SlideShare a Scribd company logo

Scare Ware From Ireland

Brian Honan
Brian Honan

The document discusses scareware and an incident involving scareware originating from Ireland. Scareware tricks users into believing their computer is infected in order to get them to purchase fake anti-virus software. The incident involved websites hosting scareware that would redirect users through a chain of other compromised sites before serving scareware files. Security professionals used various forensic tools to analyze the scareware and handle the incident by containing the infection, eradicating it from affected systems, and helping users recover while also learning lessons to prevent future incidents.

TechnologyBusiness
1 of 25
Download to read offline
Scareware From Ireland Mark Hillick IrissCert I id t H dl I i C t Incident Handler http://www.iriss.ie mark.hillick@iriss.ie Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 1
What is Scareware? Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 2
Irish Scareware Exploit Browse to Irish website & collect your fake anti- virus Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 3
Dialog box fun Dialog-box fun….. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 4
Dialog box Dialog-box fun cont cont….. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 5
System Scan Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 6
Trojan Log file Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 7
Money, Money please! Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 8
Are you sure? Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 9
Are you mad???? Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 10
BSOD Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 11
Effect on the end-user end user…. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 12
Exploit  Exploited Sites hosted on one server  Microsoft FTPd & IIS 6.0 60 Two most popular web site attacks –  Gumblar PHP Sites  Asprox SQL Injection Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 13
Pass the Parcel http://compromisedsite.ie  http://jobstopfil.biz http://poppka.net  htt // j tli http://sujetline.ru  http://grownclubfest.ru ttp //g o c ub est u  PDF & SWF files served back Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 14
Obfuscation Engaged SANS ISC Malware Team  Heavily obfuscated javascript  Used techniques not seen before Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 15
Complex Design…. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 16
Tools Used Tamper Data, Live HTTP Headers – Firefox Burp Suite Tcpdump, Tcpdump Wireshark & Netwitness Dig/nslookup Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 17
Incident Handling - Containment Source: http://www.tazworld.co.uk/gallery/pictures/www.tazworld.co.uk_taz_035.gif p // /g y/p / g © Warner Bros. Entertainment Inc. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 18
Incident Handling - Eradication Source -> http://www.alexross.com/CJ011.jpg © Warner Bros. Entertainment Inc Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 19
Incident Handling - Recovery Dilbert ©2009, United Feature Syndicate, Inc. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 20
Incident Handling - Lessons Learned Patch web-server & application  Input validation p Close unnecessary open ports (e g FTP) (e.g. Password Policy Regular back-ups Web-app security testing Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 21
Securing the Desktop End-User Defence Rescue CDs  Google -> “rescue site:raymond cc” > rescue site:raymond.cc Free Tools  http://zeltser.com/fighting-malicious-software/ Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 22
Next Steps & Extra Info Sans GCIH Gold Paper  Scareware & its evolution  Incident Handling Process  Full Incident Report  http://www.iriss.ie – in shared documents  http://www.hillick.net/things/scareware.doc http://www hillick net/things/scareware doc Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 23
References  Sunbelt Blog  Dancho Danchev Blog  SANS ISC (Thanks to @bojanz)  VRT-Sourcefire Blog  Symantec White Papers  Sans Forensics Blog Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 24
That s it..... That's it Hat Tip for image - Jesse M. Heines - http://teaching.cs.uml.edu/~heines/images/questions.gif Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 25

Recommended

Scareware - Irisscon 2009
Scareware - Irisscon 2009Scareware - Irisscon 2009
Scareware - Irisscon 2009
Mark Hillick
 
Extreme Hacking: Encrypted Networks SWAT style - Wayne Burke
Extreme Hacking: Encrypted Networks SWAT style - Wayne BurkeExtreme Hacking: Encrypted Networks SWAT style - Wayne Burke
Extreme Hacking: Encrypted Networks SWAT style - Wayne Burke
EC-Council
 
Malta InSafe 2013 links
Malta InSafe 2013 linksMalta InSafe 2013 links
Malta InSafe 2013 links
Louise Jones
 
