
A glimpse inside CryptoWall 3.0 - codesuela
http://blog.brillantit.com/?p=15
======
netheril96
> Deactivating: Shadow Copies, Startup repair, Windows error recovery

> And stopping: Windows Security Center Service, Windows Defender, Windows
> Update Service, Windows Error Reporting Service and BITS

Won't these actions require administrator privileges? How does the program
escalate its privileges if it starts from a user clicking on a .js file?

~~~
ploxiln
UAC gave Windows Vista a bad reputation for annoying prompts all the time, so
in the interest of user experience and convenience, starting with Windows 7
Microsoft intentionally made it much less bulletproof: any Microsoft-signed
executable can bypass UAC. This includes common system executables which can
be caused to load arbitrary DLLs, and it includes the control panel used to
turn off UAC entirely. It hasn't been and won't be "fixed"; it's just how it
all works.

[http://www.pretentiousname.com/misc/win7_uac_whitelist2.html](http://www.pretentiousname.com/misc/win7_uac_whitelist2.html)

~~~
noinsight
> any Microsoft signed executable can bypass UAC.

If UAC is set to Medium (the default).

If you're serious about security you should set it to High.

~~~
Karunamon
Unfortunately this results in constant annoying prompts.

I don't know what OSX does, but it seems like I'm prompted to escalate far
less often than I would be on a high UAC system. How do the requirements
compare?

~~~
eugenekolo2
Your usage of OSX must be different than mine, because I get prompted far more
than I'd like.

------
politician
I wonder whether various browser vendors are investigating ways to disable
loading WordPress sites given their propensity for being taken over by
exploits. The browser vendors collectively disabled/stunted Flash; maybe it's
time for WordPress to go down?

~~~
Karunamon
Is Wordpress really that insecure, or is it the fact that it's the single most
popular blogging platform out there, requires very minimal technical
competence to set up, and therefore its users are doing dumb things with the
configuration?

~~~
eugenekolo2
I'd call it a combination of it being extremely popular (attackers want it),
minimal technical competence, PHP, and a history of really bad bugs.

~~~
spoiler
WordPress in itself isn't that unsafe; they are pretty diligent in fixing bugs
and security issues. _However_, that is not true about plugins, themes, various
theme/plugin frameworks developed for WordPress[1], or custom-tailored
things[2]. Also, we must factor in the end users' lack of technical
competence[3].

Source: I work for a hosting company with lots of WordPress sites.

[1]: In my experience, there are a lot of purposely back-doored or easily
exploitable themes and plugins. Also, let's not forget that users and/or
developers often get these illegally (without even knowing they did it; it
happened a few times).

[2]: The entry barrier for PHP/WordPress is _extremely low_, and many of these
developers are beginners and lack even a basic understanding of security or
_even_ of how things work; they base stuff off an overly-simplified tutorial
written by someone only slightly more experienced than they are. There are
also inherent language and CMS issues here, but I won't go into those.

[3]: We actually have users who don't update WordPress or any of the
plugins for ages. _AGES_! The other day, I had to argue with a client about why
having a WordPress version from 2006 (something from the 2.0.x release series)
is a bad idea. This is either because the developer stopped supporting and
abandoned development of some component their site depends on, or because of
legacy custom-tailored code that was a one-off purchase.

~~~
teh_klev
As a fellow shared hosting engineer I pretty much agree with [1] and [2], and
for [3] I also feel your pain, but we don't mess about any more arguing the
toss.

We now scan for egregiously out-of-date WordPress installs and warn customers
that their site will be at risk of being disabled if they don't upgrade to the
latest version. If after a couple of days we see no action, then we pull the
site.

If we detect sites serving dodgy links then they're instantly shut down until
the customer can prove they've secured the site.

In 99.9% of cases our customers are happy we do this because they're mostly
businesses and serving malware damages their brand and reputation. We do get
the occasional user who refuses to co-operate, and if they do we serve them
notice to take their business elsewhere.
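
One way to implement the scan-and-warn step described above, as an added example in Python (not code from the post or from the hosting company): it finds each wp-includes/version.php under a hosting root, parses the $wp_version line, and flags installs below an assumed minimum version. The minimum "4.2.2", the per-customer directory layout and the three sample sites are constructed assumptions, not values from the thread.

```python
import re
import tempfile
from pathlib import Path

# WordPress records its version in wp-includes/version.php, e.g.  $wp_version = '4.2.2';
VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([0-9][0-9A-Za-z.\-]*)['\"]")


def version_key(version):
    """Turn '2.0.11' into (2, 0, 11) so versions compare numerically, not as strings."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)          # '2-beta1' -> 2, suffix ignored
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def read_wp_version(version_php):
    """Return the version string from a version.php file, or None if none is found."""
    match = VERSION_RE.search(Path(version_php).read_text(errors="replace"))
    return match.group(1) if match else None


def scan_hosting_root(root, minimum):
    """Map each WordPress install under root (path relative to root) to (version, status)."""
    results = {}
    for version_php in Path(root).rglob("wp-includes/version.php"):
        site = version_php.parent.parent.relative_to(root).as_posix()
        version = read_wp_version(version_php)
        if version is None:
            results[site] = (None, "unparseable")   # mangled or stripped file: hand-check
        elif version_key(version) < version_key(minimum):
            results[site] = (version, "outdated")   # candidate for a customer warning
        else:
            results[site] = (version, "ok")
    return results


def build_sample_root():
    """Create a constructed hosting tree with three fake customer sites (sample data only)."""
    root = Path(tempfile.mkdtemp())
    samples = {"alice": "$wp_version = '2.0.11';",   # constructed: ancient 2.0.x-era install
               "bob": "$wp_version = '4.2.2';",       # constructed: at the assumed baseline
               "carol": "// version line removed"}    # constructed: broken/tampered file
    for site, body in samples.items():
        inc = root / site / "public_html" / "wp-includes"
        inc.mkdir(parents=True)
        (inc / "version.php").write_text("<?php\n" + body + "\n")
    return root


if __name__ == "__main__":
    for site, (version, status) in sorted(scan_hosting_root(build_sample_root(), "4.2.2").items()):
        print(f"{site:<25} {version or '?':<8} {status}")
```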

~~~
spoiler
> If we detect sites serving dodgy links then they're instantly shut down
> until the customer can prove they've secured the site.

We have a similar approach to this actually. The exception being that we clean
the malware ourselves, sadly. I tried to say it is a bad idea multiple times,
but no luck. What makes things worse, we have a few "spoiled" clients that keep
getting their websites hacked (there are 3 such WordPress and Joomla
development resellers), and they started expecting us to clean their websites.
_Sigh_

Also, I tried to argue a few times that we should do the scan-and-warn thing,
but I got turned down with the counter-argument that it would generate more
backscatter on our support department than it would be worth.

