Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

New ransomware called Anti-Child Porn Spam Protection or ACCDFISA


  • Please log in to reply
328 replies to this topic

#16 ITGeekGirl

ITGeekGirl

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Michigan
  • Local time:05:54 PM

Posted 11 April 2012 - 03:22 PM

Don't pay the ransom. They don't care about your information, honestly. There is absolutely no guarantee they'll give you your information back. Wasn't there a program like this before that when you payed the ransom, they gave you a pass code that just DELETED everything anyway?

BC AdBot (Login to Remove)

 


m

#17 accdfisa

accdfisa

  • Banned
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:54 PM

Posted 11 April 2012 - 03:41 PM

Don't pay the ransom. They don't care about your information, honestly. There is absolutely no guarantee they'll give you your information back. Wasn't there a program like this before that when you payed the ransom, they gave you a pass code that just DELETED everything anyway?


Bullbleep - we had never get passcode wich deleting information, we get passcodes and everything has been
back to normal - all files were successefully decrypted. Deleting - it maybe if someone use another
passcodes (not from us) or hacking our software.

And we have a proof that we have password to files (You can send one file to us and we will decrypt
it).

You may dont pay, but you loose your files forever.

Good luck!

#18 Akthalian

Akthalian

  • Members
  • 48 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Jacksonville, FL
  • Local time:06:54 PM

Posted 12 April 2012 - 09:42 AM


Don't pay the ransom. They don't care about your information, honestly. There is absolutely no guarantee they'll give you your information back. Wasn't there a program like this before that when you payed the ransom, they gave you a pass code that just DELETED everything anyway?


Bullbleep - we had never get passcode wich deleting information, we get passcodes and everything has been
back to normal - all files were successefully decrypted. Deleting - it maybe if someone use another
passcodes (not from us) or hacking our software.

And we have a proof that we have password to files (You can send one file to us and we will decrypt
it).

You may dont pay, but you loose your files forever.

Good luck!



First thing:

Is this poster claiming to be the creator of the software?


Second thing:


IF you are the person who wrote this, the only people that will be in trouble over this will be people who are negligent and don't backup their data. For people like myself, with a strong AV solution and a backup strategy, your clever little piece of software is effectively useless in hindering me in anyway. But thanks for playing.


As long as a user has backups, this infection is merely a minor irritant.
A+ Certified Support Technician

#19 ITGeekGirl

ITGeekGirl

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Michigan
  • Local time:05:54 PM

Posted 12 April 2012 - 11:38 AM

Hi all, and specially hello to Fabian :)

Im the author.

Guys, I have considered my previous mistakes and wrote new unbleepable version.



Yep, I believe this guy is claiming ownership to the piece of work.

I'm not sure how you can proudly sit there and be okay with yourself. You, sir, are a tool.

#20 accdfisa

accdfisa

  • Banned
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:54 PM

Posted 12 April 2012 - 12:17 PM

From what we know, those infected are directly hacked by the malware author.



You talking about that server hacked by me. Ok. And Do you think that server hacked by me only?
If i can hacked - another person can hacked server also and run spam software. Right?
The servers wich has been infected by accdfisa software were hacked before accdfisa and spamming ads of
child porn sites.

to ITGeekGirl:
If you dont believe that im author, just send email me at security11220@gmail.com (This email is from
accdfisa software).

And im okay, why i cant sit here?

Noone person in the World can get first password and decrypt Files that encrypted by my software.

Plus I'm fighting the spread of child pornography.

I've got to be proud :)

Edited by accdfisa, 12 April 2012 - 12:25 PM.


#21 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,268 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:54 PM

Posted 12 April 2012 - 12:27 PM


From what we know, those infected are directly hacked by the malware author.



You talking about that server hacked by me. Ok. And Do you think that server hacked by me only?
If i can hacked - another person can hacked server also and run spam software. Right?
The servers wich has been infected by accdfisa software were hacked before accdfisa and spamming ads of
child porn sites.


Personally, I could care less if the servers were previously hacked. You hacked them again to install your software on it. Simple as that.

As for the child porn spams. personally I think your not telling the truth regarding that and only saying it to scare the victim to pay the ransom.

I could be wrong, but that's a completely different matter anyway. The simple truth is that your ransoming people's data so that you can get paid. End of story.

#22 Sillycat98

Sillycat98

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:54 PM

Posted 12 April 2012 - 01:03 PM


From what we know, those infected are directly hacked by the malware author.



You talking about that server hacked by me. Ok. And Do you think that server hacked by me only?
If i can hacked - another person can hacked server also and run spam software. Right?
The servers wich has been infected by accdfisa software were hacked before accdfisa and spamming ads of
child porn sites.

to ITGeekGirl:
If you dont believe that im author, just send email me at security11220@gmail.com (This email is from
accdfisa software).

And im okay, why i cant sit here?

Noone person in the World can get first password and decrypt Files that encrypted by my software.

