SlideShare a Scribd company logo

Irish Scareware Exploit Detection

Brian Honan
Brian Honan

The document discusses scareware and an incident involving scareware originating from Ireland. Scareware tricks users into believing their computer is infected in order to get them to purchase fake anti-virus software. The incident involved websites hosting scareware that would redirect users through a chain of other compromised sites before serving scareware files. Security professionals used various forensic tools to analyze the scareware and handle the incident by containing the infection, eradicating it from affected systems, and helping users recover while also learning lessons to prevent future incidents.

TechnologyBusiness
1 of 25
Download to read offline
Scareware From Ireland Mark Hillick IrissCert I id t H dl I i C t Incident Handler http://www.iriss.ie mark.hillick@iriss.ie Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 1
What is Scareware? Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 2
Irish Scareware Exploit Browse to Irish website & collect your fake anti- virus Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 3
Dialog box fun Dialog-box fun….. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 4
Dialog box Dialog-box fun cont cont….. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 5
System Scan Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 6
Trojan Log file Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 7
Money, Money please! Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 8
Are you sure? Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 9
Are you mad???? Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 10
BSOD Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 11
Effect on the end-user end user…. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 12
Exploit  Exploited Sites hosted on one server  Microsoft FTPd & IIS 6.0 60 Two most popular web site attacks –  Gumblar PHP Sites  Asprox SQL Injection Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 13
Pass the Parcel http://compromisedsite.ie  http://jobstopfil.biz http://poppka.net  htt // j tli http://sujetline.ru  http://grownclubfest.ru ttp //g o c ub est u  PDF & SWF files served back Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 14
Obfuscation Engaged SANS ISC Malware Team  Heavily obfuscated javascript  Used techniques not seen before Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 15
Complex Design…. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 16
Tools Used Tamper Data, Live HTTP Headers – Firefox Burp Suite Tcpdump, Tcpdump Wireshark & Netwitness Dig/nslookup Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 17
Incident Handling - Containment Source: http://www.tazworld.co.uk/gallery/pictures/www.tazworld.co.uk_taz_035.gif p // /g y/p / g © Warner Bros. Entertainment Inc. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 18
Incident Handling - Eradication Source -> http://www.alexross.com/CJ011.jpg © Warner Bros. Entertainment Inc Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 19
Incident Handling - Recovery Dilbert ©2009, United Feature Syndicate, Inc. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 20
Incident Handling - Lessons Learned Patch web-server & application  Input validation p Close unnecessary open ports (e g FTP) (e.g. Password Policy Regular back-ups Web-app security testing Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 21
Securing the Desktop End-User Defence Rescue CDs  Google -> “rescue site:raymond cc” > rescue site:raymond.cc Free Tools  http://zeltser.com/fighting-malicious-software/ Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 22
Next Steps & Extra Info Sans GCIH Gold Paper  Scareware & its evolution  Incident Handling Process  Full Incident Report  http://www.iriss.ie – in shared documents  http://www.hillick.net/things/scareware.doc http://www hillick net/things/scareware doc Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 23
References  Sunbelt Blog  Dancho Danchev Blog  SANS ISC (Thanks to @bojanz)  VRT-Sourcefire Blog  Symantec White Papers  Sans Forensics Blog Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 24
That s it..... That's it Hat Tip for image - Jesse M. Heines - http://teaching.cs.uml.edu/~heines/images/questions.gif Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 25

Recommended

Scareware - Irisscon 2009
Scareware - Irisscon 2009Scareware - Irisscon 2009
Scareware - Irisscon 2009Mark Hillick
 
Extreme Hacking: Encrypted Networks SWAT style - Wayne Burke
Extreme Hacking: Encrypted Networks SWAT style - Wayne BurkeExtreme Hacking: Encrypted Networks SWAT style - Wayne Burke
Extreme Hacking: Encrypted Networks SWAT style - Wayne BurkeEC-Council
 
Malta InSafe 2013 links
Malta InSafe 2013 linksMalta InSafe 2013 links
Malta InSafe 2013 linksLouise Jones
 
Info secvoip
Info secvoipInfo secvoip
Info secvoipQuobis
 
Nsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC ConferenceNsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC ConferenceNSC42 Ltd
 
DefCamp 2013 - Are we there yet?
DefCamp 2013 - Are we there yet?DefCamp 2013 - Are we there yet?
DefCamp 2013 - Are we there yet?DefCamp
 
