Angler Exploit Kit Evasion Techniques Keep Cryptowall Thriving 36
msm1267 writes: Since the Angler Exploit Kit began pushing the latest version of Cryptowall ransomware, the kit has gone to great lengths to evade detection from IDS and other security technologies. The latest tactic is an almost-daily change to URL patterns used by the kit in HTTP GET requests for the Angler landing page, requests for a Flash exploit, and requests for the Cryptowall 3.0 payload. Traffic patterns as of yesterday are almost unrecognizable compared to those of as recent as three weeks ago.
Re: (Score:1)
Not everyone who doesn't test their backups on a non-Internet-connected machine is an idiot.
Yes, yes they are.
Or their data isn't worth anything even to them.
Re:BECAUSE IDIOTS PAY IT! (Score:5, Informative)
Unfortunately, as it stands right now, even with rapid growth, ransomware is approaching its infancy. I'm not going to be surprised when the next CryptoWall releases go after Active Directory and enterprise-level resources, as opposed to local items and the network share or two.
Three reasons why this is:
1: There are no SOHO backup systems to defend against it. If you can get the user to not restore in 30 days with most cloud backups, their data is gone... and some cloud backups may just only keep the latest (useless) version. Plugging in a USB flash drive, backup drive, using a NAS, or using a Time Capsule works against disasters like HDD failure or accidental microwaving of a laptop... but all ransomware has to do is zero out the backup drive... or just punch random holes in stored files so they are worthless. A lot of newer machines don't have optical drives, much less decent backup software to get the user to back up to them.
If you want a real defense against ransomware, it takes an external backup server which pulls data, stores it where the client machine cannot access or destroy it, and can store images for weeks to possibly years (because as ransomware evolved [1], it will be running longer before it gets detected.) However, not many home users will buy a PC with some drives, slap Windows Server 2012 R2 Essentials on it (which replaces Windows Home Server), and use that to pull backups from their desktops. There are appliances that do this... if you want to pay $50,000 to Symantec for a NetBackup appliance, and have the rack space for it.
What is really needed is a standard, cross platform backup client that not just allows for files, but snapshots (so open files can be copied) and entire machines, so bare metal restores are easy to accomplish, be it a restore to a local drive, or via the network. For authentication, something similar to SSH. This way, a user can buy an appliance, log onto the console, set up backups (perhaps RSA key exchanges), set up schedules, and call it done. More features (encryption, deduplication) can be added... but the main thing is getting backups going in the first place.
2: The infection vectors are still there. For example, a malware writer might write code to take advantage of a compromise/buggy browser add-on, it goes through an ad server, and winds up nailing people visiting even mainstream sites.
Even ten years later, the Web browser is still the primary infection vector. Even with virtual machine and container technology, if an add-on gets nailed, there is a good chance it can seize the entire browser, and thus a user context. Even with just the context of a browser add-on, it likely can read and write to any documents the user has access to. Add a few more exploits, it can run unfettered as a user, or even get admin/root rights so it can reflash the firmware on drives, video cards, keyboards, and other items.
This can be limited by running the browser in a VM or sandbox, but most users won't be doing this, so it is only a matter of time before the next add-on has 0-days, and just visiting a site results in compromise.
3: Not as bad as drive-by compromises, but Trojans are still an issue. On Linux, BSD, and OS X, this is less of an item, since users are conditioned to use a repository. Windows still is wild and wooly when it comes to this, and even if one does visit the right download site, it might be a mirror decided to pack some additional "functionality" into the installer, and re-sign that with their own Authenticode key, so it passes the signature check test.
The possible fix? MS having a store that allows for more than just Metro applications to be installed and updated, preferably with active, brutal curation. That way, if a user wants a copy of WinZip, they just fetch it from the store, rather than risk a compromised website, mirror, CDN, or app installer.
Ransomware is going to be with us a long time, just because it does well at going after the low hanging fruit, and with what is available (domain admin rights, for example), just encrypting files is just the initial salvo in this battle.
[1]: It pretty much a fact that malware, as a whole, is the absolutely best code when it terms of quality, robustness, and updates.
Re: (Score:2)
I'm reading this as basically creating a tar file of the machine and documents, throwing it to a remote machine's incoming directory, and that incoming machine moving the file to somewhere inaccessible to the client?
This is a way to do it, but might be better to just have the NAS or other appliance initiate the pull so the data can be better stored in snapshots.