Info secvoip
Info secvoipInfo secvoip
Info secvoip
Quobis
 
Nsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC ConferenceNsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC Conference
NSC42 Ltd
 
DefCamp 2013 - Are we there yet?
DefCamp 2013 - Are we there yet?DefCamp 2013 - Are we there yet?
DefCamp 2013 - Are we there yet?
DefCamp
 
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threatBasic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
Vladyslav Radetsky
 
Cisco canada education @ CAIS IT leadership conference 2014
Cisco canada education @ CAIS IT leadership conference 2014 Cisco canada education @ CAIS IT leadership conference 2014
Cisco canada education @ CAIS IT leadership conference 2014
Marc Lijour, OCT, BSc, MBA
 

Recommended

Scareware - Irisscon 2009
Scareware - Irisscon 2009Scareware - Irisscon 2009
Scareware - Irisscon 2009
Mark Hillick
 
Extreme Hacking: Encrypted Networks SWAT style - Wayne Burke
Extreme Hacking: Encrypted Networks SWAT style - Wayne BurkeExtreme Hacking: Encrypted Networks SWAT style - Wayne Burke
Extreme Hacking: Encrypted Networks SWAT style - Wayne Burke
EC-Council
 
Malta InSafe 2013 links
Malta InSafe 2013 linksMalta InSafe 2013 links
Malta InSafe 2013 links
Louise Jones
 
Info secvoip
Info secvoipInfo secvoip
Info secvoip
Quobis
 
Nsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC ConferenceNsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC Conference
NSC42 Ltd
 
DefCamp 2013 - Are we there yet?
DefCamp 2013 - Are we there yet?DefCamp 2013 - Are we there yet?
DefCamp 2013 - Are we there yet?
DefCamp
 
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threatBasic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
Vladyslav Radetsky
 
Cisco canada education @ CAIS IT leadership conference 2014
Cisco canada education @ CAIS IT leadership conference 2014 Cisco canada education @ CAIS IT leadership conference 2014
Cisco canada education @ CAIS IT leadership conference 2014
Marc Lijour, OCT, BSc, MBA
 
Knowing Me Knowing You
Knowing Me Knowing YouKnowing Me Knowing You
Knowing Me Knowing You
Brian Honan
 
Best practises for log management
Best practises for log managementBest practises for log management
Best practises for log management
Brian Honan
 
Juliana New York
Juliana New YorkJuliana New York
Juliana New York
guest3c3576
 
KMUTNB - Internet Programming 5/7
KMUTNB - Internet Programming 5/7KMUTNB - Internet Programming 5/7
KMUTNB - Internet Programming 5/7
phuphax
 
Recipes From Italy
Recipes From ItalyRecipes From Italy
Recipes From Italy
Tiina Sarisalmi
 
Idea
IdeaIdea
Idea
guest4570edb
 
Cineas Corso Taylor Made Per Zurich 27 Aprile 2010 Mattina
Cineas Corso Taylor Made Per Zurich 27 Aprile 2010 MattinaCineas Corso Taylor Made Per Zurich 27 Aprile 2010 Mattina
Cineas Corso Taylor Made Per Zurich 27 Aprile 2010 Mattina
Marco Contini
 
How to add a canvas to your image
How to add a canvas to your imageHow to add a canvas to your image
How to add a canvas to your image
Sirron Carrector
 
Aubergine Parmigiana - Recipe
Aubergine Parmigiana - RecipeAubergine Parmigiana - Recipe
Aubergine Parmigiana - Recipe
Tiina Sarisalmi
 
Denver Green Car Presentation
Denver Green Car PresentationDenver Green Car Presentation
Denver Green Car Presentation
banovsky
 
Orivesi - Down the Mainstreet
Orivesi - Down the MainstreetOrivesi - Down the Mainstreet
Orivesi - Down the Mainstreet
Tiina Sarisalmi
 
