
New threat targeting Windows servers


tezza

Recommended Posts

A few weeks ago our colleagues over at BleepingComputer approached us asking for help with a recent malware outbreak that specifically targets Windows servers. Several companies as well as individuals found their servers being locked by a malware that claims to originate from the “Anti Cyber Crime Department of Federal Internet Security Agency” or short “ACCDFISA”. Of course such an institution does not exist and even if it did, it surely wouldn’t ask the owner of the server to submit a certain dollar amount using PaySafeCard or MoneyPak codes. The affected servers fell prey to a new malware family that is currently on the loose.

The ACCDFISA malware family belongs to a malware category called “ransomware”. Ransomware is a special kind of malware that takes a system and its data hostage in an attempt to extort money from its owner in exchange for returning control back to him. What makes the ACCDFISA family special is the unorthodox way in which systems get infected as well as how various third party tools are used to accomplish the malware family’s goals.

How are systems infected?

Unlike most malware nowadays, ACCDFISA does not use drive-by or social engineering attacks to infect a system. It is instead installed manually by the attacker himself. The attacker targets Windows systems running the Remote Desktop or Terminal Services, which is usually the case for remotely maintained Windows servers. Based on traces found on some of the infected machines, the attacker is using a tool called “DUBrute” to find systems running either of the aforementioned services. The tool will then go ahead and launch a dictionary based brute force attack on those systems. Based on log files of infected systems it seems the following user accounts are attacked:

How can systems be protected from this kind of malware?

Due to the nature of the attack protection software is rather ineffective. If the attacker manages to get access to the system via remote control, he can simply disable any protection software installed or add the malware to the protection software’s exclusion list. It therefore is imperative to prevent the attacker from gaining access to the system to begin with.

The most important line of defense is a proper password policy that is enforced for all user accounts with remote access to the system. This does apply to rarely used accounts created for testing purposes or by applications as well.

Even better would be to disable Remote Desktop or Terminal Services completely if not required or at least to use IP address based restrictions to allow the access to these services from trusted networks only.

Full article and details

http://blog.emsisoft.com/2012/04/11/the-accdfisa-malware-family-ransomware-targetting-windows-servers/
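As an added example (not part of the forum post or the Emsisoft article), this PowerShell script applies the two mitigations the post recommends, an IP-based restriction on Remote Desktop and an enforced lockout policy, and then summarises failed RDP logons from the Security log so an administrator can see whether a dictionary attack is already under way. It assumes Windows Server 2012 or later (NetSecurity module), an elevated session, and the placeholder subnet 203.0.113.0/24 standing in for your real management network.

```powershell
#Requires -RunAsAdministrator
# Placeholder: replace with the network(s) your administrators connect from.
$TrustedNetworks = @('203.0.113.0/24')

# 1. Accept RDP (TCP 3389) only from trusted networks: disable the built-in
#    "from anywhere" rules and add a single scoped allow rule.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'RDP from trusted networks only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $TrustedNetworks -Action Allow -Profile Any | Out-Null

# 2. Lockout policy so a dictionary attack cannot run unbounded against a
#    weak password: 5 failures within 30 minutes lock the account for 30 minutes.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null

# 3. Review who is already knocking: failed logons (event 4625) with logon
#    type 10 (RemoteInteractive, i.e. RDP) grouped by source address and user.
function Get-FailedRdpLogons {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read fields by name from the event XML rather than by positional index.
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $get  = { param($n) ($data | Where-Object Name -eq $n).'#text' }
        if ((& $get 'LogonType') -eq '10') {
            [pscustomobject]@{
                Source = & $get 'IpAddress'
                User   = & $get 'TargetUserName'
            }
        }
    } | Group-Object Source, User | Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Source'; e = { $_.Group[0].Source } },
            @{ n = 'User';   e = { $_.Group[0].User } }
}

Get-FailedRdpLogons | Format-Table -AutoSize
```

Rarely used test or application accounts show up in the User column just like administrative ones, which is why the post stresses that the password policy must cover them too.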
