Anti-Child Porn Spam Protection ransomware

Ken
Posts: 12191
Joined: Wed Dec 31, 1969 7:00 pm
Location: Tampa

Anti-Child Porn Spam Protection ransomware

Post by Ken »

Anyone heard of this? It is superbad! :eek:

A friend called me a bit ago as his business server is infected. Basically it puts all of your data into a locked rar file and demands that you send money to get the password (and the password probably doesn't work anyway, so you are screwed!).
I found some info on bleeping computer, however it is for the last version as apparently the malware author has made a newer version...

http://www.bleepingcomputer.com/forums/topic449398.html

http://www.google.com/search?hl=en&biw= ... CHwQ1QIoAw

My friend's business data is involved here, so if any of you guys know how to crack a rar file or anything on this bad boy, please let me know! TIA
morbidpete
Posts: 7283
Joined: Sat Mar 30, 2002 12:00 pm
Location: W. Warwick RI

Post by morbidpete »

I know the BackTrack distro has a utility in it called cRARk. Never tried it. I have the distro on my thumb drive. I'll give it a go and see how good it is.
Ken
Posts: 12191
Joined: Wed Dec 31, 1969 7:00 pm
Location: Tampa

Post by Ken »

Thanks, Pete! Apparently it is with AES encryption... :eek: It is all of his business data, so he is screwed. I don't have a lot of time to research and help him as I go back into the hospital next week for a couple of weeks and am backed up trying to get my stuff caught up before I go in... Any help is appreciated and may involve some cash appreciation... ;)
morbidpete
Posts: 7283
Joined: Sat Mar 30, 2002 12:00 pm
Location: W. Warwick RI

Post by morbidpete »

I created a rar file with AES and password protection using a 9 char password "Pass123$$" and created the definition file. I have it running on a Core2Duo 2.8, so we will see how long it takes. The cRARk program is also Windows based (CMD only) and only uses 1 core, but it is GPU aware and will work much faster with a compatible GPU (which I do not have). It is running now; it's on the "4 character passwords". When it gets to 9 we will see how it does.
morbidpete
Posts: 7283
Joined: Sat Mar 30, 2002 12:00 pm
Location: W. Warwick RI

Post by morbidpete »

Just a side note: no local or remote backups?
Faust
Posts: 8730
Joined: Sat Apr 22, 2000 4:34 am
Location: Huntington Beach, CA

Post by Faust »

Yeah, I have heard of that racket; threatening to notify authorities of your "child porn" stash or browsing history (which they fabricate) unless you pay them. The lockup of data I hadn't heard of, though.

If he's in a real pinch, and using a CPU to brute-force AES winds up taking too long it may benefit to either find someone with a newer nVidia video card or buy one. A GPU, in this case a nVidia card running CUDA, can do this much much faster which is why many people use them to make bitcoins (or decrypt md5s and whatnot).
"Today is a black day in the history of mankind."

- Leo Szilard
morbidpete
Posts: 7283
Joined: Sat Mar 30, 2002 12:00 pm
Location: W. Warwick RI

Post by morbidpete »

Faust wrote:Yeah, I have heard of that racket; threatening to notify authorities of your "child porn" stash or browsing history (which they fabricate) unless you pay them. The lockup of data I hadn't heard of, though.

If he's in a real pinch, and using a CPU to brute-force AES winds up taking too long it may benefit to either find someone with a newer nVidia video card or buy one. A GPU, in this case a nVidia card running CUDA, can do this much much faster which is why many people use them to make bitcoins (or decrypt md5s and whatnot).
Hey Faust,

I actually found an nvidia card that supports CUDA. I downloaded the CUDA version and am running that now. Much much faster than the 1 CPU core!
Humboldt
Posts: 28212
Joined: Wed Oct 04, 2000 12:00 am
Location: Northern CA

Post by Humboldt »

Any chance Malwarebytes might help?

http://www.2-viruses.com/remove-accdfis ... ransomware
ACCDFISA Protection Program special removal instructions

1. If you are stuck in a screen asking for a Control Code, try entering 753491980167921.

2. To recover your internet access, go to your network and sharing center, press on your network, properties, Internet Protocol version 4. You will need to enter correct information of your network adapter. A good guess is using automated settings (obtain an IP address automatically). Contact your ISP for details.

3. Run:

net stop netprofms
net stop WdiServiceSysHost
sc delete netprofms
sc delete WdiServiceSysHost
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v svchost /f

Reboot afterwards.

4. C:\Windows\system\wcmtstcsys.sss or C:\Windows\SysWOW64\wcmtstcsys.sss will contain all the files that have been "encrypted" by ACCDFISA Protection Program. These encrypted files are in fact RAR archives, encrypted with password 1a2vn57b348741t92451sst0a391ba72. So encrypted document.com has become document.doc.aes. Download the WinRAR program and decrypt them all.
5. Scan your PC with Microsoft's Malicious Software Removal Tool, Malwarebytes Anti-Malware, Spyware Doctor and your regular antivirus. ACCDFISA Protection Program might be the result of a keylogger attack. It is extremely important to change passwords after this infection.
http://www.helpinminutes.com/accdfisa-p ... ompletely/
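A triage check for step 4 of the quoted guide, added here and not part of that guide or of this thread: it confirms by file signature that a renamed .aes file really is a RAR archive and, for RAR 4.x, whether the archive headers themselves are encrypted (in which case even the file names stay hidden until the password is supplied). The directory path, the .aes suffix and the sample headers are assumptions taken from the text or constructed for the demo.

```python
import os

# RAR marker blocks: 7 bytes for RAR 1.5-4.x archives, 8 bytes for RAR 5.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
# RAR 4.x main-header flag: archive headers (including file names) are encrypted.
MHD_PASSWORD = 0x0080


def classify_rar(data: bytes) -> dict:
    """Report whether `data` begins like a RAR archive and, for RAR 4.x,
    whether its headers are encrypted (names hidden until the password is known)."""
    if data.startswith(RAR5_MAGIC):
        return {"format": "rar5", "headers_encrypted": None}
    if data.startswith(RAR4_MAGIC):
        # Main header follows the marker: CRC16 (2), type 0x73 (1), flags (2 LE), size (2 LE).
        hdr = data[7:14]
        if len(hdr) < 7 or hdr[2] != 0x73:
            return {"format": "rar4", "headers_encrypted": None}
        flags = int.from_bytes(hdr[3:5], "little")
        return {"format": "rar4", "headers_encrypted": bool(flags & MHD_PASSWORD)}
    return {"format": "unknown", "headers_encrypted": None}


def triage_dir(path: str, suffix: str = ".aes") -> dict:
    """Map every `suffix` file under `path` to its classify_rar() result,
    reading only the first 16 bytes of each (safe on a drive slaved read-only)."""
    report = {}
    for name in sorted(os.listdir(path)):
        if name.lower().endswith(suffix):
            with open(os.path.join(path, name), "rb") as fh:
                report[name] = classify_rar(fh.read(16))
    return report


# Constructed sample headers (not from a real infection): a RAR 4.x archive with
# plain headers, one with encrypted headers, and a ZIP-based Office file for contrast.
SAMPLE_RAR4_PLAIN = RAR4_MAGIC + b"\x00\x00\x73" + (0x0000).to_bytes(2, "little") + b"\x0d\x00"
SAMPLE_RAR4_ENCHDR = RAR4_MAGIC + b"\x00\x00\x73" + (0x0080).to_bytes(2, "little") + b"\x0d\x00"
SAMPLE_DOCX = b"PK\x03\x04" + b"\x00" * 12

if __name__ == "__main__":
    for label, blob in [("plain", SAMPLE_RAR4_PLAIN), ("enc-hdr", SAMPLE_RAR4_ENCHDR), ("docx", SAMPLE_DOCX)]:
        print(label, classify_rar(blob))
```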
morbidpete
Posts: 7283
Joined: Sat Mar 30, 2002 12:00 pm
Location: W. Warwick RI

Post by morbidpete »

Thanks for the link Humboldt,
"In fact, it archives all the documents into archives with a password and runs malicious processes that delete files upon decryption attempt."
That part is scary. The drive will have to be slaved to a safe PC off the network, or use a PE disk to access it.
morbidpete
Posts: 7283
Joined: Sat Mar 30, 2002 12:00 pm
Location: W. Warwick RI

Post by morbidpete »

Some more reading on this. I'm not sure how successful this will be; it looks like they are double rar'd.
Sample of first password: s#u_1kEWt=dGo4qLf*vkEDPdOvkvTSVHu_1rWnd2ah=TSd&(Tu
Sample of second password: Fww*wrFwVFwwL$wqr*FwwL$wqr*
A thread on this virus, and I guess someone who claims to be the author even posted how it all works:

http://www.bleepingcomputer.com/forums/topic449398.html post #7
RaisinCain
Posts: 1941
Joined: Fri Jun 05, 2009 7:11 pm

Post by RaisinCain »

The files are still there (from my experience), just need to enable the Show Hidden Files option in the Folder Options setting. I have had, however, a few instances where a complete reload of the OS, etc. is needed. Slaving the HDD is another option I have utilized but not everything gets detected or removed and then there is the BSOD crap involved.
morbidpete
Posts: 7283
Joined: Sat Mar 30, 2002 12:00 pm
Location: W. Warwick RI

Post by morbidpete »

RaisinCain wrote:The files are still there (from my experience), just need to enable the Show Hidden Files option in the Folder Options setting. I have had, however, a few instances where a complete reload of the OS, etc. is needed. Slaving the HDD is another option I have utilized but not everything gets detected or removed and then there is the BSOD crap involved.
I don't know about the files still being there. I have been reading the complete thread on this, and users are reporting files are gone and any folders that give any hint of a backup are also deleted. Most users who recovered had offsite backups and had to restore bare metal. A few users had MSPs and reported alerts of backup and AV software being manually removed. So there must be some type of remote connection being established to get this on the system: TV, VNC, RDP.

@Ken, looks like your friend's/client's only option might be to start over, lock down everything including ports to the bare minimum needed, beef up any admin password and get some type of intrusion appliance (I use Untangle). The passwords needed to unlock the rars are 50 characters including special characters; it has been a few hours and my GPU is only on the 5 character part of the brute force.

This is why I stress over and over to my clients: backups and offsite backups!
YeOldeStonecat
SG VIP
Posts: 51171
Joined: Mon Jan 15, 2001 12:00 pm
Location: Somewhere along the shoreline in New England

Post by YeOldeStonecat »

This stinks bro...just caught up on that bugger....doesn't look good.
MORNING WOOD Lumber Company
Guinness for Strength!!!
Mad_Haggis
Senior Member
Posts: 4128
Joined: Sun Mar 07, 2004 12:00 pm

Post by Mad_Haggis »

YeOldeStonecat wrote:This stinks bro...just caught up on that bugger....doesn't look good.
Wow, hope I don't get it. I'll keep looking to see if WinRAR has a fix, nothing yet. Saw your post at Technibble YOSC. Cool.
BEER
Mad_Haggis
Senior Member
Posts: 4128
Joined: Sun Mar 07, 2004 12:00 pm

Post by Mad_Haggis »

I found this video, might help, different malware

http://www.youtube.com/watch?v=_IpMTvsSBIk

Cool vid.
BEER
Ken
Posts: 12191
Joined: Wed Dec 31, 1969 7:00 pm
Location: Tampa

Post by Ken »

Hey Guys,
I first want to thank everyone for giving it some thought. My friend has a sign business and apparently had his backups split over 2 servers, and 1 was hosed by this crap. Don't ask me why as I have no clue...

His wife just emailed me and said that he is going crazy this morning as he has no safe mode, no networking and very limited to what he can get from a half boot, for lack of a better way of explaining it...

I asked him to try and copy the data files to a disk so we can upload to his wife's company's ftp (hers is a printing shop, totally different physical location, etc.) so I can get a copy and, if some peeps are interested, give cracking them a try.

I went by her shop yesterday and disabled remote desktop on hers. He can worry about having remote access to hers after he gets through his crisis and changes RDP ports.

My time is very limited at the moment as I am heading to my heart doctor in a few to get clearance for surgery next week. If any of you guys want to give cracking them a try, let me know and I will load them on an ftp,...if he can get a copy...

Pete, that thread is quite interesting. He has tried everything that he has seen and nothing is working on the newest version...

Thanks again everyone! :)
Humboldt
Posts: 28212
Joined: Wed Oct 04, 2000 12:00 am
Location: Northern CA

Post by Humboldt »

Best of all possible wishes with that Ken, I hope everything goes as smoothly as possible during your stay in the hospital.
minir
Posts: 27941
Joined: Sat Aug 19, 2000 12:00 am
Location: Canada

Post by minir »

Hi Ken

Quote
"My time is very limited at the moment as I am heading to my heart doctor in a few to get clearance for surgery next week."

Sorry to hear of your troubles Ken. Hope all goes well and you mend well & quickly. :thumb:

Prayers in the air.

---

Good Luck

Larry
morbidpete
Posts: 7283
Joined: Sat Mar 30, 2002 12:00 pm
Location: W. Warwick RI

Post by morbidpete »

Ken wrote:Hey Guys,
I first want to thank everyone for giving it some thoughts. My friend has a sign business and apparently had his back ups split over 2 servers and 1 was hosed by this crap. Don't ask me why as I have no clue...

His wife just emailed me and said that he is going crazy this morning as he has no safe mode, no networking and very limited to what he can get from a half boot, for lack of a better way of explaining it...

I asked him to try and copy the data files to a disk so we can upload to his wifes' company's ftp (hers is a printing shop, totally different physical location, etc.) so I can get a copy and if some peeps are interested, give cracking them a try.

I went by her shop yesterday and disabled remote desktop on hers. He can worry about having remote access to hers after he gets through his crisis and changes RDP ports.

My time is very limited at the moment as I am heading to my heart doctor in a few to get clearance for surgery next week. If any of you guys want to give cracking them a try, let me know and I will load them on an ftp,...if he can get a copy...

Pete, that thread is quite interesting. He has tried everything that he has seen and nothing is working on the newest version...

Thanks again eveyone! :)
Hey Ken,
Hope your check-up goes well and you can have your procedure done asap. I am more than willing to take one of the files and have it crunch away. The PC I was using for the cracking is on 24/7 anyway and rarely used, so it can't hurt to have it do something useful.
Ken
Posts: 12191
Joined: Wed Dec 31, 1969 7:00 pm
Location: Tampa

Post by Ken »

Update
There may be hope!
Apparently he has a back up on a Seagate NAS drive, which is based on Linux EXT 3. So, with it being Linux, I just got off of the phone with Philip who is calling Andy now and hopefully Philip will be able to get Windows to recognize his data... Thanks P!!!!!!!!!!!!!!!!

Thanks to all who tried to help and for the well wishes! :)
Ken
morbidpete
Posts: 7283
Joined: Sat Mar 30, 2002 12:00 pm
Location: W. Warwick RI

Post by morbidpete »

Awesome! If it's a NAS, you should be able to access the data via SMB or NFS; the file system shouldn't matter on a NAS.
RaisinCain
Posts: 1941
Joined: Fri Jun 05, 2009 7:11 pm

Post by RaisinCain »

Just dealt with a customer that was infected with this. I booted into Safe Mode and ran Process Explorer. Killed the running process and deleted the offending files using CCleaner. Rebooted again into Safe Mode and ran ComboFix. I then installed MSE and scanned, which removed a bunch of crap. I then ran UnHide and everything is back to normal.
Philip
SG VIP
Posts: 11721
Joined: Sat May 08, 1999 5:00 am
Location: Jacksonville, Florida

Post by Philip »

The backup is on some Seagate NAS with a blown 12V power supply and a 1TB drive... The drive itself is out of the NAS; it will be put on a Linux box to transfer the files. Alternatively, he'll swap the power supply on the NAS.
YeOldeStonecat
SG VIP
Posts: 51171
Joined: Mon Jan 15, 2001 12:00 pm
Location: Somewhere along the shoreline in New England

Post by YeOldeStonecat »

Ken and Philip..(and others)...some more info on this malware...including how it attacks, and what it does.
http://blog.emsisoft.com/2012/04/11/the ... s-servers/
MORNING WOOD Lumber Company
Guinness for Strength!!!
RaisinCain
Posts: 1941
Joined: Fri Jun 05, 2009 7:11 pm

Post by RaisinCain »

I firmly believe that having Acrobat, Flash and Java up to date is critical in avoiding this type of infection (as well as the obvious).
morbidpete
Posts: 7283
Joined: Sat Mar 30, 2002 12:00 pm
Location: W. Warwick RI

Post by morbidpete »

YeOldeStonecat wrote:Ken and Philip..(and others)...some more info on this malware...including how it attacks, and what it does.
http://blog.emsisoft.com/2012/04/11/the ... s-servers/
Thanks for the info Cat. After reading on BC that he uses RDP, I immediately disabled it on my clients. I use TV anyway, so no need to have it enabled.
YeOldeStonecat
SG VIP
Posts: 51171
Joined: Mon Jan 15, 2001 12:00 pm
Location: Somewhere along the shoreline in New England

Post by YeOldeStonecat »

RaisinCain wrote:I firmly believe that having Acrobat, Flash and Java up to date is critical in avoiding this type of infection (as well as the obvious).
Usually never installed on a server in the first place. This "problem" doesn't happen to a server because the end user is surfing the 'net...it's a direct attack against the server via port 3389 tcp.
The guy is hacking into systems using the DUBrute tool against remote desktop...selecting common user names (Admin, Administrator, Root, Sales, Support, Scanner, Test1, Test2...basically a list of 25 or so very common user names that will be in AD (active directory users))...and then grinding against them with dictionary and smart-guess passwords. Eventually getting into systems where the "guessed" usernames are present, and the passwords are simple and able to be overcome by the DUBrute tool.
MORNING WOOD Lumber Company
Guinness for Strength!!!
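From the defender's side of the post above, an added example that is not from this thread or any of the tools it names: it runs brute-force detection over a handful of constructed Windows Security event 4625 (failed logon) records, flagging a source that racks up RDP failures against the common account names the post lists. The flattened log format, the 5-minute window and the threshold of 5 are assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Account names the post says the tool grinds against over RDP.
COMMON_NAMES = {"admin", "administrator", "root", "sales", "support", "scanner", "test1", "test2"}

# Constructed sample of event 4625 records flattened to time|TargetUserName|IpAddress|LogonType.
# LogonType 10 is RemoteInteractive, i.e. RDP. Not real log data.
SAMPLE_4625 = """\
2012-04-10 02:13:05|Administrator|203.0.113.7|10
2012-04-10 02:13:06|Admin|203.0.113.7|10
2012-04-10 02:13:07|Root|203.0.113.7|10
2012-04-10 02:13:08|Sales|203.0.113.7|10
2012-04-10 02:13:09|Support|203.0.113.7|10
2012-04-10 02:13:10|Scanner|203.0.113.7|10
2012-04-10 02:14:00|jsmith|192.0.2.44|10
2012-04-10 09:30:00|jsmith|192.0.2.44|2
"""


def parse_events(text):
    """Parse the flattened records into (timestamp, user, source_ip, logon_type)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, ip, ltype = line.split("|")
            events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, ip, int(ltype)))
    return events


def detect_rdp_bruteforce(events, window=timedelta(minutes=5), threshold=5):
    """Flag source IPs with >= threshold RDP logon failures inside any `window`,
    reporting the densest window and which guessed names are on the common list."""
    by_ip = defaultdict(list)
    for ts, user, ip, ltype in events:
        if ltype == 10:  # only RemoteInteractive (RDP) failures count
            by_ip[ip].append((ts, user))
    alerts = {}
    for ip, items in by_ip.items():
        items.sort()
        best, start = None, 0
        for end in range(len(items)):  # sliding window over sorted timestamps
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 >= threshold and (best is None or end - start > best[1] - best[0]):
                best = (start, end)
        if best:
            users = {u.lower() for _, u in items[best[0]:best[1] + 1]}
            alerts[ip] = {"failures": best[1] - best[0] + 1,
                          "distinct_users": len(users),
                          "common_name_hits": sorted(users & COMMON_NAMES)}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(parse_events(SAMPLE_4625)).items():
        print(ip, info)
```

A legitimate user mistyping a password once (the 192.0.2.44 lines) never trips the threshold, while six different common names from one source in five seconds does.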
YeOldeStonecat
SG VIP
Posts: 51171
Joined: Mon Jan 15, 2001 12:00 pm
Location: Somewhere along the shoreline in New England

Post by YeOldeStonecat »

RaisinCain wrote:Just dealt with a customer that was infected with this. I booted into Safe Mode and ran Process Explorer. Killed the running process and deleted the offending files using CCleaner. Rebooted again into Safe Mode and ran ComboFix. I then installed MSE and scanned- removed a bunch of crap. I then ran UnHide and everything is back to normal.
Then it was not //this// particular ransomware that you were dealing with....please read (and importantly...understand) this particular exact topic. The files are not RASHED...they are all packaged in an encrypted file, and the originals are completely and utterly erased. Combofix and typical geek squad malware removal tools are BB guns on an elephant hunt for this particular subject.
MORNING WOOD Lumber Company
Guinness for Strength!!!
RaisinCain
Posts: 1941
Joined: Fri Jun 05, 2009 7:11 pm

Post by RaisinCain »

YeOldeStonecat wrote:Then it was not //this// particular ransomware that you were dealing with....please read (and importantly...understand) this particular exact topic. The files are not RASHED...they are all packaged in an encrypted file, and the originals are completely and utterly erased. Combofix and typical geek squad malware removal tools are BB'guns on an elephant hunt for this particular subject.
My bad. Yes, I have run into this one and have had no success in dealing with it on a personal basis (please don't compare me to GS).