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threatBasic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threatVladyslav Radetsky
 
Cisco canada education @ CAIS IT leadership conference 2014
Cisco canada education @ CAIS IT leadership conference 2014 Cisco canada education @ CAIS IT leadership conference 2014
Cisco canada education @ CAIS IT leadership conference 2014 Marc Lijour, OCT, BSc, MBA
 

Recommended

Scareware - Irisscon 2009
Scareware - Irisscon 2009Scareware - Irisscon 2009
Scareware - Irisscon 2009Mark Hillick
 
Extreme Hacking: Encrypted Networks SWAT style - Wayne Burke
Extreme Hacking: Encrypted Networks SWAT style - Wayne BurkeExtreme Hacking: Encrypted Networks SWAT style - Wayne Burke
Extreme Hacking: Encrypted Networks SWAT style - Wayne BurkeEC-Council
 
Malta InSafe 2013 links
Malta InSafe 2013 linksMalta InSafe 2013 links
Malta InSafe 2013 linksLouise Jones
 
Info secvoip
Info secvoipInfo secvoip
Info secvoipQuobis
 
Nsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC ConferenceNsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC ConferenceNSC42 Ltd
 
DefCamp 2013 - Are we there yet?
DefCamp 2013 - Are we there yet?DefCamp 2013 - Are we there yet?
DefCamp 2013 - Are we there yet?DefCamp
 
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threatBasic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threatVladyslav Radetsky
 
Cisco canada education @ CAIS IT leadership conference 2014
Cisco canada education @ CAIS IT leadership conference 2014 Cisco canada education @ CAIS IT leadership conference 2014
Cisco canada education @ CAIS IT leadership conference 2014 Marc Lijour, OCT, BSc, MBA
 
Knowing Me Knowing You
Knowing Me Knowing YouKnowing Me Knowing You
Knowing Me Knowing YouBrian Honan
 
Best practises for log management
Best practises for log managementBest practises for log management
Best practises for log managementBrian Honan
 
Juliana New York
Juliana New YorkJuliana New York
Juliana New Yorkguest3c3576
 
KMUTNB - Internet Programming 5/7
KMUTNB - Internet Programming 5/7KMUTNB - Internet Programming 5/7
KMUTNB - Internet Programming 5/7phuphax
 
Recipes From Italy
Recipes From ItalyRecipes From Italy
Recipes From ItalyTiina Sarisalmi
 
Idea
IdeaIdea
Ideaguest4570edb
 
Cineas Corso Taylor Made Per Zurich 27 Aprile 2010 Mattina
Cineas Corso Taylor Made Per Zurich 27 Aprile 2010 MattinaCineas Corso Taylor Made Per Zurich 27 Aprile 2010 Mattina
Cineas Corso Taylor Made Per Zurich 27 Aprile 2010 MattinaMarco Contini
 
How to add a canvas to your image
How to add a canvas to your imageHow to add a canvas to your image
How to add a canvas to your imageSirron Carrector
 
Aubergine Parmigiana - Recipe
Aubergine Parmigiana - RecipeAubergine Parmigiana - Recipe
Aubergine Parmigiana - RecipeTiina Sarisalmi
 
Denver Green Car Presentation
Denver Green Car PresentationDenver Green Car Presentation
Denver Green Car Presentationbanovsky
 
Orivesi - Down the Mainstreet
Orivesi - Down the MainstreetOrivesi - Down the Mainstreet
Orivesi - Down the MainstreetTiina Sarisalmi
 
Ic Sconf2010presentation Dp Bh
Ic Sconf2010presentation Dp BhIc Sconf2010presentation Dp Bh
Ic Sconf2010presentation Dp BhBrian Honan
 
eTwinning Professional Development 2011
eTwinning Professional Development 2011eTwinning Professional Development 2011
eTwinning Professional Development 2011Tiina Sarisalmi
 
Learning from History
Learning from HistoryLearning from History
Learning from HistoryBrian Honan
 
Virtaa Voimaa Vauhtia
Virtaa Voimaa VauhtiaVirtaa Voimaa Vauhtia
Virtaa Voimaa VauhtiaTiina Sarisalmi
 
