
Rise in Anti-Child Porn Spam Protection Ransomware infections


10 replies to this topic

#1 Nathan (DecrypterFixer)

  • Security Colleague
  • 1,617 posts
  • Gender:Male
  • Location:Florida

Posted 20 August 2014 - 06:45 PM

Over the last 2 months I have had different users contact me about an infection that turns their files into .EXE's. Unfortunately, none of these users ever had a dropper (Original Infecting application) or a ransom note to help me identify what the infection was. That all changed yesterday when yet another victim contacted me. After walking the user through the files I needed, it quickly became apparent that what was sent to me was a new version of ACCDFISA, or Anti-Child Porn Spam Protection, Ransomware. This variant is similar to the older ACCDFISA variant but with some adjustments to keep the detection rate low among other things. The description of what it does is still the same as what Grinler posted in the above post:
 

This ransomware pretends to be from a legitimate government organization that states that the infected computer is sending out SPAM that contains links to child pornography sites. The ransom program then states that in order protect yourself, and others, it has encrypted your data using Advanced Encryption Standards, or AES, encryption. Just like the Malware Protection and the ACCDFISA Protection Program variants, these files are not actually encrypted but are password protected RAR files.



[Screenshot: ScreenLocker window for ACCDFISA v2.0. There are actually a few different versions of this, as you will see in the image of the HTML file below.]

[Screenshot: ACCDFISA v2.0 HTML file. These can be worded slightly differently, and can have different emails to message the virus creator.]



There seems to be either a leak of the ACCDFISA v2.0 source, or the creator is mixing up the layout of Ransom Note, Screen Locker, and even the internal code. So far I have found 3 different versions of ACCDFISA v2.0 with different contact emails, Ransom Notes, Code, and what is worse is even the method of delivery. The previous ACCDFISA v2.0 mostly only affected servers with RDP enabled with weak security. But the last 2 victims I have been messaging had neither a server nor RDP enabled, and claimed to have gotten it either by email or a malicious or hacked site. This makes this older modified infection another top placer for worst encrypting infections because the key is unrecoverable, Restore Points are wiped, the computer is locked down, services are mangled, free space and deleted files are wiped with SDelete, and of course files are encrypted with WinRar SFX AES exe's.

For informational purposes, the 2 virus creator emails I have found with these variants are brhelpinfo@gmail.com and Dextreme88@gmail.com.

When first run, this program will scan your computer for data files and convert them to password protected RAR .exe files. These password protected data files will be named in a format similar to test.txt(!! to decrypt email id <id> to <Email>@gmail.com !!).exe. It will then use Sysinternals' SDelete to delete the original files in such a way that they cannot be undeleted using file recovery tools. It will also set a Windows Registry Run entry to start c:\<Random Number>\svchost.exe when your computer starts. This program is launched immediately when you log on and blocks access to your Windows environment. If you boot your computer using SafeMode, Windows Recovery disk, or another offline recovery CD, you can delete or rename the c:\<Random Number>\svchost.exe file in order to regain access to your Windows Desktop. This "lockout" screen will also prompt you to send the hackers the ransom in order to get a passcode for the system lockout screen and for your password protected files.

This variant took 3 hours to completely finish on my VM. I was able to access the key file, and decrypt nearly all files and back them up before shutdown. So if you are lucky enough to see this happening, you should immediately backup the key file on the desktop / in the ProgramData folder.

Sadly, just like the past variants, files cannot be decrypted either without the key, or a backup. If you are reading this infection free I have one question: Have you backed up today? If not, you better get to it as these types of computer infections are on the rise and definitely here to stay!

The files that this infection creates when it is installed are:

File List:
c:\<Random>\svchost.exe - ScreenLocker / Decrypter
c:\<Random>\howtodecryptaesfiles.htm - RansomNote that all RansomNote lnk's point to
c:\ProgramData\fdst<Random>\lsassw86s.exe - Encrypter / Main dropper
c:\ProgramData\<Random>\<Random>.dll - Different Numbers and Hashes used by the infection / Also where Temp Key is kept, but removed after completion
c:\ProgramData\<Random>\<Random>.DLLS - List of files to be infected by WinRar
c:\ProgramData\<Random>\svchost.exe - WinRar CUI renamed
c:\ProgramData\<Random>\svchost.exe - SDelete renamed
c:\ProgramData\svcfnmainstvestvs\stppthmainfv.dll - List of Numbers used by the infection
c:\ProgramData\svtstcrs\stppthmainfv.dll - List of Numbers used by the infection
c:\Windows\System32\backgrounds2.bmp - Renamed ScreenLocker / Decrypter, used to replace the one in ProgramData if deleted
c:\Windows\System32\lsassw86s.exe - Renamed Encrypter / Main dropper, used to replace the one in ProgramData if deleted
c:\Windows\System32\scsvserv.exe - Used to completely mangle / disable services to further lock down the computer
c:\Windows\System32\lsassvrtdbks.exe - Assists with encryption
c:\Windows\System32\session455.txt - Temp storage used with .BAT file to log off user account
c:\Windows\System32\decryptaesfiles.html - Used to copy to ProgramData
c:\Windows\System32\Sdelete.dll - Used to copy SDelete to ProgramData
c:\Windows\System32\kblockdll.dll - Used to lock desktop
c:\Windows\System32\btlogoffusrsmtv.bat - Used to log user off
c:\Windows\System32\default2.sfx - Used with WinRar to encrypt files
c:\Windows\System32\cfwin32.dll - WinRar CUI renamed
%Desktop%\<Random>.Txt - Also contains Decrypt Key, but removed after completion

Registry List:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run C:\<Random>\svchost.exe - Launches ScreenLocker
HKCU\Software\Microsoft\Windows\CurrentVersion\Run C:\<Random>\svchost.exe - Launches ScreenLocker
HKLM\Software\Microsoft\Windows\CurrentVersion\Run C:\ProgramData\<Random>\svchost.exe - Launches ScreenLocker


Have you performed a routine backup today?
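As an added example (not code from the post or from any tool Nathan mentions), a small Python check that flags file paths matching the ransomed-file naming format and the component paths listed above, so a responder can triage a file inventory from an offline boot. The regexes and sample paths are my own construction from that list; the root folder is assumed to be numeric, as the post's "<Random Number>" wording indicates, and the registry Run entries are not covered.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Ransomed-file name format quoted in the post:
#   <name>(!! to decrypt email id <id> to <Email>@gmail.com !!).exe
RANSOMED_NAME_RE = re.compile(
    r"^(?P<original>.+?)\(!! to decrypt email id (?P<id>\S+) to "
    r"(?P<email>[^\s)]+@[^\s)]+) !!\)\.exe$",
    re.IGNORECASE,
)

# Component paths from the post's file list, <Random> replaced by a regex
# group; the root folder is assumed to be a random number, hence \d+.
# Paths are normalised to forward slashes before matching.
COMPONENT_RES = [re.compile(p, re.IGNORECASE) for p in (
    r"^c:/\d+/(svchost\.exe|howtodecryptaesfiles\.htm)$",
    r"^c:/programdata/fdst[^/]+/lsassw86s\.exe$",
    r"^c:/programdata/(svcfnmainstvestvs|svtstcrs)/stppthmainfv\.dll$",
    r"^c:/windows/system32/(lsassw86s|scsvserv|lsassvrtdbks)\.exe$",
    r"^c:/windows/system32/(kblockdll|sdelete|cfwin32)\.dll$",
    r"^c:/windows/system32/(btlogoffusrsmtv\.bat|default2\.sfx|backgrounds2\.bmp"
    r"|session455\.txt|decryptaesfiles\.html)$",
)]

@dataclass
class Finding:
    path: str
    reason: str
    email: Optional[str] = None      # attacker contact address (ransomed files only)
    victim_id: Optional[str] = None

def classify(path: str) -> Optional[Finding]:
    """Return a Finding if the path matches an ACCDFISA v2.0 artifact, else None."""
    norm = path.replace("\\", "/")
    m = RANSOMED_NAME_RE.match(norm.rsplit("/", 1)[-1])
    if m:
        return Finding(path, "ransomed file (password-protected RAR SFX)",
                       email=m.group("email"), victim_id=m.group("id"))
    if any(rx.match(norm) for rx in COMPONENT_RES):
        return Finding(path, "ACCDFISA v2.0 component")
    return None

def scan(paths: Iterable[str]) -> List[Finding]:
    """Classify every path in a file inventory and keep only the hits."""
    return [f for f in map(classify, paths) if f is not None]
```

Feed `scan()` the output of a directory listing taken from the recovery environment; each hit carries the contact address and victim id parsed from the filename, which is what the victim needs to cross-check against the ransom note.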


#2 sempre

  • Members
  • 7 posts

Posted 21 August 2014 - 09:45 AM

Very good post!!  We received several cases of this variant!



#3 cat1092 (Bleeping Cat)

  • BC Advisor
  • 7,018 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 25 August 2014 - 08:18 PM

Thanks for the article & links! :thumbup2:

 

It's my hope that more computer users & Administrators will take backup more seriously; the only cost involved is an extra hard drive, which many have, maybe in a broken computer or lying around. In that case, all that's needed is an enclosure or docking station (the latter usually accepts both 2.5" & 3.5" drives). Backup software is free, some drive manufacturers provide this, however I & many more have found the Free version of Macrium Reflect to be quite adequate & flexible. It can even clone a larger HDD to a smaller SSD.

 

Make certain to create Recovery Media when prompted, the WinPE is more flexible, allowing backups to be done outside of the Windows environment. This is a plus to prevent backup corruption, as no security software, maintenance or other activity will be taking place. Some files will need to be downloaded for WinPE media, if the Windows Automated Install Kit (WAIK) isn't already installed. 

 

And be sure to disconnect the backup drive while not in use. Otherwise, if your computer gets this infection, you'll be locked out of your backups too. Turning a switch off isn't enough, remove the cable. Smart crooks may find a way to remotely turn it on, especially if it's "shared" media. Take no chances with this, it's your lifeline to quickly restoring your files when needed. 

 

This isn't the 1990's; backup images today serve a dual purpose. Recovery from hardware failures & traditional style infections, and now the major ones that seize the computer. It's far better to be prepared (& keep your hard earned money), than to be faced with financial loss & uncertainty. There have been reported instances where the victim paid the ransom & not all files were possible to decrypt.

 

Don't get caught off guard. With a plan of action, most can be up & running again within minutes, or for those with larger drives & lots of data, within 2-3 hours. It's best to perform weekly backups (more for a place of business) & keep a couple of these backups on hand. If space permits, always try to keep the first, and the last two.

 

Cat


Performing full disc images weekly and keeping important data off of the 'C' drive as generated can be the best defence against Malware/Ransomware attacks, as well as a wide range of other issues. 


#4 Allen

  • Members
  • 337 posts
  • Gender:Male
  • Location:Canada

Posted 25 August 2014 - 09:08 PM

Interesting, I wonder how long it will be before you're locked out of your own home unless you pay ransom.


Hey everyone I'm Allen I am a young web developer/designer/programmer I also help people with computer issues including hardware problems, malware/viruses infections and software conflicts. I am a kind and easy to get along with person so if you need help feel free to ask.

#5 cat1092 (Bleeping Cat)

  • BC Advisor
  • 7,018 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 25 August 2014 - 11:40 PM

Allen, hopefully things won't get that bad. 

 

It's just that the Internet is now a necessity for most of us in modern nations & the bad guys are taking advantage of that fact. Criminals have always been in society to some degree, and they're getting more creative in their deeds. Too, many operate in areas where there are no laws against what they're doing, or pay them to look the other way.

 

We hear about Internet threats all the time, but seldom of arrests & less of convictions. 

 

Cat


Performing full disc images weekly and keeping important data off of the 'C' drive as generated can be the best defence against Malware/Ransomware attacks, as well as a wide range of other issues. 


#6 Felipe2237

  • Members
  • 353 posts
  • Gender:Male
  • Location:California, USA

Posted 26 August 2014 - 08:29 PM

Can the .rar passwords not be cracked? I'm unfamiliar with how WinRAR handles its passwords, but I'm assuming it can be done.


Unofficial iOS Genius


#7 cat1092 (Bleeping Cat)

  • BC Advisor
  • 7,018 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 26 August 2014 - 08:53 PM

Probably can, by someone who knows what they're doing. Of course, the strength of the password has a lot to do with this.

 

Though the .rar file itself can be encrypted, along with the rest of the items on the computer. The thieves don't need what's in it, the owner does. 

 

All they want is your money to get your files back. 

 

Frequent backup & smart computing practices avoid the need to pay up.

 

Cat


Performing full disc images weekly and keeping important data off of the 'C' drive as generated can be the best defence against Malware/Ransomware attacks, as well as a wide range of other issues. 


#8 Nathan (DecrypterFixer) - Topic Starter

  • Security Colleague
  • 1,617 posts
  • Gender:Male
  • Location:Florida

Posted 26 August 2014 - 09:02 PM

This infection uses WinRAR, which in turn uses AES 256 encryption, which is as secure as RSA present day speaking.

The only way possible to crack RAR passwords is brute force because most people use small and weak seeds for the AES encryption. Every WinRAR cracking program out there uses brute force or dictionary attacks.

But this virus creator learned his lesson on v2, in which he uses a 114 char password that is securely deleted after it is finished.

This infection is encryption secure, and cannot be cracked.


Have you performed a routine backup today?

#9 cat1092 (Bleeping Cat)

  • BC Advisor
  • 7,018 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 26 August 2014 - 09:47 PM

These new-generation infections are obviously very potent at the point of attack & I have a feeling that more of this type will be launched as time passes. 

 

I mean, why bother with robbing banks & the risks thereof? This is a higher payoff & chances of getting caught are much less. And if caught, the penalty will be less severe than a violent crime. 

 

Another thing I've noticed in the last couple of months is the rise in emails, many that land in the inbox (not Junk or Spam), that have attachments. This is likely how many are getting infected with these ruthless infections; it's also been reported that some simply require opening of the email & the attachment isn't always needed (drive-by attacks). This isn't exactly news either, it has been going on since at least 2012, here's one article about it.

 

http://www.theblaze.com/stories/2012/02/02/malicious-email-downloads-drive-by-virus-just-by-clicking-open/

 

So it's best to simply mark as junk any email from non-contacts, and look closely before opening any emails; most with attachments will have a symbol notifying the user that something's inside.

 

Of course, it's also best to keep Windows & all software up to date. Secunia PSI can help with this, many apps can be set to auto update via this weekly scanner. 

 

Cat


Performing full disc images weekly and keeping important data off of the 'C' drive as generated can be the best defence against Malware/Ransomware attacks, as well as a wide range of other issues. 


#10 sempre

  • Members
  • 7 posts

Posted 17 March 2015 - 03:16 PM

Hello!

Sorry, is there a solution for this case today? (ACCDFISA v2.0)


Edited by sempre, 17 March 2015 - 03:18 PM.


#11 Espanholeto

  • Members
  • 1 posts

Posted 01 September 2015 - 09:07 AM

I had backup files, but I want to see these SOB's rotting in jail. If someone knows what to do to get these gadders arrested, please let me know.

 

Ps.: I'm from Brazil


Edited by Espanholeto, 01 September 2015 - 09:10 AM.

