CryptoWall 2.0. The origin of Ransomware

Although CryptoWall 2.0 does the same thing as the well-known CryptoLocker, an analysis by Cisco's computer security specialists makes it possible to affirm that this is not an improved copy but a far more sophisticated development.

When analyzing how CryptoWall 2.0 operates, the words the developer chose for his message are striking: the files have not been "hijacked" but "protected". He adds that their structure has been "irrevocably changed" and that the victim "should not waste time" looking for alternative solutions because "they do not exist". The message tells the owner of the attacked computer that the only way to resolve the situation is to pay as soon as possible, using one of the Tor network addresses that CryptoWall itself provides.

Andrea Allievi and Earl Carter of Cisco's Talos Security Group disclosed several technical aspects of this new malware. First, it was built as a 32-bit binary to reach as many systems as possible. However, it can detect whether the Windows system it is attacking is 64-bit, in which case it switches to an x64 mode. The initial module reaches the targeted computer through a conventional phishing campaign and exploits various Windows vulnerabilities that allow privilege escalation. Versions have also been seen infecting systems through malicious PDF files. All components of the CryptoWall 2.0 installation are encrypted and include a routine to detect whether they are running inside a virtual machine. Its creators knew that malware analysts study malicious code on virtualized systems, so CryptoWall checks that no processes in memory are linked to VirtualBox, VMware, or even Sandboxie.

After disabling all the security measures built into Windows and creating a fake svchost.exe process, CryptoWall downloads a Tor client to obfuscate its communications with the command-and-control network. The version investigated by Cisco's experts points to domains registered in Russia, and each of those domains resolves to an IP address in that country.
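The fake svchost.exe process mentioned above is the kind of masquerading a defender can triage from endpoint process telemetry. The following is an added example, not code from the original post or from Cisco's analysis: it applies three well-known heuristics (a genuine svchost.exe lives under System32 or SysWOW64, is spawned by services.exe, and is Microsoft-signed) to a constructed process snapshot. The record layout, the default `C:\Windows` path and the sample entries are assumptions for illustration.

```python
"""Triage a Windows process snapshot for svchost.exe masquerading (added example)."""
from pathlib import PureWindowsPath

# Legitimate svchost.exe lives only here (assumes the default %SystemRoot%).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Heuristic: service hosts are started by services.exe. A few Windows
# components are known exceptions, so tune this per environment.
LEGIT_SVCHOST_PARENT = "services.exe"

# Constructed sample records, shaped like parsed Sysmon Event ID 1 data.
SAMPLE_PROCESSES = [
    {"pid": 812, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "signed": True},
    {"pid": 3341, "image": r"C:\Users\victim\AppData\Roaming\svchost.exe",
     "parent_image": r"C:\Users\victim\AppData\Local\Temp\invoice.exe", "signed": False},
    {"pid": 4100, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe", "signed": True},
]


def svchost_findings(proc):
    """Return the reasons an svchost.exe-named process looks suspicious (empty if none)."""
    reasons = []
    image = PureWindowsPath(proc["image"])
    if image.name.lower() != "svchost.exe":
        return reasons  # only svchost.exe lookalikes are in scope here
    if str(image.parent).lower() not in LEGIT_SVCHOST_DIRS:
        reasons.append(f"unexpected image path: {proc['image']}")
    parent_name = PureWindowsPath(proc.get("parent_image", "")).name.lower()
    if parent_name != LEGIT_SVCHOST_PARENT:
        reasons.append(f"unexpected parent process: {proc.get('parent_image')}")
    if not proc.get("signed", False):
        reasons.append("image is not Microsoft-signed")
    return reasons


def triage(processes):
    """Map PID -> findings for every process that trips at least one heuristic."""
    flagged = {}
    for proc in processes:
        findings = svchost_findings(proc)
        if findings:
            flagged[proc["pid"]] = findings
    return flagged


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_PROCESSES).items():
        print(pid, "->", "; ".join(reasons))
```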

Post Author: Enrique Gordillo