Kansainvälisyysstrategia 2.0 ja OPS-2016
Kansainvälisyysstrategia 2.0 ja OPS-2016Kansainvälisyysstrategia 2.0 ja OPS-2016
Kansainvälisyysstrategia 2.0 ja OPS-2016Tiina Sarisalmi
 
Video Game Console
Video Game ConsoleVideo Game Console
Video Game Consolejudah43
 
Will Rogers IAAP May Mtg Invitation
Will Rogers IAAP May Mtg InvitationWill Rogers IAAP May Mtg Invitation
Will Rogers IAAP May Mtg Invitationcbradley
 
NCrafts.IO 2015 - Future of User eXperiences
NCrafts.IO 2015 - Future of User eXperiencesNCrafts.IO 2015 - Future of User eXperiences
NCrafts.IO 2015 - Future of User eXperiencesVincent Guigui
 
Hazcrowd for Crowdsourcing
Hazcrowd for CrowdsourcingHazcrowd for Crowdsourcing
Hazcrowd for CrowdsourcingTristan Cooke
 
Lec21 security
Lec21 securityLec21 security
Lec21 securityimran6994
 
Linux Foundation Live Webinar: Applying Governance to CI/CD
Linux Foundation Live Webinar: Applying Governance to CI/CDLinux Foundation Live Webinar: Applying Governance to CI/CD
Linux Foundation Live Webinar: Applying Governance to CI/CDTiffany Jachja
 

More Related Content

Viewers also liked

Knowing Me Knowing You
Knowing Me Knowing YouKnowing Me Knowing You
Knowing Me Knowing YouBrian Honan
 
Best practises for log management
Best practises for log managementBest practises for log management
Best practises for log managementBrian Honan
 
Juliana New York
Juliana New YorkJuliana New York
Juliana New Yorkguest3c3576
 
KMUTNB - Internet Programming 5/7
KMUTNB - Internet Programming 5/7KMUTNB - Internet Programming 5/7
KMUTNB - Internet Programming 5/7phuphax
 
Cineas Corso Taylor Made Per Zurich 27 Aprile 2010 Mattina
Cineas Corso Taylor Made Per Zurich 27 Aprile 2010 MattinaCineas Corso Taylor Made Per Zurich 27 Aprile 2010 Mattina
Cineas Corso Taylor Made Per Zurich 27 Aprile 2010 MattinaMarco Contini
 
How to add a canvas to your image
How to add a canvas to your imageHow to add a canvas to your image
How to add a canvas to your imageSirron Carrector
 
Aubergine Parmigiana - Recipe
Aubergine Parmigiana - RecipeAubergine Parmigiana - Recipe
Aubergine Parmigiana - RecipeTiina Sarisalmi
 
Denver Green Car Presentation
Denver Green Car PresentationDenver Green Car Presentation
Denver Green Car Presentationbanovsky
 
Orivesi - Down the Mainstreet
Orivesi - Down the MainstreetOrivesi - Down the Mainstreet
Orivesi - Down the MainstreetTiina Sarisalmi
 
Ic Sconf2010presentation Dp Bh
Ic Sconf2010presentation Dp BhIc Sconf2010presentation Dp Bh
Ic Sconf2010presentation Dp BhBrian Honan
 
eTwinning Professional Development 2011
eTwinning Professional Development 2011eTwinning Professional Development 2011
eTwinning Professional Development 2011Tiina Sarisalmi
 
Learning from History
Learning from HistoryLearning from History
Learning from HistoryBrian Honan
 
Kansainvälisyysstrategia 2.0 ja OPS-2016
Kansainvälisyysstrategia 2.0 ja OPS-2016Kansainvälisyysstrategia 2.0 ja OPS-2016
Kansainvälisyysstrategia 2.0 ja OPS-2016Tiina Sarisalmi
 
Video Game Console
Video Game ConsoleVideo Game Console
Video Game Consolejudah43
 
Will Rogers IAAP May Mtg Invitation
Will Rogers IAAP May Mtg InvitationWill Rogers IAAP May Mtg Invitation
Will Rogers IAAP May Mtg Invitationcbradley
 
NCrafts.IO 2015 - Future of User eXperiences
NCrafts.IO 2015 - Future of User eXperiencesNCrafts.IO 2015 - Future of User eXperiences
NCrafts.IO 2015 - Future of User eXperiencesVincent Guigui
 
