Re: Anti porn child spam protection 2.0 - ransomware - ACCDFISA

Hi, I'm Diego.


I also have a client infected with this virus. On Tuesday afternoon I sent the necessary files to the ESET laboratory and am waiting for a reply. They may take 3-4 days to respond.

When I have the solution, I will share it.


Re: Anti porn child spam protection 2.0 - ransomware - ACCDFISA

Thanks Diego, we will be waiting eagerly. Good luck

Edit:

Dr. Web says:

"We cannot decrypt enciphered files due to modification of the algorithm in the trojan"

F****** great

Message was edited by: soporte-arsenet on 27/06/13 7:38:42 CDT

Reliable Contributor Hayton

Re: Anti porn child spam protection 2.0 - ransomware - ACCDFISA

soporte-arsenet wrote:

Dr. Web says:

"We cannot decrypt enciphered files due to modification of the algorithm in the trojan"

I thought this might happen. The person who wrote this malware - or rather, the person who is now running the extortion operation - has been monitoring the main discussions on forums like BleepingComputer and nFocus Technologies. He was actually posting on one of the BleepingComputer threads, taunting the users seeking help, until they banned him. He's still reading the posts, though, and as soon as a possible way to unlock the files is discussed and attempted he modifies the code to remove any weaknesses.

In this case either Dr Web are saying that version 2 of this program is, as the author claims, unbreakable, or the author has made a further change to the encryption algorithm - probably for the second password although, as he says, knowing the second password is not by itself enough.

I don't know if the underlying process is exactly the same as in version 1 - the implication is that the changes have been to the method used to generate the passwords - but this is the summary provided by Wang Xiu Ying in Post #70 of the main BleepingComputer thread, just over one year ago. It is instructive to read the whole thread, if you have time.

http://www.bleepingcomputer.com/forums/t/449398/new-ransomware-called-anti-child-porn-spam-protectio...

Password generation changed again as well. Similar to variant 3, two different passwords are used to encrypt the files on the system. To generate the first password the crypto malware will generate a 50 character long random string. The string is then saved to fvd31234.txt as well as udsjaqsksw.dlls. The random string is then prefixed with a static string to create the first password. As usual the fvd31234.txt file is copied by the attacker to his system and then securely deleted using the fvd31234.bat script. On the next boot the service will securely delete “udsjaqsksw.dlls” as well if still present and fall back to a second password generation algorithm. The second algorithm will calculate the second password based on the boot drive’s volume id, similar to variant 2. While it is possible to generate the second password with ease, it is almost impossible to recover the first password due to the random nature and secure deletion.

So I think there is no way to unlock the files.

And here is one of the best descriptions I have seen of the development of this ransomware. It has not yet been updated to take account of the "Version 2.0" variant.

http://blog.emsisoft.com/2012/04/11/the-accdfisa-malware-family-ransomware-targetting-windows-server...

Re: Anti porn child spam protection 2.0 - ransomware - ACCDFISA

Hi, in another mail, Dr.Web says:

We are able to decrypt enciphered files in case you have any of these two files:

<file names redacted - see post below>

If anyone needs to know what these files are, please send me a PM - Hayton


If these files do not exist, unfortunately, we cannot retrieve the password

In my case, I don't have those files....

Message was edited by: Hayton on 27/06/13 15:18:04 IST
Reliable Contributor exbrit

Re: Anti porn child spam protection 2.0 - ransomware - ACCDFISA

Are you sure? Have you enabled viewing hidden files and folders and system files in Folder Options > View?

Reliable Contributor Hayton

Re: Anti porn child spam protection 2.0 - ransomware - ACCDFISA

soporte-arsenet wrote:

Hi, in another mail, Dr.Web says:

We are able to decrypt enciphered files in case you have any of these two files:

<redacted>

If these files do not exist, unfortunately, we cannot retrieve the password

In my case, I don't have those files....

http://www.bleepingcomputer.com/forums/t/449398/new-ransomware-called-anti-child-porn-spam-protectio...

From Post #206:

Just send any encrypted file to Dr Web initially, they will respond by asking you for some more files and information from the infected hard drive.

BTW, I advise people not to post any specific information publicly about Dr Web's methods or the files required; we don't want to help any malware authors see how their password is being recovered.

Message was edited by: Hayton on 27/06/13 15:15:12 IST

Re: Anti porn child spam protection 2.0 - ransomware - ACCDFISA

ESET mail (originally in Spanish). Currently it is not possible to recover the files.

Good afternoon,

The reason for this email is to let you know that we have received a reply from our laboratories regarding Anti-child Porn Spam Protection.

After analysing all the samples sent by all affected users and the logs provided after running the decryption program, our laboratories have confirmed that it is impossible to decrypt the affected files due to the improvement of the encryption algorithm used, so it is NOT possible to find the key to decrypt the files affected by the attack.
Only in a few cases has it been possible to recover emails and other kinds of documents, but never databases or backups affected by this infection.

We deeply regret not having been able to find a solution to this encryption and not having been able to help you recover the affected files. Both ESET's laboratories and the technical department of ESET Spain will continue investigating and working so that network administrators and our customers are aware of the risks they are exposed to, on servers as well as on client machines, and try to increase the security of their systems by applying whatever security policies are necessary.

The encryption used in these cases was 128-bit AES. Regarding this type of encryption, we can tell you that breaking the key by brute force is absolutely unfeasible.
On the other hand, it is important to point out that this ransomware has been fully detected and removed by ESET security products since 2012.

In these cases, the infection of the system was possible because the antivirus product, whichever it was, had been uninstalled/disabled before the infection by exploiting the following vulnerability, and also because of the use of weak passwords on accounts with access to the servers. For this reason, maintenance and hardening of critical servers must be carried out continuously to avoid these undesirable situations, following the advice we give at the end of this text and bearing in mind that the antivirus must not be the only method of protection for these systems.


To avoid future attacks of this type, the technical department of ESET NOD32 in Spain advises taking the following actions:

- Change the default port used by Terminal Server (3389) to another one that is not in use.

- Apply the available Microsoft patches for Windows Server 2003 and later, above all those affecting Remote Desktop.
http://technet.microsoft.com/es-es/security/bulletin/ms13-029

- Check the various accounts with access to the system and remove or disable those that are not needed, above all those with Remote Desktop access.

- Change the access passwords. It is essential to use strong passwords (numbers, upper-case letters and symbols are advisable, plus a minimum length of 12 characters) so as to make it as hard as possible for a brute-force attack to break your security.

- Keep at least two backups at the same time, with at least one of them stored in a different location from the other.

- Occasionally restore the backups onto the system or a replicated system, to check that these copies are being made correctly in case they are needed later.

- Password-protect the uninstallation of ESET products, on both client machines and servers. http://kb.eset.com/esetkb/index?page=content&id=SOLN2133&viewlocale=es_ES

Reliable Contributor Hayton

Re: Anti porn child spam protection 2.0 - ransomware - ACCDFISA

English translation of the communication from Dr Web:

Good afternoon,

The reason for this email is to let you know that we have received a reply from our laboratories regarding Anti-child Porn Spam Protection.

After analysing all the samples submitted by all affected users and the logs provided after running the decryption program, our laboratories have confirmed that they are unable to decrypt the affected files due to the improved encryption algorithm used, so it is NOT possible to find the key to decrypt the files affected by the attack.

Only in a few cases has it been possible to recover emails and other documents, but never databases or backups affected by this infection.

We deeply regret not being able to find a solution to this encryption and not being able to help you restore the affected files. Both ESET's labs and the technical department of ESET Spain will keep researching and working so that network administrators and customers are aware of the risks they are exposed to, on servers as well as on client computers, and try to increase the security of their systems by applying security policies as needed.

The encryption used in these cases was 128-bit AES. Regarding this type of encryption, we can tell you that breaking the key by brute force is absolutely unfeasible.

Moreover, it is important to note that this ransomware has been fully detected and removed by ESET security products since 2012.

In these cases, infection of the system was possible because the antivirus product, whatever it was, had been removed or deactivated prior to the infection by exploiting the following vulnerabilities, and also because of the use of weak passwords on user accounts with access to the servers. Therefore, maintenance and hardening of critical servers must be performed continuously to avoid these undesirable situations, following the advice shown at the end of this text and taking into account that the antivirus should not be the only method of protection for these systems.

To prevent future attacks of this type, the technical department of ESET NOD32 in Spain suggests the following actions:

  • Change the default port used by Terminal Server (3389) to one that is not being used.
  • Apply the available Microsoft patches for Windows Server 2003 and above, especially those involving Remote Desktop.

          http://technet.microsoft.com/es-es/security/bulletin/ms13-029

  • Inspect the system access accounts and delete or disable those that are not necessary, especially those with Remote Desktop access.
  • Change passwords. It is essential to use strong passwords (we recommend using numbers, upper-case letters and symbols, and a minimum length of 12 characters) to make it as difficult as possible for a brute-force attack to break your security.
  • Have at least two backups at a time, with at least one of them housed in a different location from the other.
  • Occasionally restore the backups onto the system or a replicated system, to check that these copies are made correctly in case they are needed later.
  • Password-protect the uninstallation of ESET products, on both client computers and servers. http://kb.eset.com/esetkb/index?page=content&id=SOLN2133&viewlocale=es_ES

Message was edited by: Hayton on 02/07/13 20:29:43 IST

Message was edited by: Hayton on 05/07/13 13:39:01 IST
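Added here as a worked example, not code from the thread or from ESET: a PowerShell audit that checks the port, patch, account and password-length items on that list. It assumes an elevated prompt on the Windows server itself; the KB number is a labelled placeholder to fill in from the bulletin.

```powershell
# Added audit script (not from the thread): checks the hardening items ESET listed.
# Assumes an elevated PowerShell session on the Windows server being checked.

# 1. Terminal Server listening port (ESET: move it off the default 3389)
$rdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdpPort = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
if ($rdpPort -eq 3389) { Write-Warning 'RDP still listens on the default port 3389' }
else                   { Write-Output  "RDP port: $rdpPort" }

# 2. Is the Remote Desktop patch installed? Placeholder: replace with the KB
#    article that MS13-029 maps to for this OS (see the bulletin link above).
$rdpPatchKb = 'KB<placeholder>'
if (Get-HotFix -Id $rdpPatchKb -ErrorAction SilentlyContinue) {
    Write-Output "$rdpPatchKb is installed"
} else {
    Write-Warning "$rdpPatchKb not found: check Windows Update for the MS13-029 fix"
}

# 3. Accounts: every enabled local account, then who may log on via RDP
Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True AND Disabled=False' |
    Select-Object Name, PasswordRequired, PasswordExpires, Lockout |
    Format-Table -AutoSize
Write-Output '--- Members of Remote Desktop Users ---'
net localgroup 'Remote Desktop Users'
Write-Output '--- Members of Administrators (they also get RDP access) ---'
net localgroup Administrators

# 4. Password policy: ESET recommends a minimum length of 12 characters
$accounts = net accounts
$minLen = ($accounts | Select-String 'Minimum password length').ToString() -replace '\D', ''
if ([int]$minLen -lt 12) { Write-Warning "Minimum password length is $minLen (recommended: 12+)" }
else                     { Write-Output  "Minimum password length: $minLen" }

# 5. Lockout threshold: brute force against RDP logons is the entry vector ESET describes
Write-Output (($accounts | Select-String 'Lockout threshold').ToString())
```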
Reliable Contributor Hayton

Re: Anti porn child spam protection 2.0 - ransomware - ACCDFISA

using rar AES archives with very strong password and this is unreal to crack. If you don't believe read forums about rar - there are only one way to crack it - use bruteforce, but this is only in theory, because to brute passwords like used by us it's need trillions years even if you will use all computers in the World.

The encryption used in these cases was 128-bit AES.  Regarding this type of encryption you can indicate that breaking the key by brute force is absolutely unfeasible.

http://www.computerworld.com/s/article/9240475/With_BlackBerry_reportedly_hacked_is_anything_secure:

Low-cost GPUs (graphical processor units) that are being configured into massively parallel systems are far better at code-breaking than traditional CPUs. When the encryption algorithms were originally created, people reported it would take tens or hundreds of years in brute-force computing power to break them. But they never envisioned the relatively cheap, massively parallel systems available today using hundreds or thousands of NVidia or AMD GPU cores. These parallel processing machines are really effective at finding patterns and hence decrypting data streams.

The biggest problem here is that the encryption is unique for each affected system. I see decryption codes published in various technical forums followed by disappointed posts saying someone else has tried to use them and they didn't work. Most of the infected servers, for some reason, seem to be in Spanish-speaking countries. At least, most of the forums where this is being discussed are in Spanish. One example is http://www.forospyware.com/t463442.html.

Since none of the anti-virus companies, nor indeed any of the security researchers, has yet claimed to be able to break the encryption algorithm used by this attacker, perhaps it's time to 'think out of the box'.

The only organisation I know of in the Western hemisphere (1) which has the people, the skills, and the resources to undertake the decryption of your data is the US National Security Agency, the NSA. Why not contact them and ask if they would be willing to do this as a Public Relations exercise? They might charge you for doing it, but if they could use this for publicity purposes they would gain a lot of brownie points - and if that doesn't translate too well into Spanish, let's say that they might consider it useful as a way of repairing their public image after certain recent disclosures. Of course they might only consider doing this for US companies .... or, considering their remit, for non-US companies.

It's only an idea, but it might just produce a good result. I might even ask them myself.

Here are some links to their website.

http://www.nsa.gov/about/index.shtml

http://www.nsa.gov/public_info/contacts/#public

(1) Okay, not quite the only one. GCHQ could do it, but wouldn't. The French might, but definitely would not. And the Russians almost certainly could. None of them though needs to repair their public image at the moment, whereas perhaps the NSA does.


Message was edited by: Hayton on 05/07/13 14:55:05 IST

Re: Anti porn child spam protection 2.0 - ransomware - ACCDFISA

Yes, I have searched meticulously, hidden files included.