Scareware From Ireland



                 Mark Hillick

   IrissCert Incident Handler




        http://www.iriss.ie
       mark.hillick@iriss.ie


   Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS   1
What is Scareware?




Irish Scareware Exploit

Browse to Irish website & collect your fake anti-virus




Dialog-box fun…..




Dialog-box fun cont…..




System Scan




Trojan Log file




Money, money please!




Are you sure?




Are you mad????




BSOD




Effect on the end-user….




Exploit

 Exploited Sites hosted on one server
   Microsoft FTPd & IIS 6.0


Two most popular web site attacks –

   Gumblar
     PHP Sites


   Asprox
     SQL Injection

Pass the Parcel

http://compromisedsite.ie

   http://jobstopfil.biz

      http://poppka.net

         http://sujetline.ru

            http://grownclubfest.ru


 PDF & SWF files served back
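Reconstructing the hop-by-hop chain shown on this slide from proxy logs, as an added example that is not from the original deck or from IRISS: the script groups each client's requests into short sessions, lists the hosts visited in order, and flags sessions that end with a PDF or SWF download. The log lines are constructed for this example (the Squid-like field layout, timestamps, client addresses and paths are assumptions); only the hostnames come from the slide.

```python
"""Reconstruct redirect chains from proxy log lines and flag the ones that
end in a PDF or SWF payload, the pattern on the 'Pass the Parcel' slide.

Constructed sample data: the log lines below are made up for this example.
The hostnames are the ones named on the slide; the field layout, timestamps,
client addresses and paths are invented."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed log lines: "timestamp client cache/status bytes method url content-type"
SAMPLE_LOG = """\
1250000001.100 10.0.0.5 TCP_MISS/200 1834 GET http://compromisedsite.ie/index.php text/html
1250000001.400 10.0.0.5 TCP_MISS/200 912 GET http://jobstopfil.biz/in.php text/javascript
1250000001.900 10.0.0.5 TCP_MISS/302 0 GET http://poppka.net/go.php -
1250000002.300 10.0.0.5 TCP_MISS/200 655 GET http://sujetline.ru/ld.php text/html
1250000002.800 10.0.0.5 TCP_MISS/200 41230 GET http://grownclubfest.ru/p.php application/pdf
1250000003.000 10.0.0.5 TCP_MISS/200 30110 GET http://grownclubfest.ru/s.php application/x-shockwave-flash
1250000010.000 10.0.0.9 TCP_MISS/200 5120 GET http://www.example.ie/news.html text/html
1250000010.500 10.0.0.9 TCP_MISS/200 2201 GET http://www.example.ie/style.css text/css
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<client>\S+)\s+\S+/(?P<status>\d{3})\s+\d+\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<ctype>\S+)$"
)
# Content types the slide reports being "served back" at the end of the chain.
PAYLOAD_TYPES = {"application/pdf", "application/x-shockwave-flash"}
# A gap longer than this between two requests starts a new session (assumption).
WINDOW_SECONDS = 5.0


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["ts"] = float(entry["ts"])
        entry["host"] = urlparse(entry["url"]).hostname or ""
        entries.append(entry)
    return entries


def sessions_by_client(entries):
    """Yield (client, requests) tuples, splitting a client's requests wherever
    two consecutive requests are more than WINDOW_SECONDS apart."""
    per_client = defaultdict(list)
    for entry in sorted(entries, key=lambda e: e["ts"]):
        per_client[entry["client"]].append(entry)
    for client, reqs in per_client.items():
        session = [reqs[0]]
        for prev, cur in zip(reqs, reqs[1:]):
            if cur["ts"] - prev["ts"] > WINDOW_SECONDS:
                yield client, session
                session = []
            session.append(cur)
        yield client, session


def find_payload_chains(text, min_hosts=3):
    """Return one finding per session that hops through at least min_hosts
    distinct hosts and fetches a PDF or SWF somewhere along the way."""
    findings = []
    for client, session in sessions_by_client(parse_log(text)):
        hosts = []
        for entry in session:
            if not hosts or hosts[-1] != entry["host"]:  # collapse repeats
                hosts.append(entry["host"])
        payloads = [e["url"] for e in session if e["ctype"] in PAYLOAD_TYPES]
        if len(hosts) >= min_hosts and payloads:
            findings.append({"client": client, "chain": hosts, "payloads": payloads})
    return findings


if __name__ == "__main__":
    for finding in find_payload_chains(SAMPLE_LOG):
        print(finding["client"], " -> ".join(finding["chain"]))
        for url in finding["payloads"]:
            print("    payload:", url)
```

The session window and the three-host threshold are tuning knobs: a legitimate page that pulls a CDN script and an ad server also hops across hosts, so the payload content type is what carries the signal here, and the chain is reported alongside it so the handler can see where the client was sent.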


Obfuscation

Engaged SANS ISC Malware Team

   Heavily obfuscated JavaScript

   Used techniques not seen before




Complex Design….




Tools Used

Tamper Data, Live HTTP Headers – Firefox

Burp Suite

Tcpdump, Wireshark & Netwitness

Dig/nslookup



Incident Handling - Containment




Source: http://www.tazworld.co.uk/gallery/pictures/www.tazworld.co.uk_taz_035.gif
© Warner Bros. Entertainment Inc.

Incident Handling - Eradication




Source -> http://www.alexross.com/CJ011.jpg © Warner Bros. Entertainment Inc

Incident Handling - Recovery




   Dilbert ©2009, United Feature Syndicate, Inc.

Incident Handling - Lessons Learned

Patch web-server & application
   Input validation


Close unnecessary open ports (e.g. FTP)

Password Policy

Regular back-ups

Web-app security testing
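The "Asprox / SQL Injection" point on the Exploit slide and the "Input validation" lesson above describe the same defect and its fix. The following is an added example, not code from the deck or from the compromised site: a lookup that builds its SQL by string concatenation sits beside the parameterized version, both run against a constructed in-memory SQLite table, with a digits-only validator for numeric ids in front of the query. The table, rows, function names and the probe string are all assumptions.

```python
"""Vulnerable string-built SQL beside its parameterized replacement, run
against an in-memory SQLite table. Constructed example for this page: the
table, rows, function names and probe input are invented."""
import sqlite3


def make_db():
    """Build a constructed news table with one public and one unpublished row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO news (title, body, published) VALUES (?, ?, ?)",
        [("Public story", "visible to everyone", 1),
         ("Draft story", "should never be returned", 0)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, title):
    """The defect: user input is pasted into the SQL text, so it can change
    the WHERE clause instead of being compared as a value."""
    sql = ("SELECT title FROM news WHERE published = 1 AND title = '"
           + title + "'")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, title):
    """The fix: the driver binds the input as a value; it is only ever
    compared against the title column and never parsed as SQL."""
    sql = "SELECT title FROM news WHERE published = 1 AND title = ?"
    return [row[0] for row in conn.execute(sql, (title,))]


def parse_article_id(raw):
    """Input validation for a numeric id: accept only a string of decimal
    digits and reject anything else before it reaches a query."""
    if not raw.isdigit():
        raise ValueError("article id must be a string of digits")
    return int(raw)


def lookup_by_id(conn, raw_id):
    """Validation plus a bound parameter, the two layers the slide lists."""
    article_id = parse_article_id(raw_id)
    rows = conn.execute(
        "SELECT title FROM news WHERE published = 1 AND id = ?", (article_id,)
    ).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    # Constructed probe: closes the quoted string and appends an always-true clause,
    # so the vulnerable query's filter on published = 1 no longer applies.
    probe = "x' OR '1'='1"
    print("vulnerable     :", lookup_vulnerable(db, probe))
    print("parameterized  :", lookup_parameterized(db, probe))
    print("validated by id:", lookup_by_id(db, "1"))
```

The point worth noticing is that the parameterized query needs no knowledge of what a hostile string looks like: the input is never part of the SQL text, so the `published = 1` condition holds regardless of what the caller sends. Validation is the second layer, not a substitute for the first.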
Securing the Desktop

End-User Defence



Rescue CDs
   Google -> “rescue site:raymond.cc”



Free Tools
   http://zeltser.com/fighting-malicious-software/


Next Steps & Extra Info

SANS GCIH Gold Paper
       Scareware & its evolution
       Incident Handling Process


   Full Incident Report
       http://www.iriss.ie – in shared documents
       http://www.hillick.net/things/scareware.doc




References

 Sunbelt Blog

 Dancho Danchev Blog

 SANS ISC (Thanks to @bojanz)

 VRT-Sourcefire Blog

 Symantec White Papers

 SANS Forensics Blog

That's it.....




                   Hat Tip for image - Jesse M. Heines -
                   http://teaching.cs.uml.edu/~heines/images/questions.gif




