Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Scareware - Irisscon 2009

Mark Hillick
November 23, 2012
0
37

Scareware - Irisscon 2009

At the initial IrissCon, in 2009, I discussed the investigation, analysis and resolution of a Web Application attack that was part of a larger criminal scareware campaign.

Mark Hillick

November 23, 2012
Tweet

More Decks by Mark Hillick

See All by Mark Hillick
Digital Safety for Parents
markofu
0
94
Do you even tech anymore?
markofu
0
77
Leveling Up Security :: 2015 v 2018
markofu
0
300
Security Change Through Feedback
markofu
0
94
Feedback Security
markofu
2
250
Leveling Up Security @ Riot Games :: BruCon 2015
markofu
0
530
Team Building @ Riot
markofu
0
82
Social Security @ Riot
markofu
0
310
Securing your MongoDB Implementation
markofu
0
180

Featured

See All Featured
Why You Should Never Use an ORM
jnunemaker
PRO
51
8.6k
Building a Scalable Design System with Sketch
lauravandoore
456
32k
Code Reviewing Like a Champion
maltzj
514
39k
10 Git Anti Patterns You Should be Aware of
lemiorhan
648
58k
Producing Creativity
orderedlist
PRO
337
39k
Clear Off the Table
cherdarchuk
84
310k
YesSQL, Process and Tooling at Scale
rocio
164
13k
How STYLIGHT went responsive
nonsquared
92
4.8k
Git: the NoSQL Database
bkeepers
PRO
422
63k
Principles of Awesome APIs and How to Build Them.
keavy
121
16k
Writing Fast Ruby
sferik
621
60k
Mobile First: as difficult as doing things right
swwweet
216
8.6k

Transcript

  1. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 1 Scareware From Ireland Mark Hillick IrissCert Incident Handler http://www.iriss.ie [email protected]

  2. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 2 What is Scareware?

  3. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 3 Irish Scareware Exploit q Browse to Irish website & collect your fake anti- virus

  4. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 4 Dialog-box fun…..

  5. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 5 Dialog-box fun cont…..

  6. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 6 System Scan

  7. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 7 Trojan Log file

  8. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 8 Money, please!

  9. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 9 Are you sure?

  10. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 10 Are you mad????

  11. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 11 BSOD

  12. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 12 Effect on the end-user….

  13. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 13 Exploit q  Exploited Sites hosted on one server §  Microsoft FTPd & IIS 6.0 q Two most popular web site attacks – §  Gumblar q PHP Sites §  Asprox q SQL Injection

  14. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 14 Pass the Parcel q http://compromisedsite.ie §  http://jobstopfil.biz q http://poppka.net q http://sujetline.ru q http://grownclubfest.ru q  PDF & SWF files served back

  15. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 15 Obfuscation q Engaged SANS ISC Malware Team §  Heavily obfuscated javascript §  Used techniques not seen before

  16. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 16 Complex Design….

  17. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 17 q Tamper Data, Live HTTP Headers – Firefox q Burp Suite q Tcpdump, Wireshark & Netwitness q Dig/nslookup Tools Used

  18. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 18 Incident Handling - Containment Source: http://www.tazworld.co.uk/gallery/pictures/www.tazworld.co.uk_taz_035.gif © Warner Bros. Entertainment Inc.

  19. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 19 Incident Handling - Eradication Source -> http://www.alexross.com/CJ011.jpg © Warner Bros. Entertainment Inc

  20. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 20 Incident Handling - Recovery Dilbert ©2009, United Feature Syndicate, Inc.

  21. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 21 Incident Handling - Lessons Learned q Patch web-server & application §  Input validation q Close unnecessary open ports (e.g. FTP) q Password Policy q Regular back-ups q Web-app security testing

  22. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 22 Securing the Desktop q End-User Defence q Rescue CDs §  Google -> “rescue site:raymond.cc” q Free Tools §  http://zeltser.com/fighting-malicious-software/

  23. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 23 Next Steps & Extra Info q Sans GCIH Gold Paper -  Scareware & its evolution -  Incident Handling Process q  Full Incident Report -  http://www.iriss.ie – in shared documents -  http://www.hillick.net/things/scareware.doc

  24. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 24 References q Sunbelt Blog q Dancho Danchev Blog q SANS ISC (Thanks to @bojanz) q VRT-Sourcefire Blog q Symantec White Papers q Sans Forensics Blog

  25. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 25 That's it..... Hat Tip for image - Jesse M. Heines - http://teaching.cs.uml.edu/~heines/images/ questions.gif