Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Scareware - Irisscon 2009

Mark Hillick
November 23, 2012
0
42

Scareware - Irisscon 2009

At the initial IrissCon, in 2009, I discussed the investigation, analysis and resolution of a Web Application attack that was part of a larger criminal scareware campaign.

Mark Hillick

November 23, 2012
Tweet

More Decks by Mark Hillick

See All by Mark Hillick
Digital Safety for Parents
markofu
0
130
Do you even tech anymore?
markofu
0
83
Leveling Up Security :: 2015 v 2018
markofu
0
320
Security Change Through Feedback
markofu
0
100
Feedback Security
markofu
2
260
Leveling Up Security @ Riot Games :: BruCon 2015
markofu
0
530
Team Building @ Riot
markofu
0
93
Social Security @ Riot
markofu
0
330
Securing your MongoDB Implementation
markofu
0
190

Featured

See All Featured
Building a Scalable Design System with Sketch
lauravandoore
459
33k
Building an army of robots
kneath
302
43k
Imperfection Machines: The Place of Print at Facebook
scottboms
265
13k
Code Review Best Practice
trishagee
64
17k
The Cult of Friendly URLs
andyhume
78
6k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
24k
Embracing the Ebb and Flow
colly
84
4.5k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
8
890
Building Adaptive Systems
keathley
38
2.3k
No one is an island. Learnings from fostering a developers community.
thoeni
19
3k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
229
52k
Fontdeck: Realign not Redesign
paulrobertlloyd
82
5.2k

Transcript

  1. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 1 Scareware From Ireland Mark Hillick IrissCert Incident Handler http://www.iriss.ie [email protected]

  2. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 2 What is Scareware?

  3. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 3 Irish Scareware Exploit q Browse to Irish website & collect your fake anti- virus

  4. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 4 Dialog-box fun…..

  5. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 5 Dialog-box fun cont…..

  6. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 6 System Scan

  7. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 7 Trojan Log file

  8. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 8 Money, please!

  9. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 9 Are you sure?

  10. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 10 Are you mad????

  11. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 11 BSOD

  12. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 12 Effect on the end-user….

  13. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 13 Exploit q  Exploited Sites hosted on one server §  Microsoft FTPd & IIS 6.0 q Two most popular web site attacks – §  Gumblar q PHP Sites §  Asprox q SQL Injection

  14. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 14 Pass the Parcel q http://compromisedsite.ie §  http://jobstopfil.biz q http://poppka.net q http://sujetline.ru q http://grownclubfest.ru q  PDF & SWF files served back

  15. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 15 Obfuscation q Engaged SANS ISC Malware Team §  Heavily obfuscated javascript §  Used techniques not seen before

  16. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 16 Complex Design….

  17. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 17 q Tamper Data, Live HTTP Headers – Firefox q Burp Suite q Tcpdump, Wireshark & Netwitness q Dig/nslookup Tools Used

  18. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 18 Incident Handling - Containment Source: http://www.tazworld.co.uk/gallery/pictures/www.tazworld.co.uk_taz_035.gif © Warner Bros. Entertainment Inc.

  19. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 19 Incident Handling - Eradication Source -> http://www.alexross.com/CJ011.jpg © Warner Bros. Entertainment Inc

  20. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 20 Incident Handling - Recovery Dilbert ©2009, United Feature Syndicate, Inc.

  21. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 21 Incident Handling - Lessons Learned q Patch web-server & application §  Input validation q Close unnecessary open ports (e.g. FTP) q Password Policy q Regular back-ups q Web-app security testing

  22. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 22 Securing the Desktop q End-User Defence q Rescue CDs §  Google -> “rescue site:raymond.cc” q Free Tools §  http://zeltser.com/fighting-malicious-software/

  23. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 23 Next Steps & Extra Info q Sans GCIH Gold Paper -  Scareware & its evolution -  Incident Handling Process q  Full Incident Report -  http://www.iriss.ie – in shared documents -  http://www.hillick.net/things/scareware.doc

  24. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 24 References q Sunbelt Blog q Dancho Danchev Blog q SANS ISC (Thanks to @bojanz) q VRT-Sourcefire Blog q Symantec White Papers q Sans Forensics Blog

  25. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 25 That's it..... Hat Tip for image - Jesse M. Heines - http://teaching.cs.uml.edu/~heines/images/ questions.gif