Ic Sconf2010presentation Dp Bh
Ic Sconf2010presentation Dp BhIc Sconf2010presentation Dp Bh
Ic Sconf2010presentation Dp Bh
Brian Honan
 
eTwinning Professional Development 2011
eTwinning Professional Development 2011eTwinning Professional Development 2011
eTwinning Professional Development 2011
Tiina Sarisalmi
 
Learning from History
Learning from HistoryLearning from History
Learning from History
Brian Honan
 
Virtaa Voimaa Vauhtia
Virtaa Voimaa VauhtiaVirtaa Voimaa Vauhtia
Virtaa Voimaa Vauhtia
Tiina Sarisalmi
 
Kansainvälisyysstrategia 2.0 ja OPS-2016
Kansainvälisyysstrategia 2.0 ja OPS-2016Kansainvälisyysstrategia 2.0 ja OPS-2016
Kansainvälisyysstrategia 2.0 ja OPS-2016
Tiina Sarisalmi
 
Video Game Console
Video Game ConsoleVideo Game Console
Video Game Console
judah43
 
Will Rogers IAAP May Mtg Invitation
Will Rogers IAAP May Mtg InvitationWill Rogers IAAP May Mtg Invitation
Will Rogers IAAP May Mtg Invitation
cbradley
 
NCrafts.IO 2015 - Future of User eXperiences
NCrafts.IO 2015 - Future of User eXperiencesNCrafts.IO 2015 - Future of User eXperiences
NCrafts.IO 2015 - Future of User eXperiences
Vincent Guigui
 
Hazcrowd for Crowdsourcing
Hazcrowd for CrowdsourcingHazcrowd for Crowdsourcing
Hazcrowd for Crowdsourcing
Tristan Cooke
 
Lec21 security
Lec21 securityLec21 security
Lec21 security
imran6994
 
Linux Foundation Live Webinar: Applying Governance to CI/CD
Linux Foundation Live Webinar: Applying Governance to CI/CDLinux Foundation Live Webinar: Applying Governance to CI/CD
Linux Foundation Live Webinar: Applying Governance to CI/CD
Tiffany Jachja
 

More Related Content

Viewers also liked

Cineas Corso Taylor Made Per Zurich 27 Aprile 2010 Mattina
Cineas Corso Taylor Made Per Zurich 27 Aprile 2010 MattinaCineas Corso Taylor Made Per Zurich 27 Aprile 2010 Mattina
Cineas Corso Taylor Made Per Zurich 27 Aprile 2010 Mattina
Marco Contini
 
How to add a canvas to your image
How to add a canvas to your imageHow to add a canvas to your image
How to add a canvas to your image
Sirron Carrector
 
Aubergine Parmigiana - Recipe
Aubergine Parmigiana - RecipeAubergine Parmigiana - Recipe
Aubergine Parmigiana - Recipe
Tiina Sarisalmi
 
Orivesi - Down the Mainstreet
Orivesi - Down the MainstreetOrivesi - Down the Mainstreet
Orivesi - Down the Mainstreet
Tiina Sarisalmi
 
eTwinning Professional Development 2011
eTwinning Professional Development 2011eTwinning Professional Development 2011
eTwinning Professional Development 2011
Tiina Sarisalmi
 
Video Game Console
Video Game ConsoleVideo Game Console
Video Game Console
judah43
 
Hazcrowd for Crowdsourcing
Hazcrowd for CrowdsourcingHazcrowd for Crowdsourcing
Hazcrowd for Crowdsourcing
Tristan Cooke
 

Viewers also liked (20)

Knowing Me Knowing You
Knowing Me Knowing YouKnowing Me Knowing You
Knowing Me Knowing You
 
Best practises for log management
Best practises for log managementBest practises for log management
Best practises for log management
 
Juliana New York
Juliana New YorkJuliana New York
Juliana New York
 
KMUTNB - Internet Programming 5/7
KMUTNB - Internet Programming 5/7KMUTNB - Internet Programming 5/7
KMUTNB - Internet Programming 5/7
 