Plus I'm fighting the spread of child pornography.

I've got to be proud :)



Oh yes, sounds like you have a lot to be proud of.

You took a bunch of open source software and combined them (WinRAR and SDelete) then started trying to frame people for distributing child porn, which you are obviously a fan of since you have the sites to spam/download from in your program.

Also, you should be very proud of your English skills. There are not that many people around who can speak it as well as you can person. You are just so awesome. So awesome in fact that I have a link for you to look at.

http://dictionary.reference.com/browse/sarcasm

Now then, how about you go and take a long walk on a short pier and make sure you take big breaths when you get under the water.

Cheers,
A person highly amused at accdfisa's attempt to troll.

#23 warsawtech

warsawtech

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:04:54 PM

Posted 12 April 2012 - 04:06 PM

Suffered an attempted attack by this hack. Got notified by my monitoring program that Trendmicro Worry Free had been uninstalled on the server and Symantec Backup Exec had been uninstalled. Pretty much states the fact that someone had gotten in to it.Got up and remotely logged into server to see what was up. As the fates would have it I quickly got Malwarebytes installed and run removing the issues.
Then I guess I'm lucky in that the broadband provider DSL went down isolating it from the Net.

I drove to the site and cleared all "****(!! to decrypt email id 1400057358 to security11220@gmail.com !!).exe" files off around 172 of them. Found a folder also holding the program the Ultimate Decrypter which I removed.

Next I removed access to RDP in router and blocked all incoming ports.

Once I had the server back online and working I walked through various directories and found that any folder that had the name "backup" was emptied. I have offsite backups and went ahead and did a entire baremetal system restore that night just to make me sleep better.

As many have suggested, 1) Don't have RDP enabled 2) Monitor your servers for any software changes 3) Invest in Monitoring software or get a MSP to do it for you 4) Improve the security of your administrator password to at least 18 characters. 5) Monitor your security logs for failed login attempts.

#24 caperjac

caperjac

  • Members
  • 1,649 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NS. CAN
  • Local time:07:54 PM

Posted 12 April 2012 - 04:14 PM

don't know why this forum and its postersa re giving this poster accdfisa the time of day ,most forum i am a membet tof would have blocked or deleted them by now

My answers are my opinion only,usually


#25 Sillycat98

Sillycat98

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:54 PM

Posted 12 April 2012 - 04:38 PM

don't know why this forum and its postersa re giving this poster accdfisa the time of day ,most forum i am a membet tof would have blocked or deleted them by now


Mostly because he is so stupid that he is quite funny, at least for me.

Him claiming to be the author, his spelling and grammar, his general smugness that suggests that he will not get in trouble over this if he really is the author.

I am rather just waiting for news of his door being broken in and him dragged off by the feds of whatever country is in. His program is extortion which is going to be illegal pretty much where ever he is.

Edited by Sillycat98, 12 April 2012 - 04:39 PM.


#26 Quads

Quads

  • Members
  • 86 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:CHCH New Zealand
  • Local time:10:54 AM

Posted 12 April 2012 - 06:24 PM

I have variants to play with, to see is I can reverse everything.

Quads

#27 ITGeekGirl

ITGeekGirl

  • Members
  • 64 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Michigan
  • Local time:05:54 PM

Posted 13 April 2012 - 09:41 AM

I have variants to play with, to see is I can reverse everything.

Quads


?

#28 mike gee

mike gee

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:54 PM

Posted 14 April 2012 - 02:02 AM

bla,bla,bla and no help at all, what is the sense of this????

#29 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,268 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:54 PM

Posted 14 April 2012 - 08:01 AM

These topics were originally created for people who were affected to come and receive help. As it just has become a sounding board for the malware developer, I have closed this topic.

#30 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,268 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:54 PM

Posted 17 April 2012 - 07:30 PM

This ransomware has been updated today. It still uses the name Anti-Child Porn Spam Protection, but uses some different file names and service names.

The new Windows service that is created is the NIaSvc, with a display name Network Locatlon Awareness and a imagepath of C:\WINDOWS\system32\svschost.exe.

The files that are installed with this variant are:

c:\dc.exe
c:\svchost.exe
c:\Documents and Settings\All Users\Desktop\.bat
c:\Documents and Settings\All Users\Desktop\.txt
c:\ProgramData\.bat
c:\ProgramData\.dll
c:\ProgramData\.dll.dlls
c:\ProgramData\.dlls
c:\ProgramData\svchost.exe
c:\WINDOWS\system32\cfwin32.dll
c:\WINDOWS\system32\csrss32.dll
c:\WINDOWS\system32\csrss64.dll
c:\WINDOWS\system32\default2.sfx
c:\WINDOWS\system32\NoSafeMode.dll
c:\WINDOWS\system32\nsf.exe
c:\WINDOWS\system32\sdelete.dll
c:\WINDOWS\system32\svschost.exe




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users