1. Scareware From Ireland
Mark Hillick
IrissCert Incident Handler
http://www.iriss.ie
mark.hillick@iriss.ie
Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 1
2. What is Scareware?
3. Irish Scareware Exploit
Browse to Irish website & collect your fake anti-virus
6. System Scan
7. Trojan Log file
9. Are you sure?
10. Are you mad????
11. BSOD
12. Effect on the end-user
13. Exploit
Exploited sites hosted on one server
Microsoft FTPd & IIS 6.0
Two most popular web site attacks –
Gumblar – PHP sites
Asprox – SQL injection
14. Pass the Parcel
http://compromisedsite.ie
http://jobstopfil.biz
http://poppka.net
http://sujetline.ru
http://grownclubfest.ru
PDF & SWF files served back
15. Obfuscation
Engaged SANS ISC Malware Team
Heavily obfuscated JavaScript
Used techniques not seen before
16. Complex Design….
17. Tools Used
Tamper Data, Live HTTP Headers – Firefox
Burp Suite
Tcpdump, Wireshark & Netwitness
Dig/nslookup
18. Incident Handling - Containment
Source: http://www.tazworld.co.uk/gallery/pictures/www.tazworld.co.uk_taz_035.gif
© Warner Bros. Entertainment Inc.
19. Incident Handling - Eradication
Source -> http://www.alexross.com/CJ011.jpg © Warner Bros. Entertainment Inc.
20. Incident Handling - Recovery
Dilbert ©2009, United Feature Syndicate, Inc.
21. Incident Handling - Lessons Learned
Patch web-server & application
Input validation
Close unnecessary open ports (e.g. FTP)
Password Policy
Regular back-ups
Web-app security testing
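Two of the lessons above, input validation and the Asprox-style SQL injection named on the Exploit slide, are easiest to understand side by side. The following is an added example and not material from the talk or the IRISS incident report: it uses Python with an in-memory SQLite table of constructed sample rows, and the function names and the crafted input value are the editor's own assumptions, chosen only to show why concatenated SQL fails and why binding plus an allow-list fixes it.

```python
import re
import sqlite3

# Constructed sample data for the demo; nothing here comes from the incident.
SAMPLE_USERS = [("alice", "editor"), ("bob", "admin")]


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The weak pattern: request text is spliced straight into the SQL string,
    so a crafted value changes the query's logic instead of being treated as data."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Parameter binding alone: the database never parses the value as SQL,
    so the same crafted text simply matches no row."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Allow-list for usernames (hypothetical policy for this demo).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Both lessons combined: reject anything outside the allow-list up front,
    then bind the validated value as a parameter."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username rejected by input validation")
    return lookup_parameterized(conn, username)


def demo() -> dict:
    """Run the three lookups against a normal and a crafted value and collect results."""
    conn = make_db()
    crafted = "x' OR '1'='1"  # constructed tautology input for the demonstration
    results = {
        "normal_vulnerable": lookup_vulnerable(conn, "alice"),
        "crafted_vulnerable": lookup_vulnerable(conn, crafted),   # leaks every row
        "crafted_parameterized": lookup_parameterized(conn, crafted),  # no rows
        "normal_hardened": lookup_hardened(conn, "alice"),
    }
    try:
        lookup_hardened(conn, crafted)
        results["crafted_hardened"] = "accepted"
    except ValueError:
        results["crafted_hardened"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The binding fix is what actually closes the hole; the allow-list is the input-validation layer from the slide, which additionally stops the bad value from ever reaching the database and gives you something to log and alert on.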
22. Securing the Desktop
End-User Defence
Rescue CDs
Google -> "rescue site:raymond.cc"
Free Tools
http://zeltser.com/fighting-malicious-software/
23. Next Steps & Extra Info
SANS GCIH Gold Paper
Scareware & its evolution
Incident Handling Process
Full Incident Report
http://www.iriss.ie – in shared documents
http://www.hillick.net/things/scareware.doc
24. References
Sunbelt Blog
Dancho Danchev Blog
SANS ISC (Thanks to @bojanz)
VRT-Sourcefire Blog
Symantec White Papers
SANS Forensics Blog
25. That's it.....
Hat Tip for image - Jesse M. Heines -
http://teaching.cs.uml.edu/~heines/images/questions.gif