Scareware - Irisscon 2009

Transcript

1. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

   IRISS 1 Scareware From Ireland Mark Hillick IrissCert Incident Handler http://www.iriss.ie [email protected]

2. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

   IRISS 2 What is Scareware?

3. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

   IRISS 3 Irish Scareware Exploit q Browse to Irish website & collect your fake anti- virus

4. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

   IRISS 4 Dialog-box fun…..

5. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

   IRISS 5 Dialog-box fun cont…..

6. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

   IRISS 6 System Scan

7. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

   IRISS 7 Trojan Log file

8. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

   IRISS 8 Money, please!

9. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

   IRISS 9 Are you sure?

10. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 10 Are you mad????

11. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 11 BSOD

12. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 12 Effect on the end-user….

13. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 13 Exploit q  Exploited Sites hosted on one server §  Microsoft FTPd & IIS 6.0 q Two most popular web site attacks – §  Gumblar q PHP Sites §  Asprox q SQL Injection

14. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 14 Pass the Parcel q http://compromisedsite.ie §  http://jobstopfil.biz q http://poppka.net q http://sujetline.ru q http://grownclubfest.ru q  PDF & SWF files served back

15. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 15 Obfuscation q Engaged SANS ISC Malware Team §  Heavily obfuscated javascript §  Used techniques not seen before

16. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 16 Complex Design….

17. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 17 q Tamper Data, Live HTTP Headers – Firefox q Burp Suite q Tcpdump, Wireshark & Netwitness q Dig/nslookup Tools Used

18. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 18 Incident Handling - Containment Source: http://www.tazworld.co.uk/gallery/pictures/www.tazworld.co.uk_taz_035.gif © Warner Bros. Entertainment Inc.

19. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 19 Incident Handling - Eradication Source -> http://www.alexross.com/CJ011.jpg © Warner Bros. Entertainment Inc

20. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 20 Incident Handling - Recovery Dilbert ©2009, United Feature Syndicate, Inc.

21. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 21 Incident Handling - Lessons Learned q Patch web-server & application §  Input validation q Close unnecessary open ports (e.g. FTP) q Password Policy q Regular back-ups q Web-app security testing

22. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 22 Securing the Desktop q End-User Defence q Rescue CDs §  Google -> “rescue site:raymond.cc” q Free Tools §  http://zeltser.com/fighting-malicious-software/

23. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 23 Next Steps & Extra Info q Sans GCIH Gold Paper -  Scareware & its evolution -  Incident Handling Process q  Full Incident Report -  http://www.iriss.ie – in shared documents -  http://www.hillick.net/things/scareware.doc

24. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 24 References q Sunbelt Blog q Dancho Danchev Blog q SANS ISC (Thanks to @bojanz) q VRT-Sourcefire Blog q Symantec White Papers q Sans Forensics Blog

25. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009

    IRISS 25 That's it..... Hat Tip for image - Jesse M. Heines - http://teaching.cs.uml.edu/~heines/images/ questions.gif