goes it would only be fair to recognize that these corporations provide millions of jobs to the *people*. Jobs not only for those working directly for the corporation but also for all the jobs created down stream. One example would be MS. Think of how many IT jobs that have been created over the past 25 years because of MS products.

  4. Antivirus is useless. by Anonymous Coward · · Score: 2, Interesting

    https://www.virustotal.com/en/file/2dfd43d6776b5712e5fd9d82d3a6b5d0097d2b9371915539ed0b88f4097224a8/analysis/

    This sample came in nearly a day ago. When I first saw it hours after, only 5 detected it. As of this posting it's roughly at 28/56. The other half that don't detect it is the lower end of the AV spectrum, along with MSE.

    It took about 6 hours after the sample came for the heavy dogs: NOD32, Kaspersky, BitDefender and etc to detect it.

    1. Re:Antivirus is useless. by DigiShaman · · Score: 2

It's polymorphic, so yeah, AVs won't find it. It executes randomly, in random memory, does its damage to files and drops a few HELP_DECRYPT.HTML files in whatever directory got hit. Then it terminates itself.

      It does this to prevent reverse engineering and detection by AVs. Also, it won't run in VM environments so as a snapshot can be created to reverse engineer it too, so I've read. I haven't confirmed that part however.

      I believe the payload is hosted in random Google Doc sites.

      --
      Life is not for the lazy.
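
The note-per-directory behaviour described in this comment is also the quickest way to scope an incident after the fact. The following added example (not code from the post) walks a tree, lists every directory that contains a HELP_DECRYPT.HTML note, bounds the incident window from the notes' timestamps, and lists files in those directories written around the time the note appeared as probably encrypted. The `TOLERANCE_S` value, the `triage()`/`demo()` names and the constructed tree in `demo()` are assumptions made for this example.

```python
"""
Added example, not code from the post: first-pass scoping of a ransomware hit
from the ransom notes it leaves behind. Walks a tree, lists directories that
contain HELP_DECRYPT.HTML (the note name given in the thread), bounds the
incident window from the notes' mtimes, and lists files in those directories
modified around the note's time as probably encrypted. The tolerance and the
demo() tree are assumptions.
"""
import os
import shutil
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path

NOTE_NAMES = frozenset({"HELP_DECRYPT.HTML"})  # the note name given in the thread
TOLERANCE_S = 300  # files written this close before the note count as touched (assumption)


def triage(root, note_names=NOTE_NAMES, tolerance_s=TOLERANCE_S):
    """Map the hit directories, the incident window and the probably-encrypted files under `root`."""
    root = Path(root)
    note_time_by_dir = {}
    for dirpath, _dirs, files in os.walk(root):
        found = [n for n in files if n.upper() in note_names]
        if found:
            d = Path(dirpath)
            note_time_by_dir[d] = min(os.stat(d / n).st_mtime for n in found)
    if not note_time_by_dir:
        return {"hit_dirs": [], "window": None, "suspect_files": []}

    suspects = []
    for d, note_time in note_time_by_dir.items():
        for name in os.listdir(d):
            p = d / name
            # Anything written shortly before the note, or after it, is treated as touched;
            # a file untouched for months predates the incident and is left out.
            if (p.is_file() and name.upper() not in note_names
                    and os.stat(p).st_mtime >= note_time - tolerance_s):
                suspects.append(str(p.relative_to(root)))

    def iso(t):
        return datetime.fromtimestamp(t, timezone.utc).isoformat()

    times = note_time_by_dir.values()
    return {
        "hit_dirs": sorted(str(d.relative_to(root)) for d in note_time_by_dir),
        "window": (iso(min(times)), iso(max(times))),
        "suspect_files": sorted(suspects),
    }


def demo():
    """Constructed tree: one directory hit (with a note), one untouched, one old file predating the hit."""
    base = Path(tempfile.mkdtemp(prefix="triage-"))
    docs, music = base / "Documents", base / "Music"
    docs.mkdir()
    music.mkdir()
    (docs / "budget.xlsx").write_bytes(b"\x00\x17ciphertext\xff")   # constructed "encrypted" file
    (docs / "HELP_DECRYPT.HTML").write_text("<html>constructed note</html>")
    old = docs / "archive_2010.txt"
    old.write_text("untouched for years")
    past = time.time() - 30 * 86400
    os.utime(old, (past, past))                                    # backdate: predates the incident
    (music / "song.mp3").write_bytes(b"not touched")                # directory without a note
    result = triage(base)
    shutil.rmtree(base, ignore_errors=True)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The mtime heuristic is deliberately loose: it over-reports rather than misses, which is the right direction for deciding how far back to restore. A file the malware left alone but the user edited the same afternoon will show up as a suspect, and the reconciliation DigiShaman describes further down the thread is where those get sorted out.
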
  5. Our saving grace, perhaps? by mlts · · Score: 2

    This may be our saving grace, something as simple as doing one's work in VMs, using the bare metal OS pretty much as a hypervisor and method to back up the VM images. With SSDs, this makes the job easier (because booting an OS isn't that I/O intensive, but you have multiple instances fighting for the drive head on conventional HDDs, which causes I/O slowdowns across the board.)

    VMs are one of the few tools that can fight ransomware effectively. If the software doesn't play and deletes itself, no major loss. When hypervisors start getting "smarter" and are able to use heuristics to detect zero day infections that are hidden to the OS in a VM, this will raise the barrier significantly. Of course, the ability to roll back to a known, good snapshot in seconds completely negates ransomware's ability to destroy stuff, forcing the software to have to be inactive for a long period of time to hide its functioning.

    1. Re: Our saving grace, perhaps? by DigiShaman · · Score: 1

      Yes and no. Malware such as CryptoWall goes after the user data specifically. It can run for days or months without detection. By the time you figure out something ain't right, the first task is to figure out how deep that rabbit hole to hell goes. You can't simply roll back to a previous snapshot without losing all subsequent productivity. You will have to perform some reconciliation with data due to undetected daily data destruction. It's not a fun day to deal with that!

      --
Life is not for the lazy.

    2. Re: Our saving grace, perhaps? by Anonymous Coward · · Score: 0

      That's why I have a system drive and programs/data drive. System drive can be reformatted, there is no loss except time. The data drive is backed up regularly to 2 other drives but months apart, in case last backup was infected. Anything that's a work in progress goes to a flash drive that's usually not plugged in.

      Currently looking into disguising a normal windows install as a VM just for shits n giggles.

    3. Re: Our saving grace, perhaps? by Anonymous Coward · · Score: 1

      Sounds more useful than just shits and giggles. If a lot of modern viruses refuse to run in VMs then turn your primary machine into a VM and then you're safe!

    4. Re: Our saving grace, perhaps? by Anonymous Coward · · Score: 0

      Well you never know. It isn't as simple as they refuse to run. It's gotta run something to do the check first. So nothing's stopping them from having it download "escape the VM and nuke the host" or a keylogger or the old version instead of new ransom-ware they wanna keep secret.

    5. Re: Our saving grace, perhaps? by mlts · · Score: 1

For now that is. Right now, malware writers are going for low hanging fruit, who don't even know what a VM is, or if they ran one on their desktop, would complain about performance (not knowing the VM disk images belong on an SSD, or at least their own spindles to not contend with the host desktop OS [1]).

Once VMs gain traction (say someone combines dedupe with COW and applications wind up with their instance of an OS with just the footprint of the application so VMs become as common as applications with their own separate stack/heap are now), it will be a different story. We will start seeing attacks on hypervisors being attempted [2], but since hypervisors have historically been built from the ground up for security, this will help mitigate things. Of course, as stated elsewhere, the bad guys can always have their code pull chaff such as a fake malware instance to lead researchers on rabbit trails.

[1]: Desktop OS. This isn't as big an issue with ESXi, especially with compute nodes and big fat disk caches on the HBAs or CNAs.

      [2]: Mixed bag. I'd like to see hypervisors get hardened, but if there is some sort of attack at the CPU level, that means malware in one VM has it made on the entire machine... and there would be no way to ever address that short of tossing the CPU or entire machine.

    6. Re: Our saving grace, perhaps? by mlts · · Score: 1

There have been a few cases where I've ended up doing a V2P migration (which is extremely rare, but usually for something that, by policy, has to be on its own hardware, or that I create the VM and get the app in place and tested, then image it to a machine's bare metal for production use via WIM or another mechanism.) I'm sure these will leave the VMWare client files running, but not doing anything, similar to how a Hyper-V to VMWare migration leaves the Hyper-V files present.

      In fact, if one turns on Hyper-V in Windows 8 and newer, it might register as a VM to malware, even though it essentially is just a single instance.

      Ideally, depending on environment, I've found that separating the system from programs under Windows is tough. Reinstall the system, and most programs will need to be reinstalled due to Registry entries missing. Some programs can allow this (mainly MMOs, oddly enough -- WoW, Rift, EQ, and EQ2 can be split off and run on a Windows instance without reinstallation), but most won't. So, for Windows, keeping one's data separate is more of a focus than splitting the application from the OS.

      OS X has a similar issue (mainly because /Applications can't really be moved to a separate partition [2], but I could be wrong.) However, it is easy to move /Users to another partition.

On other operating systems, a system, application, and data separation makes sense. In AIX, this is something you are supposed to do, so you can have multiple rootvgs available [1]. On Linux, it is good as well, since you can split /opt off and reinstall without affecting applications.

      [1]: In high security installs of AIX, no process has root. UID 0 can be configured to be just a schmuck user. To update these where no process has the ability to install software, the rootvg needs to be rebooted, another instance of AIX loaded that will do the OS updates to the secure one, then the machine (or LPAR) gets booted back to the secure OS root.

      [2]: Wish Apple would bite the bullet and add ZFS into OS X as a root filesystem (and not via FUSE.) This way, it really doesn't matter where what data is physically located where, other than the code for booting.

  6. Something missing from the summary by Anonymous Coward · · Score: 0

There is something missing from the summary and that is Cryptowall only runs on Microsoft Windows. Why this discrimination against Open Source?

    1. Re: Something missing from the summary by Anonymous Coward · · Score: 0

      You're actually wrong.