Slide 1: Scareware From Ireland
Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS
Mark Hillick, IrissCert Incident Handler
http://www.iriss.ie
[email protected]

Slide 2: What is Scareware?

Slide 3: Irish Scareware Exploit
- Browse to an Irish website & collect your fake anti-virus

Slide 4: Dialog-box fun...

Slide 5: Dialog-box fun cont...

Slide 6: System Scan

Slide 7: Trojan Log File

Slide 8: Money, please!

Slide 9: Are you sure?

Slide 10: Are you mad????

Slide 11: BSOD

Slide 12: Effect on the end-user...

Slide 13: Exploit
- Exploited sites hosted on one server
  - Microsoft FTPd & IIS 6.0
- Two most popular web site attacks:
  - Gumblar (PHP sites)
  - Asprox (SQL injection)

Slide 14: Pass the Parcel
- http://compromisedsite.ie
  - http://jobstopfil.biz
- http://poppka.net
- http://sujetline.ru
- http://grownclubfest.ru
- PDF & SWF files served back
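The hand-off chain on this slide is the kind of thing a handler reconstructs from Live HTTP Headers or proxy logs. The following Python is an added example, not code from the talk or the incident report: it walks Referer headers back from each PDF/SWF response to the page the user actually visited and flags chains that cross several hosts. The log lines, the client addresses and the paths on each host are constructed; only the domain names come from the slide.

```python
from urllib.parse import urlparse

# Constructed sample capture (not from the incident report), one request per
# line: client, URL, Referer ("-" if none), Content-Type of the response.
SAMPLE_LOG = """\
10.0.0.5 http://compromisedsite.ie/index.php - text/html
10.0.0.5 http://jobstopfil.biz/in.cgi?3 http://compromisedsite.ie/index.php text/html
10.0.0.5 http://poppka.net/go.php http://jobstopfil.biz/in.cgi?3 text/html
10.0.0.5 http://sujetline.ru/load.php http://poppka.net/go.php application/pdf
10.0.0.5 http://grownclubfest.ru/flash.php http://poppka.net/go.php application/x-shockwave-flash
10.0.0.7 http://intranet.example.ie/report.pdf http://intranet.example.ie/ application/pdf
"""

# Content types the deck reports being served at the end of the chain.
EXPLOIT_TYPES = {"application/pdf", "application/x-shockwave-flash"}

def parse_log(text):
    """One dict per well-formed line; anything else is skipped."""
    recs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            recs.append(dict(zip(("client", "url", "referer", "ctype"), parts)))
    return recs

def redirect_chain(url, referers, limit=10):
    """Follow Referer headers back from url to the page the user typed in."""
    chain = [url]
    while len(chain) < limit:
        ref = referers.get(chain[-1])
        if ref in (None, "-") or ref in chain:   # origin reached or loop
            break
        chain.append(ref)
    return list(reversed(chain))

def find_driveby_chains(text, min_hosts=3):
    """Flag PDF/SWF responses whose Referer chain spans min_hosts distinct hosts."""
    recs = parse_log(text)
    referers = {r["url"]: r["referer"] for r in recs}
    hits = []
    for r in recs:
        if r["ctype"] not in EXPLOIT_TYPES:
            continue
        hosts = []
        for u in redirect_chain(r["url"], referers):
            h = urlparse(u).hostname or ""
            if h not in hosts:
                hosts.append(h)
        if len(hosts) >= min_hosts:   # a PDF served by the site itself never trips this
            hits.append({"client": r["client"], "payload": r["url"], "hosts": hosts})
    return hits
```

On the sample above the two downloads from the .ru hosts are reported with the full four-host chain behind them, while the intranet PDF is ignored.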

Slide 15: Obfuscation
- Engaged SANS ISC Malware Team
  - Heavily obfuscated JavaScript
  - Used techniques not seen before

Slide 16: Complex Design...

Slide 17: Tools Used
- Tamper Data, Live HTTP Headers (Firefox)
- Burp Suite
- Tcpdump, Wireshark & Netwitness
- Dig/nslookup

Slide 18: Incident Handling - Containment
Image source: http://www.tazworld.co.uk/gallery/pictures/www.tazworld.co.uk_taz_035.gif © Warner Bros. Entertainment Inc.

Slide 19: Incident Handling - Eradication
Image source: http://www.alexross.com/CJ011.jpg © Warner Bros. Entertainment Inc.

Slide 20: Incident Handling - Recovery
Image: Dilbert © 2009, United Feature Syndicate, Inc.

Slide 21: Incident Handling - Lessons Learned
- Patch web-server & application
  - Input validation
- Close unnecessary open ports (e.g. FTP)
- Password policy
- Regular back-ups
- Web-app security testing

Slide 22: Securing the Desktop
- End-user defence
- Rescue CDs
  - Google -> "rescue site:raymond.cc"
- Free tools
  - http://zeltser.com/fighting-malicious-software/

Slide 23: Next Steps & Extra Info
- SANS GCIH Gold Paper
  - Scareware & its evolution
  - Incident handling process
- Full incident report
  - http://www.iriss.ie - in shared documents
  - http://www.hillick.net/things/scareware.doc

Slide 24: References
- Sunbelt Blog
- Dancho Danchev Blog
- SANS ISC (thanks to @bojanz)
- VRT-Sourcefire Blog
- Symantec White Papers
- SANS Forensics Blog

Slide 25: That's it.....
Hat tip for image - Jesse M. Heines - http://teaching.cs.uml.edu/~heines/images/questions.gif