Recipes From Italy
Recipes From ItalyRecipes From Italy
Recipes From Italy
 
Idea
IdeaIdea
Idea
 
Cineas Corso Taylor Made Per Zurich 27 Aprile 2010 Mattina
Cineas Corso Taylor Made Per Zurich 27 Aprile 2010 MattinaCineas Corso Taylor Made Per Zurich 27 Aprile 2010 Mattina
Cineas Corso Taylor Made Per Zurich 27 Aprile 2010 Mattina
 
How to add a canvas to your image
How to add a canvas to your imageHow to add a canvas to your image
How to add a canvas to your image
 
Aubergine Parmigiana - Recipe
Aubergine Parmigiana - RecipeAubergine Parmigiana - Recipe
Aubergine Parmigiana - Recipe
 
Denver Green Car Presentation
Denver Green Car PresentationDenver Green Car Presentation
Denver Green Car Presentation
 
Orivesi - Down the Mainstreet
Orivesi - Down the MainstreetOrivesi - Down the Mainstreet
Orivesi - Down the Mainstreet
 
Ic Sconf2010presentation Dp Bh
Ic Sconf2010presentation Dp BhIc Sconf2010presentation Dp Bh
Ic Sconf2010presentation Dp Bh
 
eTwinning Professional Development 2011
eTwinning Professional Development 2011eTwinning Professional Development 2011
eTwinning Professional Development 2011
 
Learning from History
Learning from HistoryLearning from History
Learning from History
 
Virtaa Voimaa Vauhtia
Virtaa Voimaa VauhtiaVirtaa Voimaa Vauhtia
Virtaa Voimaa Vauhtia
 
Kansainvälisyysstrategia 2.0 ja OPS-2016
Kansainvälisyysstrategia 2.0 ja OPS-2016Kansainvälisyysstrategia 2.0 ja OPS-2016
Kansainvälisyysstrategia 2.0 ja OPS-2016
 
Video Game Console
Video Game ConsoleVideo Game Console
Video Game Console
 
Will Rogers IAAP May Mtg Invitation
Will Rogers IAAP May Mtg InvitationWill Rogers IAAP May Mtg Invitation
Will Rogers IAAP May Mtg Invitation
 
NCrafts.IO 2015 - Future of User eXperiences
NCrafts.IO 2015 - Future of User eXperiencesNCrafts.IO 2015 - Future of User eXperiences
NCrafts.IO 2015 - Future of User eXperiences
 
Hazcrowd for Crowdsourcing
Hazcrowd for CrowdsourcingHazcrowd for Crowdsourcing
Hazcrowd for Crowdsourcing
 

Similar to Scare Ware From Ireland

Linux Foundation Live Webinar: Applying Governance to CI/CD
Linux Foundation Live Webinar: Applying Governance to CI/CDLinux Foundation Live Webinar: Applying Governance to CI/CD
Linux Foundation Live Webinar: Applying Governance to CI/CD
Tiffany Jachja
 
The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020
NSC42 Ltd
 
lec21-security.ppt
lec21-security.pptlec21-security.ppt
lec21-security.ppt
arrenfill
 
my lecture 21.network security.2023.ppt
my lecture 21.network security.2023.pptmy lecture 21.network security.2023.ppt
my lecture 21.network security.2023.ppt
halosidiq1
 

Similar to Scare Ware From Ireland (20)

Lec21 security
Lec21 securityLec21 security
Lec21 security
 
Linux Foundation Live Webinar: Applying Governance to CI/CD
Linux Foundation Live Webinar: Applying Governance to CI/CDLinux Foundation Live Webinar: Applying Governance to CI/CD
Linux Foundation Live Webinar: Applying Governance to CI/CD
 
How to perform an Infrastructure Security Gap Analysis
How to perform an Infrastructure Security Gap AnalysisHow to perform an Infrastructure Security Gap Analysis
How to perform an Infrastructure Security Gap Analysis
 
