Inside Cryptowall 2.0 Ransomware
msm1267 writes: If you need more evidence that ransomware is here to stay, and could turn into cybercriminals' weapon of choice, look no further than Cryptowall. Researchers at Cisco's Talos group have published an analysis of a Cryptowall 2.0 sample, peeling back many layers of known commodities around this threat, such as its use of the Tor anonymity network to disguise command-and-control communication. But perhaps more telling about the commitment around ransomware is the investment attackers made in its capabilities to detect execution in virtual environments, building in many stages of decryption before the ransomware activates, and its ability to detect 32- and 64-bit architectures and execute a different version for each.
Cryptowall is very sophisticated (Score:5, Informative)
Cryptowall is very sophisticated (Score:5, Insightful)
The best protection is to pull your backups, not push. You have whatever is performing your backups connect into the machine, and then pull the backups, rather than having the machine being backed up connect to the destination and push. That way, the machine can be compromised but it has no clue that it's even being backed up (since it's simply a share that's being used). When you use a USB drive, you'll be safe, until someone plugs it into that machine not knowing that as soon as they do, it will begin encrypting what's accessible on that USB drive. I always try to back up from outside of the context of what is being backed up. If it's a VM, I back up from the host, not from inside of the VM I need the data from. If it's a storage endpoint, I don't back up the files, I snapshot the volumes.
It isn't always possible to do it that way, but doing it that way has saved my backside more than a few times.
Re:Cryptowall is very sophisticated (Score:4, Interesting)
The best protection is to pull your backups, not push. You have whatever is performing your backups connect into the machine, and then pull the backups, rather than having the machine being backed up connect to the destination and push. That way, the machine can be compromised but it has no clue that it's even being backed up (since it's simply a share that's being used).
Great and interesting, good to be aware of this possibility! But what if the machine that is pulling is infected? How do you know that is not happening?
Re:Cryptowall is very sophisticated (Score:5, Informative)
First, the machine pulling backups has a completely different interaction with the 'world' than your average system-to-be-backed-up. I assume you're not reading e-mail, opening PDFs or surfing the web on the system you use for data backup. Also, it should not execute any of the data it's backing up, so the actual backup process should not be an attack vector for malicious software.
If you still want more security you could choose for the machine pulling backups to actually have a different hardware and/or software platform than the machines it pulls the backups from. For example, you could have Windows desktops and shared SMB partitions that contain the stuff to be backed up and a Linux NAS with a Samba client doing the backups using a cronjob. Make sure that, if the NAS does have a Samba server as well (for network shares), your backups are not available through it because, as we know of Cryptowall, it will also encrypt network data the infected system has write access to.
There is virtually no malicious software that can infect multiple distinctly different hardware/software platforms in the same attack. Although in this particular instance (Cryptowall 2) it does make use of two processor architectures, x86 and AMD64, to do its things...
Re: (Score:3)
Most of the NAS drives out there have a Linux shell available. We rsync from there whenever possible, and the workstation or server does not have rights to the NAS box.
Nothing is perfect, and the ransomware might figure out ways to skirt these protections. It really comes down to defense in depth against different threats -- multiple types of backups. The concern I have now is out-of-space challenges once encryption starts.
Re: (Score:3)
Exactly. I've been doing the same for more than the last decade, except using a second workstation as the backup device (as opposed to NAS).
If the backup machine is on the same LAN, I export the drive (or directories) to be backed up read-only, mount them on the backup read-only, and copy using rsync.
If the machine is in a different location, I share a key pair and pull what I want backed up using rsync (over ssh) from the backup machine.
This is fairly bulletproof, and in no way can anything running on the or
single purpose device, key (Score:5, Informative)
We use two strategies. First, the backup device is ONLY a backup device. It doesn't have a web browser and it's not used for email. We use very large servers to back up our customer data, but on a small scale you could use a Raspberry Pi, an old router with OpenWRT, or a smart NAS. Because the device handling backups has no desktop or services, it shouldn't get infected. Access is strictly limited - either console only or strong ssh keys, perhaps through a VPN first. The backup device can be so restricted because it doesn't need to be usable for anything but pulling backups.
Its access to the machines it backs up can also be extremely limited. The ssh key of the backup device is only allowed to run rsync with pull arguments. So even if the backup device were compromised, it can do no harm.
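The pull-only setup described in the two posts above (back up by pulling over ssh, and let the backup host's key run nothing but rsync in pull mode) can be enforced on the client with an authorized_keys forced command. This is an added example written for this thread, not code from any poster or product; the wrapper path, the allowed directories and the key comment are assumptions.

```shell
#!/bin/sh
# rsync-pull-only: forced-command wrapper for a backup host's SSH key.
# Constructed example; install it on each machine that gets backed up and
# reference it from that account's ~/.ssh/authorized_keys, e.g.:
#
#   command="/usr/local/bin/rsync-pull-only",restrict ssh-ed25519 AAAA...placeholder... backup@nas
#
# When the backup host runs   rsync -a user@client:/srv/data/ /backups/client/
# sshd on the client sets SSH_ORIGINAL_COMMAND to something like
#   rsync --server --sender -logDtpre.iLsfxC . /srv/data/
# The "--sender" flag means this side only reads and sends data (a pull).
# A push, a delete, or a shell never looks like that and is refused, so even
# a compromised backup host cannot write to, delete from, or run commands on
# the client.

set -f   # no globbing, so the word split below stays literal

# Directories the backup host is allowed to read (assumed for this example).
ALLOWED_ROOTS="/srv/data /home"

# path_allowed PATH: 0 if PATH is inside one of ALLOWED_ROOTS and has no "..".
path_allowed() {
    case "$1" in *..*) return 1 ;; esac
    for root in $ALLOWED_ROOTS; do
        case "$1" in "$root"|"$root"/*) return 0 ;; esac
    done
    return 1
}

# allow_rsync_pull CMDLINE: 0 if CMDLINE is a read-only rsync server
# invocation over allowed paths, 1 otherwise.
allow_rsync_pull() {
    set -- $1                                   # split the command line into words
    [ "$1" = "rsync" ] && [ "$2" = "--server" ] && [ "$3" = "--sender" ] || return 1
    shift 3
    seen_dot=0 npaths=0
    for a in "$@"; do
        if [ "$seen_dot" -eq 0 ]; then
            case "$a" in
                .) seen_dot=1 ;;                                        # options end here
                --remove-source-files|--remove-sent-files) return 1 ;;  # sender would delete
                -*) ;;                                                  # other options are fine
                *) return 1 ;;                                          # unexpected word
            esac
        else
            path_allowed "$a" || return 1                               # source paths only
            npaths=$((npaths + 1))
        fi
    done
    [ "$seen_dot" -eq 1 ] && [ "$npaths" -ge 1 ]
}

# Forced-command entry point: only reached when sshd hands us a command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if allow_rsync_pull "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "rsync-pull-only: refused: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

Pair this with a read-only export or a dedicated low-privilege account on the client, since the wrapper limits what the key may run but not what that account may read.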
Re: (Score:2)
Re: (Score:2)
Yes, having a backup set that predates infection is the only solution as far as I can see, regardless of how you back up your data.
I have too much data (tens of thousands of photographs -- I do photography for a living) to "back up to a thumb drive". I back up to a regular Desktop hard drive, temporarily inserted into one of those USB "drive toasters". The drive is then marked with a sharpie and put away somewhere safe. Assuming I'm not infected at the time of backup, and I don't do something stupid like
Re: (Score:2)
That's the rub. The ideal is something like a NetBackup appliance that has deduplication on the backend, the capability for clientside and serverside encryption [1], and the ability for a backup process to go to the client and start snarfing data.
However, unless one has $58,000.00 for a small NetBackup appliance, the only thing that comes even close is Retrospect, which is $2100 for multiple servers, around $1000 for one server. For maximum security, a dedicated, locked down PC is needed so no bad stuff c
Re: (Score:2, Informative)
I wouldn't be surprised to see this actually be a niche market, similar to NAS appliances.
There is quite a lively backup appliance market. For example these [unitrends.com] can do pretty much everything you described.
[1]: Yes, this kills deduplication... but there are some machines which need to be secured in case the backup appliance gets hacked.
You are also completely right here, there is a constant battle between security and deduplication.
Full Disclosure: Posting AC because I am a developer at Unitrends.
Re: (Score:2)
Interesting appliance offerings. The 312 and the other desktop model appear quite useful for almost everyone, if the price is right. Just the fact that malware can't go in and "rm -rf /" the device adds significant protection.
The 312/313 look interesting. The $4000 price point isn't cheap, but trying to do something similar, like building a PC with Windows Server 2012 R2 and then finding an application to do the backups, may run into higher costs overall.
IMHO, be it a Unitrends appliance, a machine runni
Re:Cryptowall is very sophisticated (Score:5, Insightful)
Technically, Microsoft created one, then canned it, as usual.
Windows Home Server contained an EXCELLENT network backup utility - it did image-based backups (but could do file-based restores easily), deduplication, was not accessible via SMB shares, fast, cheap, and a whole lot more. The only downside was it was Windows-only - it could only do NTFS disks because it relies on Volume Shadow Services and on disk tracking (it finds out what actually changed on disk between runs so it only needs to back up the changed content).
It was a great backup, restore and upgrade tool - the recovery program was a bootable CD, and the drivers it needs are stored with the backup so all you need is a USB thumbdrive, copy a specific folder off the machine's backup and use it with the boot CD so the boot CD can access hard drives and network.
And it was automated - every night every machine would get backed up.
But as is typical for Microsoft, they canned WHS and let the backup program in it die because well, it was too useful.
Re: (Score:3)
The "trouble" with Windows backup is that it has read/write access to the backup store. Which means if your computer is compromised by Cryptowall, Cryptowall has read/write access to the backup store... so Cryptowall can encrypt your backup archive files/indexes... whatever else.
Secure backup from something like this, needs to be client/server. The computer must not be able to see the backup archive files directly.
If you save the backups on a network share; using separate credentials that only the backu
A pity hard write protect is no longer an option. (Score:2)
When you use a usb drive, you'll be safe, until someone plugs it into that machine not knowing that as soon as they do, it will begin encrypting what's accessible on that usb drive.
Disk drives - hard, floppy, etc. - used to have a hardware write protect feature. (Switch, punched-notch, etc.) Set it and there was no way the stored content could be changed. A backup that you'd set would not be vulnerable to rewrite attacks when plugged into an insufficiently-cleaned machine to restore the files.
Then drive
Re: (Score:2)
Chuck Norris backs up his computer to single-write BD-Rs. Then he roundkicks your face.
I also do that, but not the face-kick part.
Re: (Score:2)
The best protection is to pull your backups not push.
Or, it's a bit more expensive, but back up to a NAS/Server, and then back that up to something else. Like I back up to a NAS, which then performs backup to an external hard drive. Sure, a smart virus might figure out how to encrypt my NAS, but I can just restore that from backup. My computer doesn't have direct access to the NAS backups, so it can't encrypt them.
Re:Cryptowall is very sophisticated (Score:5, Interesting)
Cryptowall is very sophisticated. It will go into online backups and encrypt them too. If you are using a common online backup it can find those and encrypt those too. The best protection against this is a USB backup in a drawer.
Cryptowall was recently being distributed by Yahoo ads via a compromised Flash ad http://news.yahoo.com/yahoo-ad... [yahoo.com]. You could have received it by going to your favorite news site.
I use Crashplan. Couldn't they use a canary of some kind? In my online account I define a file that is just plain text or a key. I upload the text content of that file to my account while the local backup software doesn't know about this. I point to where this file is located in my backup, and it should be identical. Whenever this file is encrypted (or changed), I get an alert via mail. Then I know something is messing with my backup or with my local files.
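The canary idea in the post above, as an added example written for this thread (not a Crashplan feature and not any poster's code): plant a few decoy files that never legitimately change, record their SHA-256 in a manifest kept where the backed-up client cannot write, and compare after each backup run. It assumes sha256sum (or shasum) is available; the file names and the alert action are placeholders.

```shell
#!/bin/sh
# canary-check: detect tampering with a backup set using decoy files.
# Constructed example. The manifest is kept OUTSIDE the backed-up tree (on the
# backup host, or in the online account), so a client-side infection that
# rewrites or deletes files cannot also "fix" the reference hashes.

# hash_file FILE: print the hex SHA-256 of FILE (coreutils or BSD tool).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_manifest MANIFEST FILE...: record the current hash of each FILE.
# Run once, while the files are known-good.
make_manifest() {
    manifest="$1"; shift
    : > "$manifest"
    for f in "$@"; do
        printf '%s %s\n' "$(hash_file "$f")" "$f" >> "$manifest"
    done
}

# check_canaries MANIFEST: print one line per missing or modified canary;
# returns 0 when every canary still matches, 1 when anything changed.
check_canaries() {
    problems=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            problems=$((problems + 1))
        elif [ "$(hash_file "$path")" != "$expected" ]; then
            echo "MODIFIED $path"
            problems=$((problems + 1))
        fi
    done < "$1"
    [ "$problems" -eq 0 ]
}

# demo: build a constructed backup tree, plant two canaries, then simulate an
# encryption pass that rewrites one canary and deletes the other.
demo() {
    tree=$(mktemp -d)
    manifest="$tree.manifest"                       # deliberately outside the tree
    printf 'canary one, never edit\n' > "$tree/.canary-a.txt"
    printf 'canary two, never edit\n' > "$tree/.canary-b.txt"
    make_manifest "$manifest" "$tree/.canary-a.txt" "$tree/.canary-b.txt"
    check_canaries "$manifest" && echo "clean after backup"
    printf 'ciphertext\n' > "$tree/.canary-a.txt"   # simulated ransomware rewrite
    rm "$tree/.canary-b.txt"                        # simulated deletion
    check_canaries "$manifest" || echo "ALERT: canaries changed, mail the owner"
    rm -rf "$tree" "$manifest"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh canary-check.sh demo` to see the clean pass followed by the alert; in practice, schedule check_canaries on the backup host right after each pull.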
Re:Cryptowall is very sophisticated (Score:5, Informative)
That article makes no mention of a compromised Flash ad. It actually doesn't mention any type of compromise or Flash. Yahoo ads served up an ad that took people to a server that could lead to a compromise. Just visiting a page that had that Yahoo ad didn't compromise your machine.
Comment removed (Score:4)
Re: (Score:2)
It's these 3rd party ad server farms that get hacked and start serving out this shit. Doesn't matter if it's Yahoo, CNN, Drudge, MSNBC, Fox News... etc. If they have a contract with one of these ad agencies (and they all do), all it takes is for one of the infected servers to rotate into view for the end user. Really nasty stuff.
This. So much this. And there are ad networks that will host anything given the right amount of money and lack of care. I sure as hell don't allow ad networks to display their cr
Re:Cryptowall is very sophisticated (Score:5, Informative)
Cryptowall was recently being distributed by Yahoo ads via a compromised Flash ad
That's why my hosts file [mvps.org] includes these entries (among many others):
DNS Server, not hosts (Score:2)
Hosts is of dubious efficacy compared to an actual DNS server.
Advantages:
APK is delusional and fundamentally doesn't understand DNS. Don't be APK.
Hosts by default is cached in memory
Re: (Score:2)
Thank you - I see they've made that change with the latest revision.
Corrupted backups can be rescued (Score:1)
Assuming a Windows shop with a Windows server holding the online backups, the worst that any client-side app can do is corrupt the current version of the networked backup. It can't delete the shadow copies. Oh, I suppose it could try to fill up the disk so the earlier non-corrupted shadow copies get purged, but it can't outright delete them unless it infects the server first (or otherwise gets admin access to the server).
It also can't touch existing tape or other offline server backups from an infected des
Re: (Score:2)
Re: (Score:2)
it deletes LOCAL VSS copies. He is talking about server based VSS, which if you have turned on would indeed give you a good recovery option.
Re: (Score:2)
Buy a Mac. (Score:2)
Done.
Re: (Score:2)
Indeed. A good backup is independent, and that decidedly includes "offline".
Re: (Score:2)
Drawer? Connect = can infect.
Malware (Score:5, Interesting)
Most malware is surprisingly benign. I've been saying it for years.
If you wanted to get really nasty, you can do these kinds of tricks and the thing will be damn-near scary to contract.
The problem is that we've bred a generation of people who see malware as nothing more than a distraction. Who will go to "uninstall" to remove it, thinking that's to be trusted, who don't realise that something running in the background is a problem once you close the advert it pops up.
At some point, something like this is going to be combined with a handful of never-seen-before exploits and it'll go across the globe and take weeks before there are effective patches to get rid of it. But the scary part is that the first few seconds of infection are all that's needed to totally control your ability to use your computer and access your data.
Maybe then we'll get proper application whitelisting / sandboxing by default in a desktop OS. And, hell, why do applications get the run of every file I use under my account? Should they not have to request such things first? Even on Unix-likes, if you get on as my user, you can trash all my data - why? Why is the data store not immutable and applications only get a link to the data IF they are allowed access to it? And thus nothing ever actually runs "as" the user, but only as its own separate user with similar permissions and only the files necessary.
Malware could be a lot worse than even this. Why it isn't yet, I haven't figured out - I presume because money-making is at the heart of it now rather than actual malintent with your data. But that won't last forever.
I'm sorry, but the very concept of a virus scan happening "at scheduled intervals" or after you've already double-clicked on the file just tells you that it's too late before you start. We've got away with it for decades in desktop OS, but it can't continue forever.
Getting a virus on my networks scares the crap out of me. People think I overreact when I just remote-off the machine (or tell them to pull the plug) and just re-image for even the most basic of adware. Fact is, I didn't install it and I have no idea what it ACTUALLY does. And I'll be damned if it's going to get the chance to go on my shared areas and do anything, even with file history, backups, etc. available.
Comment removed (Score:4, Interesting)
Re: (Score:3)
For a start, an app like Facebook should only have read-only access to your photos. That still provides the opportunity to steal your naked pics and upload them all over the web, but not to delete them.
Of course, if the malware is already using exploits to install, it may also be able to use exploits to escape any such protection.
But this is now a huge problem, which needs to be fixed. The days when you could trust even supposedly legitimate software not to do bad shit with your shit are over. No software s
Re: (Score:2)
Re: (Score:2)
What if I want to save photos posted by a friend to my device?
Then you can click a box saying 'yes, I really want to let this app save this file to this location'. Does the Facebook app even let you save other people's pictures?
Alternatively, you can have a 'downloads' directory for the Facebook app, and map it into a 'photos' virtual directory so every app with access to the photos can see those downloaded from Facebook, but Facebook can't overwrite photos from any other app.
Yes, people might have to learn not to save random files in random places, or put them all on
Re: (Score:2)
Re: (Score:2)
So you're going to use an annoying UAC-like pop-up that will rapidly be ignored by 99.9% of the population because it appears so often as to be nearly useless?
UAC is useless, because all it tells you is 'Do you want to allow Hello Kitty screensaver to: write to hard disk'. That's it. May be perfectly legitimate, may not. You have absolutely no way of telling what it's actually doing, so clicking 'no' is pointless.
Whereas if the Facebook app starts asking to write to protected parts of the disk when you're not saving anything, you know something is wrong.
Re:Malware (Score:5, Funny)
people might have to learn
Oh. I see your problem right there.
Re: (Score:2)
What about a photos directory in the FB app structure? If someone wants to upload a photo of their cat, just dragging and dropping it into that, then firing up FB to upload that isn't that much of a hindrance... and it will boost security by a large amount. Same with dropping a file into a subdirectory of a mail program, so the MUA doesn't have the ability to send attachments of every document present.
Yes, it is one extra step, but it would help a lot with security.
Re: (Score:2)
For the same amount of hassle you could instruct them in the necessary steps to avoid getting infected in the first place.
So, telling them 'no, you can't install Flash to view that Christmas card Auntie Mary sent you' is going to be easy, but telling them not to click yes when 'Foobook app wants to write to /etc/hosts' isn't?
Re: (Score:2)
On later versions of Mac OS X with entitlements, when you get a "Save File" dialogue, the window itself is running in a separate process from the app that called it and communicates with the client over IPC, so the client never actually is able to see the filesystem. When the user picks a save location, the window process hands an NSURL object back to the client, but this NSURL doesn't actually contain a valid
url, it contains a persi
Re: (Score:2)
don't allow your users to be admins on their local machines,
Ding ding ding ding ding... whenever anyone came to me for malware-related help with Windows, I make sure that they no longer have admin privileges before I let them back in. Create a separated local admin account for them if necessary, but their everyday web-surfing and mail-reading account should not need admin privileges.
Re: (Score:2)
Maybe then we'll get proper application whitelisting / sandboxing by default in a desktop OS. And, hell, why do applications get the run of every file I use under my account? Should they not have to request such things first? Even on Unix-likes, if you get on as my user, you can trash all my data - why?
The answer is functionality. Let's consider the example of Android, an OS with a fairly recent security model, built on top of Linux which provides for chroot. Why not put apps into their own chroot jail by default? Seems like a good idea, right? How do you explain to Grandma why she can't upload photos from her camera's image gallery to Facebook? Oh, you'll solve that problem by putting the photos in a public directory? Okay, that eliminates the functionality concern, but now you're right back where you started with exposure to ransomware....
Not necessarily. This can be solved by having a standard privileged file open/save dialog that grants the access automatically to apps based on user input. Of course that limits the UI designs in some ways. I wrote some ideas 11 years ago on how something like this could be done. [iki.fi] Partially obsolete nowadays, though, but still could be doable (except for the web browser parts - web security seems to be a lost cause already). Perhaps once these kinds of worse malware start happening people would finally implement
Re:Malware preventative measure (Score:3)
In reading TFA, a preventive measure may be to add the Tor list into your hosts file so it can't download a Tor client to continue. Adding the list to your router blacklist can put it out of reach of the malware to bypass the block.
In the arms race this is effective on the current version. An update may have a new list of Tor download locations.
Not sure if blocking TOR at the router is possible or effective.
Re: (Score:2, Interesting)
In reading TFA, having an executable called VBoxService.exe or vmtoolsd.exe seems like a sure fire way to have it skip right over you, as it thinks you're running inside a VM.
Re:Malware (Score:5, Interesting)
Malware could be a lot worse than even this. Why it isn't yet, I haven't figured out - I presume because money-making is at the heart of it now rather than actually malintent with your data. But that won't last forever.
I suspect it's because the powerful people in the world largely care little about computers, viruses, downtime, etc. To them it's all just mysterious technical mumbo jumbo that is of little interest to them. Extortion is a little more clear though. Someone is trying to fuck them, and that tends to get people riled up. Riling up folks like us is one thing, but statistically speaking sooner or later malware like this will inadvertently fuck someone who's capable of things like armed abduction, torture, and death. You have to have a lot of faith in the anonymity of bit torrent that you won't be found by one of these kinds of people.
Re: (Score:2)
bit torrent
And it's too early in the morning before my coffee. s/bit torrent/bitcoin
Re: (Score:2)
And, hell, why do applications get the run of every file I use under my account? Should they not have to request such things first? Even on Unix-likes, if you get on as my user, you can trash all my data - why?
Because anything else would require popping up numerous "would you like to allow this application to do $foo" boxes, and then you end up training the user to just hit "yes" on everything because it's too damned annoying to make a decision every time when the vast vast majority of access requests really are legitimate.
Sandboxing based on applications making their own decisions and being relatively trustworthy might not be a bad plan though - i.e. if your web browser has an immutable list of files it needs ac
Re: (Score:2)
I don't see why you can't do more refined access than just granting everything to every program. Especially with the massive amounts of storage space and memory that computers have today. Sandbox every application, allowing it to only have full control over its own little sandbox. If a program needs to look at stuff in other file structures then give it read access, not full control, to those directories. You want it to be able to write to files in those other directories, fine, it reads in a file it isn't a
Re: (Score:2)
If a program needs to look at stuff in other file structures then give it read access
Great! $malware got read access to your bank details.
You want it to be able to write to files in those other directories, fine, it reads in a file it isn't allowed to overwrite or change, and then saves its own copy that it can molest in whatever way it wants.
So now instead of having a single copy of the file, you have a separate copy saved by each application that has been used to process it - creating a mountain of almost-identical files that the user has to keep track of is not a user friendly way of doing things.
Better is to have a versioned filesystem - each time a file is changed (by any application!) the delta is saved and the filesystem keeps the old data hidden away. Most of the time everything behav
Re: (Score:2)
Better is to have a versioned filesystem - each time a file is changed (by any application!) the delta is saved and the filesystem keeps the old data hidden away.
It's fortunate that disks are infinitely large, so the malware can't just overwrite the files multiple times until the filesystem deletes the plaintext versions.
Re: (Score:3)
Security issues are generally rare occurrences, while functionality one uses daily are immediately visible and annoying. Even within unix systems we see a constant push/pull between security and
Re: (Score:3)
Because then somebody has to tell the computer which applications are allowed to access which data, and normal users can't be bothered.
You know that we have such functionality now, right? All you have to do is use something like SELinux and set up the ACLs. But I doubt that even most people as security-conscious as you have actually spent the effort to use it.
Re: (Score:2)
The biggest problem we have is that businesses have moved to SAN and cloud backups. Yes, that VNX replicating asynchronously with constant snapshots is a great way to handle "natural" dangers... but it doesn't take much to drop and zero out all LUNs presented to all machines, and the replication client will just propagate the changes. Same with a tier 2 NAS like a NetApp box or an Isilon. Even with cloud backups, it doesn't take much time to drop a vault or a container.
There just isn't any thought put in
Re: (Score:2)
Re: (Score:2)
I am interested in this because I just recently opted out of LTO tape backup for external USB hard drives. For 19 years, I have changed out the tapes/drives myself and took them home with me every day excluding holidays and stuff.
When the fire alarm goes off, I grab the backups and run. When we evac for hurricanes, I grab the backups and run.
Obviously, this scheme doesn't protect the Firm directly from something like CryptoWall 2.0, but I switched to external USB drives for one main reason:
Should the buildi
Re: (Score:2)
The days of tapes not being in sync (as in the Travan era) are long since gone. LTO tapes are quite stable, even more so than DLT, and a lot better than 8mm or 4mm when it comes to hard errors. Tape got a bad name back in the 1990s when 8mm drives were common and had a fairly high failure rate, mainly because it was designed as a video format, not for data.
Both external USB hard drives and tape have advantages and disadvantages. With tape, I can set the cartridge read only, and if there is malware on the m
Re: (Score:2)
Should they not have to request such things first? Even on Unix-likes, if you get on as my user, you can trash all my data - why? Why is the data store not immutable and applications only get a link to the data IF they are allowed access to it?
i.e. SELinux
Avoid x86 hardware. (Score:1)
I shall stay on my quad G5 under Linux for the time being. The market is too small for them to try to attack my machine.
Why didn't people realize that a single monoculture of CPU architecture (x86 in this case) would simplify the job of these guys? I've been clamoring against x86 monoculture ever since Apple became just another resale channel for Wintel clone hardware.
Monoculture is bad, it has always been bad and will always be.
Re: (Score:2)
CPU monocultures did make attacks easier, and it is a shame alternatives are getting further and further out of the reach of the average (in terms of pocketbook) users. On the other hand, increasingly attacks do not depend on the underlying hardware and instead on the layers on top of it, which means having a whole different stack all the way up and down is needed in order to stop them.
In the end tho
So how are these spread? (Score:4, Insightful)
How is this crap spread?
Can I laugh at the people who have Flash enabled and let arbitrary sites run javascript? Or does this spread through some other vectors I don't know about?
I suspect the problem is the idiots who write websites, who demand your browser run in the most insecure possible configuration so you can see their ads and other shit they've hidden behind code which needs to run on your browser.
And I've always said I'm not willing to run my browser wide open just to make web sites work, because these things have been security holes for years.
Browsers need to be a whole lot less trusting, and not default to just running any old thing which comes along. And certainly stop trusting scripts from 3rd parties and running whatever crap pile of Flash comes along.
Unfortunately, users are used to seeing pages which give you detailed directions for re-enabling javascript and cookies.
So to all you web developers out there who have ever written that page ... fuck you, you slimy bastard. It's partly your fault the internet is a shit hole.
Re: (Score:2)
Although developers encourage this kind of thing by using flash and requiring javascript to display content, there is plenty of blame for users too. Heaven forbid a page might refresh! Users are demanding that websites look and feel like native applications, and the way to do that is to run things client side, like a native application does. Users want shiny shiny, regardless of the problems it causes.
Re: (Score:2)
In a case I was recently troubleshooting, the vector was an advertisement popup that asked the user to click to download and install an Adobe Flash Player update.
The user downloads it and runs it. Then it runs quietly in the background with the same privileges as the current user.
I feel the need to reiterate here that Cryptowall does NOT require privilege escalation. If you happen to be a local administrator it will ask for it so it is able to delete shadow copies and Restore Points, but it does not need
How to prevent it from ruining my backups (Score:3)
My backups are done on a USB hard disk that's connected to the media server on my home network. Switch the HD on, and it'll appear and backups can be made.
How can I prevent malware from changing my backups? Would it be possible/effective to mount the drive as write-only, making it impossible to change existing files?
Re: (Score:1)
Would it be possible/effective to mount the drive as write-only, making it impossible to change existing files?
Given the type of backup you are performing (a "push"), there is nothing you can do to prevent an active infection from destroying your backups while the HD is mounted. In theory, a backup to a blind drop may provide some protection, but there is no backup solution that I am aware of that will work without read access to at least its own metadata. Perhaps a developer opportunity?
Re: (Score:2, Redundant)
In a Linux or Mac environment this would be simple to set up with common tools. You could write a sample BASH script that runs daily on
Re: (Score:2)
I believe that they leave executable files alone, so maybe it's as simple as adding ".exe" to all your backup files? And removing any double ".exe" strings when retrieving?
Versioning (Score:5, Interesting)
Re:Versioning (Score:4, Insightful)
This works until you realize the ransomware could go into your Crashplan settings and turn off versioning and keeping deleted files.
Re: (Score:2)
Unless it requires two-factor confirmation to change settings, like a verification code sent by text message.
Re: Versioning (Score:3)
I can confirm it does not.
Re: Versioning (Score:2)
How are they going to authenticate to modify my cloud backup services, without my passwords?
I mean, in theory, once Cryptowall hits my machine, they could send 100 ninjas to destroy all of my DLTs...
Re: Versioning (Score:4, Insightful)
In theory, it could stop the Crashplan service, manually edit your backup set settings to have no versioning, and no deleted file keeping, restart the Crashplan service, and let it run through and prune all the files it thinks it should be pruning, then encrypt your files, let it back them up, and Crashplan dutifully prunes the old versions like the hijacked config file says to.
Re: (Score:2)
This.
I change the backup media every day and take it home with me. At one site, I have thirty (3) external USB drives.
At another, I can only keep two weeks of daily backup to take offsite. It's a law firm and I have schooled them that we are not bound by law to retain lots of stuff, but we are bound by law to give up anything we have.
Re: (Score:2)
Eventually the ransomware people will get patient and encrypt your files but allow access for 3-6 months before telling you.
That isn't quite how this ransomware works. It isn't encrypting and decrypting your files on the fly, it encrypts your files so you can't use them. What you're suggesting is much more complex and opens up many more opportunities for defeating the malware--for instance, the decryption key would have to be stored on the infected machine.
"True" virtualization (Score:1)
There is a place in research labs for "true" virtualization/emulation, where a particular hardware environment is virtualized/emulated right down to the timing characteristics of the hardware it's pretending to be.
Obviously you can't do this with stock hardware - you'll probably have to use supercomputer-type hardware and do large chunks of it in an emulator, but in principle and maybe in practice we should be able to emulate at least a few mid-2000s motherboard/CPU/typical-other-hardware setups well enough to
Pull vs Push backup solution? (Score:2)
I suspect most backup software on the computer pushes the backups to a network share somewhere that I suspect these ransomware packages go looking for and encrypt those files as well.
What if the backup system was remote and pulled the data from a network share on the client. If the client is infected, the infection cannot get to the backup file locations because they are not shared.
I realize this is not trivial for average users to set up, but I'm exploring this option for my home network. Setup NAS type ser
Windows only? (Score:1)
Re: (Score:2)
Right now, Windows... but I wouldn't be surprised to see it on OS X and UNIX operating systems since it would be quite easy to write. It would be simple to write a shell script that fetched a public key from key servers, did a find command, passed the output to PGP or gpg to encrypt files, then wiped the old .doc files.
At least with UNIX, there are programs like amanda and bacula which can be used in client/server mode so that malware on a client can't touch the backup server and its data.
Re: (Score:2)
SGID is one way, but there are other ways to separate programs. Docker and containers come to mind. Of course, there will need to be a mechanism that allows a user to move/copy/link a file between the *Office and MUA containers, but that can be easily dealt with.
If it won't run in a Virtual Machine... (Score:2)
I wonder about their key generation. 1% of RSA dec (Score:2)
Around 1% of RSA keys are easily broken, meaning you could decrypt your data without paying the ransom. This is because about 1% of keys are weak in one way or another. I wonder about the key generation function this malware uses. If they are using one of the weaker algorithms to generate keys, many victims may be able to decrypt fairly easily.
Re: (Score:2)
Around 1% of RSA keys are easily broken, meaning you could decrypt your data without paying the ransom. This is because about 1% of keys are weak in one way or another. I wonder about the key generation function this malware uses. If they are using one of the weaker algorithms to generate keys, many victims may be able to decrypt fairly easily.
Please check with the NSA about this strategy.
So how quick is it? (Score:2)
Does anyone know if it aims to encrypt all your files quickly or over a time period to increase the chance of poisoning backups?
If the former, one mitigation might be to check file types on the backup? Assuming you do a backup to a different architecture, such as Linux, check file types - is a jpeg really a jpeg? Can it read plain text files? As soon as it finds one it can't, flag it up for investigation. Perhaps have a number of canary files, pull those first each time and compare them to known good copies
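The check described above, as an added example that is not part of the original post: it walks a backup tree that was pulled from the client, compares canary files against known-good hashes, and flags files whose leading bytes do not match their extension (a .jpg without a JPEG header, a .txt that is not UTF-8). The magic-byte table, the file names and the "ruined" bytes are all constructed for the demo.

```python
import hashlib
import os
import tempfile

# Constructed table of leading bytes expected for each extension.
MAGIC = {".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
         ".png": (b"\x89PNG\r\n\x1a\n",), ".pdf": (b"%PDF-",),
         ".zip": (b"PK\x03\x04", b"PK\x05\x06")}

def looks_genuine(path):
    """True if the file's leading bytes fit its extension; .txt must decode as UTF-8."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        head = f.read(4096)
    if ext == ".txt":
        try:
            head.decode("utf-8")
            return True
        except UnicodeDecodeError as e:
            return e.start >= len(head) - 3  # tolerate a multibyte char cut by the read
    sigs = MAGIC.get(ext)
    return sigs is None or any(head.startswith(s) for s in sigs)  # unknown type: no opinion

def sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def check_backup(root, canaries):
    """Walk a pulled backup tree. Return (canaries that changed, files whose bytes mismatch their extension)."""
    changed = sorted(rel for rel, known in canaries.items()
                     if not os.path.isfile(os.path.join(root, rel))
                     or sha256(os.path.join(root, rel)) != known)
    suspicious = sorted(os.path.relpath(os.path.join(d, n), root)
                        for d, _, names in os.walk(root) for n in names
                        if not looks_genuine(os.path.join(d, n)))
    return changed, suspicious

def demo():
    """Constructed backup tree; two files are then overwritten with junk, as bulk encryption would."""
    root = tempfile.mkdtemp()
    def write(name, data):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    write("photo.jpg", b"\xff\xd8\xff\xe0" + b"\0" * 32)
    write("notes.txt", b"quarterly notes\n")
    write("canary.txt", b"canary v1\n")
    canaries = {"canary.txt": sha256(os.path.join(root, "canary.txt"))}
    write("photo.jpg", b"\x9c\x02\xea" * 12)        # no JPEG header any more
    write("canary.txt", b"\x9c\x02\xea\x80" * 3)    # hash changed and not valid UTF-8
    return check_backup(root, canaries)
```

`demo()` returns the changed canaries and the suspicious files; either list being non-empty is the signal to stop the backup rotation and investigate before the bad copy overwrites a good one.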
Re: (Score:2)
Malware gets changed over time but here's a video from Sophos named "Watch CryptoLocker in action":
https://www.youtube.com/watch?v=Gz2kmmsMpMI [youtube.com]
Looks like it just encrypts whatever it can right away, not a little today, a little more tomorrow.
Y'all seen this? (Score:2)
Please provide your email address [1] and an encrypted file [2] that has been encrypted by CryptoLocker. This portal will then email you a master decryption key along with a download link to our recovery program that can be used together with the master decryption key to repair all encrypted files on your system. [decryptcryptolocker.com]
Found it at this site. [yahoo.com]
Reputable security firms Fox-IT and FireEye collaborated on the free DecryptoLocker project, which provides a simple way for CryptoWall victims to recover their files and their privacy.
Disclaimer: I read this stuff but I know nothing more than that.
Cryptoprevent (Score:2)
The article says that the malware works by creating temporary .exe files in the folder specified by the %appdata% environment variable. Eg "C:\Documents and Settings\[username]\Application Data". As does much other malware.
FoolishIT's "Cryptoprevent" utility uses Windows' "Software Restriction Policies" to try and stop .exe files from running in the %appdata% location. It is a good idea, so for what it's worth, here's the URL: https://www.foolishit.com/vb6-... [foolishit.com]
Fake the VM (Score:2, Interesting)
Re: (Score:2)
VirtualBox is still a form of defense because you've hopefully got snapshots of the system state and in the event that the malware does execute, you can just restore your snapshot. That is so long as you are using a virtual machine and it is the VM that ends up infected with the malware.
Re: (Score:3)
In other words:
copy notepad.exe VBoxService.exe
Add VBoxService.exe to your autostart folder.
1 minute fix to mitigate the risk a bit.
Re: (Score:3)
I was thinking along those lines. If it protects itself by refusing to run in certain environments, maybe we could protect ourselves by giving it the idea that it does.
Re: (Score:2)
That has been discussed in the comments of the original article. Apparently that idea won't work.
Re: (Score:2)
It is a pity tape has become so expensive since that was a great way to handle offline backups in a very user friendly way.
Re: (Score:2)
Re:One more reason to get away from Windows (Score:5, Informative)
Crypto$shit isn't something that can only run on Windows. The main reason why Windows is being attacked is the same as why most software is made for it: its market share. If Linux had a market share of 90% (or however ludicrously high the share of that system still is), Linux would be the target. For exactly the same reason: It's where the money is. Why bother trying to infect 5% of the computers when you can go and try to infect 90% thereof?
Next, they abuse the flaw in a third party product, something MS cannot even mitigate if they wanted. If you want to be mad at someone, be mad at Adobe, they're the one that produced that abominable turdfest called Flash. You think Flash is any more secure on Linux than it is on Windows? Think again. Why would Adobe put more brainpower behind the security of their A-league product on a minor platform than they do for the main platform?
Better security in Linux, you say? Tighter control of permissions? Bzzzzt, nope, doesn't apply. What makes Crypto$shit so dangerous is exactly that it does not need any kind of elevated permissions. It does not want to touch any "system" areas, all it does is execute in the user context and encrypt files in the user's directory. That is something you can do on Linux with the permissions of the current user just as well as you can do it in Windows.
And yes, I'm aware of the various "hardening" strategies that you can employ to make such an attack harder on Linux. ALL of them work as well on Windows. Ok, maybe not in every version of Windows because MS in their never ending wisdom thought security is for Enterprises only, hence the key security features are not available in their Home editions... but even for the "Homes" there is a way to do it. Very inconvenient and quite tricky to pull off, just like most would be in a Linux environment. Yes, it's possible. No, it ain't something Joe Randomsurfer would or even could do.
So no. This time the "Windows sux" club does not strike. I wish for the best and I hope for less market share for that Moloch too, but this time they are not the ones to blame. If anyone is, try Adobe and them STILL NOT getting a grip on Flash security.
It ain't like this is the first time that turd has been the attack vector, ya know...
Re: (Score:1)
Well, after reading the article again, indeed that could work on Linux. I thought there were windows vulnerabilities in the mix, but it turns out I read that wrong.
That said, I think that malware/adware is a major attack vector. And Linux/Android/iOS do not fear adware because applications are reviewed and controlled. Of course, you can always have a vulnerability in the Linux packages / Android Apps, but it makes things much harder and especially for the average guy's PC.
But true, for that special case
Re: (Score:2)
You may rest assured that Adobe does indeed review its software before releasing it, just that security takes a back seat to feature creep and "ohh shiny". That's just as true for Android and iOS soft. Or do you think Google or Apple does a thorough security audit for every kind of software in their store?
Re: (Score:2)
Better security in Linux, you say? Tighter control of permissions? Bzzzzt, nope, doesn't apply. What makes Crypto$shit so dangerous is exactly that it does not need any kind of elevated permissions. It does not want to touch any "system" areas, all it does is execute in the user context and encrypt files in the user's directory. That is something you can do on Linux with the permissions of the current user just as well as you can do it in Windows.
Btrfs snapshots would have defended against this sort of attack effectively - they provide incremental backups that can only be deleted by root. It's trivially easy to set up a cron job to perform a daily snapshot of /home - I did so a while back and just found I'd accumulated a year's worth of snapshots. Admittedly, this isn't something the average user would have set up, but given that there are already distros which automatically snapshot the root fs before installing updates, it's not a huge stretch to s
Re: (Score:2)
Another lesson is to use virtual machines when possible. An infected VM is a lot less of a hassle to deal with than an infected physical box, especially if snapshots are used [1].
For personal use, I wonder about moving to a NAS and two ESXi nodes. Browsing using RDP is just as fast as a local Web browser, and if configured right, none of the stuff in the VMs would have access to the NAS itself, which helps isolate damage to just that VM itself. As for "real" backups, plugging an external drive to the NAS