Scareware - Irisscon 2009
•
0 likes•713 views
At the initial IrissCon, in 2009, I discussed the investigation, analysis and resolution of a Web Application attack that was part of a larger criminal scareware campaign.
Recommended
Recommended
More Related Content
What's hot
What's hot (12)
Viewers also liked
Viewers also liked (17)
Similar to Scareware - Irisscon 2009
Similar to Scareware - Irisscon 2009 (20)
More from Mark Hillick
More from Mark Hillick (9)
Recently uploaded
Recently uploaded (20)
Scareware - Irisscon 2009
- 1. Scareware From Ireland Mark Hillick IrissCert Incident Handler http://www.iriss.ie mark.hillick@iriss.ie Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 1
- 2. What is Scareware? Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 2
- 3. Irish Scareware Exploit Browse to Irish website & collect your fake anti- virus Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 3
- 4. Dialog-box fun….. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 4
- 5. Dialog-box fun cont….. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 5
- 6. System Scan Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 6
- 7. Trojan Log file Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 7
- 8. Money, please! Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 8
- 9. Are you sure? Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 9
- 10. Are you mad???? Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 10
- 11. BSOD Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 11
- 12. Effect on the end-user…. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 12
- 13. Exploit Exploited Sites hosted on one server Microsoft FTPd & IIS 6.0 Two most popular web site attacks – Gumblar PHP Sites Asprox SQL Injection Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 13
- 14. Pass the Parcel http://compromisedsite.ie http://jobstopfil.biz http://poppka.net http://sujetline.ru http://grownclubfest.ru PDF & SWF files served back Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 14
- 15. Obfuscation Engaged SANS ISC Malware Team Heavily obfuscated javascript Used techniques not seen before Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 15
- 16. Complex Design…. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 16
- 17. Tools Used Tamper Data, Live HTTP Headers – Firefox Burp Suite Tcpdump, Wireshark & Netwitness Dig/nslookup Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 17
- 18. Incident Handling - Containment Source: http://www.tazworld.co.uk/gallery/pictures/www.tazworld.co.uk_taz_035.gif © Warner Bros. Entertainment Inc. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 18
- 19. Incident Handling - Eradication Source -> http://www.alexross.com/CJ011.jpg © Warner Bros. Entertainment Inc Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 19
- 20. Incident Handling - Recovery Dilbert ©2009, United Feature Syndicate, Inc. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 20
- 21. Incident Handling - Lessons Learned Patch web-server & application Input validation Close unnecessary open ports (e.g. FTP) Password Policy Regular back-ups Web-app security testing Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 21
- 22. Securing the Desktop End-User Defence Rescue CDs Google -> “rescue site:raymond.cc” Free Tools http://zeltser.com/fighting-malicious-software/ Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 22
- 23. Next Steps & Extra Info Sans GCIH Gold Paper − Scareware & its evolution − Incident Handling Process Full Incident Report − http://www.iriss.ie – in shared documents − http://www.hillick.net/things/scareware.doc Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 23
- 24. References Sunbelt Blog Dancho Danchev Blog SANS ISC (Thanks to @bojanz) VRT-Sourcefire Blog Symantec White Papers Sans Forensics Blog Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 24
- 25. That's it..... Hat Tip for image - Jesse M. Heines - http://teaching.cs.uml.edu/~heines/images/ questions.gif Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 25
Editor's Notes
- Going to define scareware – Software scares end-user into thinking computer has an infection; 43 million fake anti-virus download attempts (June-July 09) – Symantec white paper Explain why criminals use Scareware and their motives. This is to give theaudience a reason to care about what you are talking about. Describe what happened to end-user computer Describe the infrastructure behind the scareware Describe the Exploit Describe how IRISS handled the incident Give some recommendations and resources for desktop controls Give References Answer questions throughout
- IRISS notified by a member. Confirmed it ourselves through testing and further through links with URL/IP/AV vendor and SANS ISC
- Dialog Box windows popping up everywhere to scare the end-user NB. – I was able to install AVG during it and sys Internals Tools.
