CryptoLocker virus for Windows

For everything that's not in any way related to PureBasic. General chat etc...
PB
PureBasic Expert
Posts: 7581
Joined: Fri Apr 25, 2003 5:24 pm

CryptoLocker virus for Windows

Post by PB »

In another post in these forums, Microsoft was quoted as saying:

> Without elevation, malware can't make system-wide changes or affect other users.

:lol: That deadly new CryptoLocker virus certainly doesn't need any elevation to hold
all your personal documents, music, photos and videos to ransom. Stupid Microsoft.

So, if you're a Windows user and haven't read about CryptoLocker yet, you'd better:

http://en.wikipedia.org/wiki/CryptoLocker

Basically, if you get infected by it, you can kiss all your data goodbye.
It's the equivalent of taking your PC and just throwing it in the trash.
I compile using 5.31 (x86) on Win 7 Ultimate (64-bit).
"PureBasic won't be object oriented, period" - Fred.
Danilo
Addict
Posts: 3036
Joined: Sat Apr 26, 2003 8:26 am
Location: Planet Earth

Re: CryptoLocker virus for Windows

Post by Danilo »

PB wrote:
> In another post in these forums, Microsoft was quoted as saying:
>
> > Without elevation, malware can't make system-wide changes or affect other users.
>
> :lol: That deadly new CryptoLocker virus certainly doesn't need any elevation to hold
> all your personal documents, music, photos and videos to ransom. Stupid Microsoft.
CryptoLocker seems to have limited access rights, so the quote is right, isn't it?
Without elevation you shouldn't be able to access system stuff or other users' accounts,
but your personal files are always accessible to every program, PB programs included,
so that's not a special thing with CryptoLocker, AFAIK.
You can also access user files with non-elevated programs on MacOSX and GNU/Linux,
so that's not much different...!?

We already have App sandboxing, code signing, and App distribution through AppStores,
and Apps get verified by Microsoft and Apple before they get into the App stores.
Seems to work pretty well so far, so it looks like this is the future and untrusted programs
will be completely blocked from running in future operating systems.
Last edited by Danilo on Sun Nov 24, 2013 3:16 am, edited 1 time in total.
skywalk
Addict
Posts: 4242
Joined: Wed Dec 23, 2009 10:14 pm
Location: Boston, MA

Re: CryptoLocker virus for Windows

Post by skywalk »

Just like voting...backup early and often :lol:
The nice thing about standards is there are so many to choose from. ~ Andrew Tanenbaum
PB
PureBasic Expert
Posts: 7581
Joined: Fri Apr 25, 2003 5:24 pm

Re: CryptoLocker virus for Windows

Post by PB »

> CryptoLocker seems to have limited access rights, so the quote is right, isn't it?

That's my point. Microsoft says to run as a limited user to prevent malware,
but CryptoLocker can waltz into a limited account and do major damage
anyway. So, running your PC under a limited account is totally pointless,
and just inconveniences the user because of UAC prompts all the time.
I compile using 5.31 (x86) on Win 7 Ultimate (64-bit).
"PureBasic won't be object oriented, period" - Fred.
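The exchange above turns on one fact: a process running in a plain user account can read and rewrite every file that account owns, so neither UAC nor a limited account stands between ransomware and your documents. What a defender can still do is watch the files themselves. The following is an added example (not code from this thread or from CryptoLocker analysis) of the simplest such check: flag user files whose extension says "text" but whose content has become near-random, and files carrying an encryptor-style suffix. The directory layout, the sample files and the ".encrypted" / ".locked" suffixes are constructed here for illustration and are not a description of what CryptoLocker actually did to filenames.

```python
"""Entropy-based check for user files that have been rewritten by an encryptor.

Added example, not code from the thread.  It does not detect CryptoLocker
specifically; it shows the point made in the posts above: a process in a
plain user account can rewrite everything that account owns, so the files
themselves have to be watched.  All sample data below is constructed.
"""
from __future__ import annotations

import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Extensions whose content should normally be low-entropy text or markup.
TEXTLIKE = {".txt", ".csv", ".doc", ".docx", ".rtf", ".html"}
# Hypothetical suffixes an encryptor might append (assumption for the demo,
# not CryptoLocker's real behaviour).
SUSPECT_SUFFIXES = {".encrypted", ".locked"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted or random data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_user_files(root: Path, threshold: float = ENTROPY_THRESHOLD) -> list[dict]:
    """Return one finding per suspicious file under root.

    A file is flagged when it carries an encryptor-style suffix, or when its
    extension says "text" but its content is near-random.  Media and archives
    (jpg, zip, ...) are high-entropy by nature, so they are not judged on
    entropy alone; that caveat is what keeps a naive entropy scan from being
    pure noise.
    """
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        ent = shannon_entropy(data)
        suffix = path.suffix.lower()
        reasons = []
        if suffix in SUSPECT_SUFFIXES:
            reasons.append("encryptor-style suffix")
        if suffix in TEXTLIKE and ent > threshold:
            reasons.append(f"text file with entropy {ent:.2f} bits/byte")
        if reasons:
            findings.append({
                "file": path.relative_to(root).as_posix(),
                "entropy": round(ent, 2),
                "reasons": reasons,
            })
    return findings


def build_sample_tree(root: Path) -> None:
    """Construct a fake user profile: intact documents, a photo, two encrypted docs."""
    rng = random.Random(20131124)  # fixed seed so the demo is reproducible
    noise = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    (root / "Documents").mkdir()
    (root / "Pictures").mkdir()
    (root / "Documents" / "notes.txt").write_bytes(b"Meeting notes: back up the NAS on Friday.\n" * 50)
    (root / "Documents" / "budget.csv").write_bytes(b"item,cost\nrent,1200\nfood,400\n" * 40)
    (root / "Pictures" / "holiday.jpg").write_bytes(noise(4096))             # legit but high-entropy
    (root / "Documents" / "report.txt").write_bytes(noise(4096))             # "encrypted" in place
    (root / "Documents" / "thesis.docx.encrypted").write_bytes(noise(4096))  # "encrypted" and renamed


def demo() -> list[str]:
    """Build the sample tree in a temp dir, scan it, return flagged relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return [f["file"] for f in scan_user_files(root)]


if __name__ == "__main__":
    for hit in demo():
        print("suspicious:", hit)
```

Running it flags report.txt and thesis.docx.encrypted and leaves the photo alone. In practice this belongs in a scheduled task or a file-system watcher over the user's profile, paired with the backups skywalk mentions; the entropy test is a heuristic, so treat a burst of hits in one directory, not a single file, as the alarm condition.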
skywalk
Addict
Posts: 4242
Joined: Wed Dec 23, 2009 10:14 pm
Location: Boston, MA

Re: CryptoLocker virus for Windows

Post by skywalk »

Yes, all must be assumed evil. Only trusted apps are allowed to run via White Listing or digital signatures.
Of course, any bad guys that figure a way to create trusted signatures will be hired by the NSA.
This saves the NSA from demanding a port on each company's signature server :evil:
The nice thing about standards is there are so many to choose from. ~ Andrew Tanenbaum
tj1010
Enthusiast
Posts: 716
Joined: Mon Feb 25, 2013 5:51 pm

Re: CryptoLocker virus for Windows

Post by tj1010 »

Using 8- and 16-bit malware methods with modern computer power and cryptography.

All it'd take is rooting one C&C and dumping a DB; they all sync, and they don't use flux DNS, just DN generation. The RSA public key can be dumped with a runtime debugger, and the AES ones too when you have the code. The author at least used a proper encryption system, but I doubt they harden their C&C servers. There might be a way to still get the AES key(s) without the code.

Why don't people just use built in ACLs and sandboxing solutions?