Internet security: a landscape of unintended consequences
Internet security: a landscape of unintended consequencesInternet security: a landscape of unintended consequences
Internet security: a landscape of unintended consequences
 
Presentation cisco iron port product family
Presentation cisco iron port product familyPresentation cisco iron port product family
Presentation cisco iron port product family
 
The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020
 
During the Next Generation Network and Data Centre – Now and into the Future ...
During the Next Generation Network and Data Centre – Now and into the Future ...During the Next Generation Network and Data Centre – Now and into the Future ...
During the Next Generation Network and Data Centre – Now and into the Future ...
 
Basic Internet Security (for Association of Bridal Consultants - Italy)
Basic Internet Security (for Association of Bridal Consultants - Italy)Basic Internet Security (for Association of Bridal Consultants - Italy)
Basic Internet Security (for Association of Bridal Consultants - Italy)
 
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
 
Docker app armor_usecase
Docker app armor_usecaseDocker app armor_usecase
Docker app armor_usecase
 
Drones in real time communication - AVAYA
Drones in real time communication - AVAYADrones in real time communication - AVAYA
Drones in real time communication - AVAYA
 
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec CiscoCisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
 
Brksec 2048-demystifying aci-security
Brksec 2048-demystifying aci-securityBrksec 2048-demystifying aci-security
Brksec 2048-demystifying aci-security
 
20181116.smart can cable_v2
20181116.smart can cable_v220181116.smart can cable_v2
20181116.smart can cable_v2
 
lec21-security.ppt
lec21-security.pptlec21-security.ppt
lec21-security.ppt
 
network.ppt
network.pptnetwork.ppt
network.ppt
 
my lecture 21.network security.2023.ppt
my lecture 21.network security.2023.pptmy lecture 21.network security.2023.ppt
my lecture 21.network security.2023.ppt
 
lec21-security.ppt
lec21-security.pptlec21-security.ppt
lec21-security.ppt
 
Network Security
Network SecurityNetwork Security
Network Security
 
lec21-security.ppt
lec21-security.pptlec21-security.ppt
lec21-security.ppt
 

More from Brian Honan

How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network Security
Brian Honan
 

More from Brian Honan (18)

Brian honan ipexpo keynote
Brian honan ipexpo keynoteBrian honan ipexpo keynote
Brian honan ipexpo keynote
 
GDPR & Brexit - What Does the Future Hold?
GDPR & Brexit - What Does the Future Hold?GDPR & Brexit - What Does the Future Hold?
GDPR & Brexit - What Does the Future Hold?
 
Ransomware Prevention Guide
Ransomware Prevention GuideRansomware Prevention Guide
Ransomware Prevention Guide
 
Brian honan
Brian honanBrian honan
Brian honan
 
The dark side of the internet
The dark side of the internetThe dark side of the internet
The dark side of the internet
 
Data security brian honan
Data security brian honanData security brian honan
Data security brian honan
 
Presentation on EU Directives Impacting Cyber Security for Information Securi...
Presentation on EU Directives Impacting Cyber Security for Information Securi...Presentation on EU Directives Impacting Cyber Security for Information Securi...
Presentation on EU Directives Impacting Cyber Security for Information Securi...
 
Incident Response in the Cloud
Incident Response in the CloudIncident Response in the Cloud
Incident Response in the Cloud
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network Security
 
Bridging the air gap
Bridging the air gapBridging the air gap
Bridging the air gap
 
Proactive incident response
Proactive incident responseProactive incident response
Proactive incident response
 
Incident response cloud
Incident response cloudIncident response cloud
Incident response cloud
 
Preparing for Failure - Best Practise for Incident Response
Preparing for Failure - Best Practise for Incident ResponsePreparing for Failure - Best Practise for Incident Response
Preparing for Failure - Best Practise for Incident Response
 
