CryptoWall samples not detected by any of the 55 antivirus products on the VirusTotal

Discussion in 'malware problems & news' started by hawki, Sep 29, 2014.

  1. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    1,956
    Location:
    DC Metro Area
    "Malvertising campaign delivers digitally signed CryptoWall ransomware

    The cybercriminals behind the CryptoWall ransomware threat have stepped up their game and are digitally signing new samples before using them in attacks in an attempt to bypass antivirus detection.

    Researchers from network security firm Barracuda Networks found new CryptoWall samples that were digitally signed with a legitimate certificate obtained from DigiCert. The samples were distributed through drive-by download attacks launched from popular websites via malicious advertisements.

    Zedo together with Google’s DoubleClick ad network were also used by attackers this month to post malicious advertisements on the Times of Israel, the Jerusalem Post and Last.fm websites among others. That attack campaign distributed a malware program called Zemot..............

    A recent analysis of the CryptoWall operation by Dell SecureWorks revealed that the malware has infected more than 600,000 computer systems since March and earned its creators over US$1 million.

    The digital signing of CryptoWall samples is likely an attempt to evade antivirus detection. The success of this approach is debatable since this practice is no longer uncommon among malware developers and many security products account for it. However, there might be cases where signing malware with certificates stolen from trusted developers might bypass some application whitelisting rules.

    The new CryptoWall samples were not detected by any of the 55 antivirus products used on the VirusTotal website when they were discovered Sunday, the Barracuda researchers said. The detection rate has slightly increased since then, they said."

    Full Story: http://www.networkworld.com/article...d-cryptowall-ransomware.html#tk.rss_security0
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    This is exactly the reason why HIPS should never automatically trust signed files. It's better to only trust files from "Trusted Vendors", but perhaps even those certificates can be faked, who knows. :)
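The point above, that "signed" is not the same as "trusted", as an added example that is not part of the original post: a PowerShell check that treats a valid Authenticode signature only as proof of who signed, then decides allow/block against a publisher allowlist (the thumbprints are placeholders, not real vendor certificates).

```powershell
# Added example, not from the thread: trust by signer identity, not by
# "the file carries a valid signature". A sample signed with a legitimately
# issued certificate from an unknown publisher should not be allowed automatically.

# Hypothetical allowlist of publisher certificate thumbprints (placeholders).
$TrustedThumbprints = @(
    'PLACEHOLDER-THUMBPRINT-VENDOR-A',
    'PLACEHOLDER-THUMBPRINT-VENDOR-B'
)

function Test-TrustedSigner {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 1. The signature must chain to a trusted root and match the file hash.
    #    Anything else (NotSigned, HashMismatch, UnknownError, ...) is blocked.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Decision = 'Block'
                                  Reason = "Signature status: $($sig.Status)" }
    }

    # 2. A valid signature only identifies the signer; trust is a separate decision.
    $cert  = $sig.SignerCertificate
    $thumb = $cert.Thumbprint
    if ($TrustedThumbprints -contains $thumb) {
        return [pscustomobject]@{ Path = $Path; Decision = 'Allow'
                                  Reason = "Known publisher: $($cert.Subject)" }
    }

    # 3. Valid but unlisted signer: this is the case the signed CryptoWall
    #    samples fall into, so it goes to the user (or SOC) instead of auto-allow.
    return [pscustomobject]@{ Path = $Path; Decision = 'Prompt'
                              Reason = "Valid signature from unlisted publisher: $($cert.Subject) [$thumb]" }
}

# Evaluate every executable in the Downloads folder and show the decision.
Get-ChildItem "$env:USERPROFILE\Downloads" -Include *.exe, *.dll -Recurse |
    ForEach-Object { Test-TrustedSigner -Path $_.FullName } |
    Format-Table -AutoSize
```

A 'Prompt' result is also a useful detection signal on its own: a newly seen signer thumbprint appearing across many endpoints in a short window is worth a closer look.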
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Couldn't agree more.

    Which also begs the question why the now abandoned worthy HIPS like the ole EQSysSecure, Malware Defender etc. were discounted and thrown onto the heap pile of the obsolete when they contained IMO very vital vector points (many user-defined) which were really pretty good at intercepting and then suspending such zero-days in transit. The problem as I see it is that a Classical HIPS of those levels of security success is more adaptable only to the learned and can't be made (not yet) into some auto-filter without the need for direct user intervention. I guess it's debatable.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    @ EASTER

    You still feel a bit frustrated, do you? :D

    We're going off topic now, but there are still a couple of "old skool" HIPS available, like Comodo and SpyShelter, but yes we used to have a lot more choices.
     
  5. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    @EASTER: The problem with Malware Defender is that it tracks more system calls in more contexts than most people can keep track of. Even waffling between learning and silent modes, you will at some point probably find a situation where you just can't get some app to work properly, or open a security hole without knowing it, etc. etc.

    I would say that Geswall was a saner idea, but the implementation was pretty unfriendly in practice.

    Anyway to be honest though I've kind of had it with mandatory access control, at least as far as desktops are concerned. There are kernel vulnerabilities galore (that MAC won't stop), man-in-the-browser attacks and such (that MAC doesn't affect), the details of setup are invariably problematic, there are no clear-cut rules, etc.

    I wish I had useful advice for people on Windows, but I really don't, beyond "Use some kind of web content filtering, keep applying those updates, and be exceedingly skeptical."

    (Antivirus also fits in, but it's basically intrusion detection, not intrusion prevention.)
     
  6. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    Unfortunately most HIPS are not x64 compatible.
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I was able to grab a sample of it, for some play with it later.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Do not take this the wrong way, but you're speaking to deaf ears. EASTER and I are huge HIPS fans, and if you know how to use them, it's simply the best protection out there. On topic: the fact that most AVs could not detect these new samples is proof that heuristics are still not that good. HIPS is really the only way to go for protection. :)

    Cool I'm looking forward to it.
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Sorry if I disappoint you but it will not be soon and I might not post any results here.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    @ aigle

    That is a total buzz-kill. :D
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Yes, but I am totally out of this hobby nowadays. I have got so many more important things to do in life. ☺
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    OK cool, I also took a break from Wilders between 2010 and 2013, but because of Win 8 it became a hobby again. :)

    @ Aigle, I will PM you.
     