Last Updated: 2015-01-19 16:39:16 UTC
by Johannes Ullrich (Version: 1)
This is a guest diary submitted by Brad Duncan.
Various sources have reported version 3 of CryptoWall has appeared   . This malware is currently seen from exploit kits and phishing emails. CryptoWall is one of many ransomware trojans that encrypt the personal files on your computer and demand a bitcoin payment before you can unlock them.
I got a sample on Wednesday, January 14th 2015 while infecting a virtual machine (VM) from a malicious server hosting the Magnitude exploit kit.
If you're registered with Malwr.com, you can get a copy of this CryptoWall 3.0 sample at:
Let's look at the traffic from my infected VM:
In this example, the infected VM checked ip-addr.es to determine its public IP address. Then the VM communicated with a server at 220.127.116.11 over a non-standard HTTP port. In this case it was port 2525, but I saw different ports in other hosts I've infected with this sample.
Finally, the user viewed a web page for the decrypt instructions at 18.104.22.168.
When monitoring the infection traffic with Security Onion , we see an EmergingThreats alert for CryptoWall check-in .
The decryption instructions specify the following bitcoin account for a ransom payment: 1GJRTp9YRKFEvzZCTSaRAzrHskFjEwsZy
Here's what the user would see on their desktop screen:
Brad Duncan is a Security Researcher at Rackspace, and he runs a blog on malware traffic analysis at http://www.malware-traffic-analysis.net