As Ars Technica reports, one of the latest forms of malware is so sophisticated that it won’t even attack if it detects certain types of defenses.
A couple of days ago Ars reported on CryptoWall 2.0, a type of ransomware which apparently won’t even attempt to compromise your computer if it detects certain apps:
The installation components of CryptoWall 2.0 are cloaked by multiple levels of encryption, with three distinct stages of installation each using a different encryption method to disguise the components installed. And like many modern pieces of malware, CryptoWall 2.0 has a virtual machine check in its code that disables the attack when the malware is installed within a virtual instance—in part to prevent security researchers from isolating and analyzing its behavior.
The VM checker code, in the first stage of CryptoWall’s dropper sequence, checks the system for running processes, searching for VMware and VirtualBox services or the Sandboxie application partitioning library. If the coast is clear, the code does some best practices-based memory handling to release memory used in the initial drop mode, then launches another dropper disguised as a Windows Explorer process.
If CryptoWall does gain control of your computer, it will hold your files hostage until a ransom is paid, usually in Bitcoins (hence the name ransomware).
This story came to my attention via Rich Adin’s An American Editor blog. He’d been paying closer attention to this issue than I because in late 2013 he had been hit twice by ransomware after clicking links sent to him by idiot clients.
As a professional book editor, Rich sometimes doesn’t have the luxury of simply ignoring links which aren’t completely safe, not if he wants to do his job to the best of his abilities. And so he’s had to take additional steps to protect himself, including installing utilities like Sandboxie.
So far I have been either lucky enough or paranoid enough (or both) to have avoided encountering any ransomware or permanently damaging malware, but I think I might follow Rich’s lead and add another layer of security.
As the NYTimes reported recently, attacks by this ransomware are growing increasingly common, so, if nothing else, the cost of prevention is generally cheaper than the expense of a cure.