Cloud security
Cloud securityCloud security
Cloud security
 
Layer 8 Security - Securing the Nut Between the Keyboard & Screen
Layer 8 Security - Securing the Nut Between the Keyboard & ScreenLayer 8 Security - Securing the Nut Between the Keyboard & Screen
Layer 8 Security - Securing the Nut Between the Keyboard & Screen
 
Creating a CERT at WARP Speed
Creating a CERT at WARP SpeedCreating a CERT at WARP Speed
Creating a CERT at WARP Speed
 
The Case for Mandatory Data Breach Disclosure Laws
The Case for Mandatory Data Breach Disclosure LawsThe Case for Mandatory Data Breach Disclosure Laws
The Case for Mandatory Data Breach Disclosure Laws
 
Hot Topics For 2010
Hot Topics For 2010Hot Topics For 2010
Hot Topics For 2010
 

Recently uploaded

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 

Recently uploaded (20)

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 

Scare Ware From Ireland

  • 1. Scareware From Ireland Mark Hillick IrissCert I id t H dl I i C t Incident Handler http://www.iriss.ie mark.hillick@iriss.ie Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 1
  • 2. What is Scareware? Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 2
  • 3. Irish Scareware Exploit Browse to Irish website & collect your fake anti- virus Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 3
  • 4. Dialog box fun Dialog-box fun….. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 4
  • 5. Dialog box Dialog-box fun cont cont….. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 5
  • 6. System Scan Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 6
  • 7. Trojan Log file Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 7
  • 8. Money, Money please! Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 8
  • 9. Are you sure? Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 9
  • 10. Are you mad???? Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 10
  • 11. BSOD Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 11
  • 12. Effect on the end-user end user…. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 12
  • 13. Exploit  Exploited Sites hosted on one server  Microsoft FTPd & IIS 6.0 60 Two most popular web site attacks –  Gumblar PHP Sites  Asprox SQL Injection Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 13
  • 14. Pass the Parcel http://compromisedsite.ie  http://jobstopfil.biz http://poppka.net  htt // j tli http://sujetline.ru  http://grownclubfest.ru ttp //g o c ub est u  PDF & SWF files served back Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 14
  • 15. Obfuscation Engaged SANS ISC Malware Team  Heavily obfuscated javascript  Used techniques not seen before Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 15
  • 16. Complex Design…. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 16
  • 17. Tools Used Tamper Data, Live HTTP Headers – Firefox Burp Suite Tcpdump, Tcpdump Wireshark & Netwitness Dig/nslookup Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 17
  • 18. Incident Handling - Containment Source: http://www.tazworld.co.uk/gallery/pictures/www.tazworld.co.uk_taz_035.gif p // /g y/p / g © Warner Bros. Entertainment Inc. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 18
  • 19. Incident Handling - Eradication Source -> http://www.alexross.com/CJ011.jpg © Warner Bros. Entertainment Inc Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 19
  • 20. Incident Handling - Recovery Dilbert ©2009, United Feature Syndicate, Inc. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 20
  • 21. Incident Handling - Lessons Learned Patch web-server & application  Input validation p Close unnecessary open ports (e g FTP) (e.g. Password Policy Regular back-ups Web-app security testing Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 21
  • 22. Securing the Desktop End-User Defence Rescue CDs  Google -> “rescue site:raymond cc” > rescue site:raymond.cc Free Tools  http://zeltser.com/fighting-malicious-software/ Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 22
  • 23. Next Steps & Extra Info Sans GCIH Gold Paper  Scareware & its evolution  Incident Handling Process  Full Incident Report  http://www.iriss.ie – in shared documents  http://www.hillick.net/things/scareware.doc http://www hillick net/things/scareware doc Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 23
  • 24. References  Sunbelt Blog  Dancho Danchev Blog  SANS ISC (Thanks to @bojanz)  VRT-Sourcefire Blog  Symantec White Papers  Sans Forensics Blog Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 24
  • 25. That s it..... That's it Hat Tip for image - Jesse M. Heines - http://teaching.cs.uml.edu/~heines/images/questions.gif Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 25