Re: (Score:2)
Re: (Score:2)
Which leads me to the cost of such a system. In my case, I have two decommissioned laptops (even a Raspberry Pi 2 would do the job) bought for $50 in two separate locations from my h
Re: (Score:2)
This is something I've never understood. External hard drives should have a read-only toggle switch.
Re: (Score:2)
This does exist, and is the UDF filesystem. This allows writing in packets and sessions, without affecting existing data on media. However, having a hard drive controller enforce this (to prevent a blkdiscard /dev/sda or a dd if=/dev/zero of=/dev/sda) would take some engineering.
Next to an appliance, the real answer to this might be good old fashioned tape. The newer LTO drives can use WORM media, can be hardware set read-only, and encryption can be set on the drive itself. However, tape has wound up be
Re: (Score:2)
I read people saying the exact same thing about Macs, with statements that OS X is "100% secure". After recent events, I don't read much about that (although with the fact that most Mac programs are downloaded from a secure repo does help put the kibosh on Trojans.)
Linux isn't bulletproof. There are new programs that wind up even in enterprise distros that can wind up being avenues for remote attack. Plus, Firefox under Linux will behave the same if compromised just as Firefox under Windows does. I do a
Not a Federal priority (Score:5, Interesting)
As many people have pointed out, it's straightforward to set up a honeypot that triggers the exploit, pay the ransom, and then follow the money.
Many people are affected by ransomware. If the US made fixing this problem a priority, many *people* would be relieved of anguish and suffering.
Instead, the feds look into crimes against corporations. How's that investigation into fiber cutting in San Francisco coming along?
Or crimes against authority. What was the cost versus benefit of the Silk Road investigation?
If the US made *people* a priority, it would get done.
(And for the record, Bitcoin is not anonymous and we have agreements with other countries for criminal activity. )
Re: (Score:2)
What's a tumbler? A tumble dryer? (I'll admit I often lose coins there.)
Re: (Score:3)
Now that's the rub. All it takes is for the trail to hit a country that is overtly hostile to the US, or just not willing to cooperate, and the trail goes cold. For example, if the perp who made malware tools was situated in Yemen, Brazil, or Venezuela, the local government would be giving the person accolades for doing such a thing.
As for Bitcoins, they are definitely traceable. However, efforts like tumblers and CoinJoin may be new and holes found, but they are getting better, and if combined with an e
Antivirus is useless. (Score:2, Interesting)
https://www.virustotal.com/en/file/2dfd43d6776b5712e5fd9d82d3a6b5d0097d2b9371915539ed0b88f4097224a8/analysis/
This sample came in nearly a day ago. When I first saw it hours after, only 5 detected it. As of this posting it's roughly at 28/56. The other half that don't detect it is the lower end of the AV spectrum, along with MSE.
It took about 6 hours after the sample came for the heavy dogs: NOD32, Kaspersky, BitDefender and etc to detect it.
Re: (Score:3)
Our saving grace, perhaps? (Score:3)
This may be our saving grace, something as simple as doing one's work in VMs, using the bare metal OS pretty much as a hypervisor and method to back up the VM images. With SSDs, this makes the job easier (because booting an OS isn't that I/O intensive, but you have multiple instances fighting for the drive head on conventional HDDs, which causes I/O slowdowns across the board.)
VMs are one of the few tools that can fight ransomware effectively. If the software doesn't play and deletes itself, no major loss
Re: (Score:2)
Re: (Score:1)
Sounds more useful than just shits and giggles. If a lot of modern viruses refuse to run in VMs then turn your primary machine into a VM and then you're safe!
Re: (Score:2)
For now that is. Right now, malware writers are going for low hanging fruit, who don't even know what a VM was, or if they ran one on their desktop, would complain about performance (not knowing the VM disk images belong on a SSD, or at least their own spindles to not contend with the host desktop OS [1].
Once VMs gain traction (say someone combines dedupe with COW and applications wind up with their instance of an OS with just the footprint of the application so VMs become as common as applications with th
Re: (Score:2)
There has been a few cases where I've ended up doing a V2P migration (which is extremely rare, but usually for something that, by policy, has to be on its own hardware, or that I create the VM and get the app in place and tested, then image it to a machine's bare metal for production use via WIM or another mechanism.) I'm sure these will leave the VMWare client files running, but not doing anything, similar to how a Hyper-V to VMWare migration leaves the Hyper-V files present.
In fact, if one turns on Hyper