- Dialog Box windows popping up everywhere to scare the end-user
- Looks very like leading anti-virus/anti-malware desktop solutions
- Log file – adding some reality, professionalism
- Does that not look the Verisign logo??? At this point, it’s “Game Over”.
- Are you sure? Seriously?
- At the last minute, I decide I was uncomfortable with paying the cash. It warns me – emphasises that I will be continuing UNPROTECTED. http://sunbeltblog.blogspot.com/2009/07/new-rogue-tactic-blue-screen-of.html - According to anti-spyware firm Sunbelt Software, this ‘Blue Screen of Death’ trick is a new trick from July 2009
- The return of the infamous BSOD……this surely has to panic end-users
- For the average end-user, this is the only conceivable output.
- We have no concrete facts around how the site was exploited, however, there were quite a few issues with servers from this web farm and they were running IIS6 on Windows. Most of the current attacks (confirmed with SANS ISC) are either performed with Gumblar or Asprox. Although the server was running IIS 6.0 the malware did not exploit IIS per se but rather used weak web appsecurity. Tie in with Eoin's talk later and also highlight where the problems lie. http://en.wikipedia.org/wiki/Gumblar Further information -
- This is what happened when the user accessed the site – multiple redirects to external sites that all host malware. Therefore, the Irish sites are termed as intermediaries for sites that serve malware. McAfee SiteAdvisor, TrustSource – no good PDF & SWF - do not exploit the latest 0-day but some older vulnerabilities (namely the Collab one and util.printf) Difficult to get sites closed down – complexity (slide 14 will expand on this further) Also highlight that the redirects can happen to any site? E.g. New York Times etc.
- Comment on the links we have with Sans ISC. Comment on the advanced skills that the ‘bad guys’ have!!
- Exploited sites in Ireland – Irish websites Redirects - Domains hosted in Russia - Russian name & registrar Grownclubfest.ru Poppka.net https://www.onlinepurchasesolution.com https://www.securebillingsoftware.com webst.ru – hosting company Still working on closing sites – still serving malware Servers physically located in China – Netcraft Payment URLs hosted in Canada, registered
- Summary of the tools that were used
- Contact Hosting Company/Owner Possible temporary take-down Make IRISS members away of malware code Encourage company to disclose to customers (hhhhmmm, keep in?) Inform SANS, AV, IP reputation sites & URL filtering vendors Attempt takedown of malware-serving sites
- Recommended steps - Take site offline momentarily while the code is being removed. Only restore service to the site when it has been cleaned or a back-up has been restored. Remove malware code or restore latest clean back-up
- Scan application and restore service if clean Ask external URL/AV vendors to rescan site Inform customers if necessary that site is back up
- Not sure what to do here – should I be recommending what to do on a web application? Explain how to reduce the risk of this type of attack impacting your server. Contact Hosting Company/Owner Possible temporary take-down Make IRISS members away of malware code Inform SANS, AV & URL filtering vendors Attempt takedown of malware-serving sites
- Defence in Depth Desktop – AV, Anti-Spyware, Anti-Malware, Registry Cleaners Personal Firewall Browser – security add-on
- Add-ons – NoScript, Google Safe Browsing, AVG Toolbar, WOT, AdBlock Plus, Flashblock, ShowIP, Clear Private Data This scareware only ran on Windows Free Tools - http://zeltser.com/fighting-malicious-software/lookup-malicious-websites.html, http://zeltser.com/fighting-malicious-software/malicious-ip-blocklists.html, http://zeltser.com/reverse-malware/automated-malware-analysis.html
- http://sunbeltblog.blogspot.com/2009/07/new-rogue-tactic-blue-screen-of.html Google search http://ddanchev.blogspot.com/ for ‘scareware’ or ‘virus’ http://isc.sans.org/ (Thanks to @bojanz) http://vrt-sourcefire.blogspot.com/2009/11/paranoia-and-rise-of-fake-antivirus.html http://eval.symantec.com/mktginfo/enterprise/white_papers/b-symc_report_on_rogue_security_software_WP_20016952.en-us.pdf http://blogs.sans.org/computer-forensics/2009/11/07/lists-for-investigating-malware-incidents/