Hazcrowd for Crowdsourcing
Hazcrowd for CrowdsourcingHazcrowd for Crowdsourcing
Hazcrowd for CrowdsourcingTristan Cooke
 

Viewers also liked (20)

Knowing Me Knowing You
Knowing Me Knowing YouKnowing Me Knowing You
Knowing Me Knowing You
 
Best practises for log management
Best practises for log managementBest practises for log management
Best practises for log management
 
Juliana New York
Juliana New YorkJuliana New York
Juliana New York
 
KMUTNB - Internet Programming 5/7
KMUTNB - Internet Programming 5/7KMUTNB - Internet Programming 5/7
KMUTNB - Internet Programming 5/7
 
Recipes From Italy
Recipes From ItalyRecipes From Italy
Recipes From Italy
 
Idea
IdeaIdea
Idea
 
Cineas Corso Taylor Made Per Zurich 27 Aprile 2010 Mattina
Cineas Corso Taylor Made Per Zurich 27 Aprile 2010 MattinaCineas Corso Taylor Made Per Zurich 27 Aprile 2010 Mattina
Cineas Corso Taylor Made Per Zurich 27 Aprile 2010 Mattina
 
How to add a canvas to your image
How to add a canvas to your imageHow to add a canvas to your image
How to add a canvas to your image
 
Aubergine Parmigiana - Recipe
Aubergine Parmigiana - RecipeAubergine Parmigiana - Recipe
Aubergine Parmigiana - Recipe
 
Denver Green Car Presentation
Denver Green Car PresentationDenver Green Car Presentation
Denver Green Car Presentation
 
Orivesi - Down the Mainstreet
Orivesi - Down the MainstreetOrivesi - Down the Mainstreet
Orivesi - Down the Mainstreet
 
Ic Sconf2010presentation Dp Bh
Ic Sconf2010presentation Dp BhIc Sconf2010presentation Dp Bh
Ic Sconf2010presentation Dp Bh
 
eTwinning Professional Development 2011
eTwinning Professional Development 2011eTwinning Professional Development 2011
eTwinning Professional Development 2011
 
Learning from History
Learning from HistoryLearning from History
Learning from History
 
Virtaa Voimaa Vauhtia
Virtaa Voimaa VauhtiaVirtaa Voimaa Vauhtia
Virtaa Voimaa Vauhtia
 
Kansainvälisyysstrategia 2.0 ja OPS-2016
Kansainvälisyysstrategia 2.0 ja OPS-2016Kansainvälisyysstrategia 2.0 ja OPS-2016
Kansainvälisyysstrategia 2.0 ja OPS-2016
 
Video Game Console
Video Game ConsoleVideo Game Console
Video Game Console
 
Will Rogers IAAP May Mtg Invitation
Will Rogers IAAP May Mtg InvitationWill Rogers IAAP May Mtg Invitation
Will Rogers IAAP May Mtg Invitation
 
NCrafts.IO 2015 - Future of User eXperiences
NCrafts.IO 2015 - Future of User eXperiencesNCrafts.IO 2015 - Future of User eXperiences
NCrafts.IO 2015 - Future of User eXperiences
 
Hazcrowd for Crowdsourcing
Hazcrowd for CrowdsourcingHazcrowd for Crowdsourcing
Hazcrowd for Crowdsourcing
 

Similar to Irish Scareware Exploit Detection

Lec21 security
Lec21 securityLec21 security
Lec21 securityimran6994
 
Linux Foundation Live Webinar: Applying Governance to CI/CD
Linux Foundation Live Webinar: Applying Governance to CI/CDLinux Foundation Live Webinar: Applying Governance to CI/CD
Linux Foundation Live Webinar: Applying Governance to CI/CDTiffany Jachja
 
How to perform an Infrastructure Security Gap Analysis
How to perform an Infrastructure Security Gap AnalysisHow to perform an Infrastructure Security Gap Analysis
How to perform an Infrastructure Security Gap AnalysisCarlo Dapino
 
Internet security: a landscape of unintended consequences
Internet security: a landscape of unintended consequencesInternet security: a landscape of unintended consequences
Internet security: a landscape of unintended consequencesSarah Allen
 
Presentation cisco iron port product family
Presentation cisco iron port product familyPresentation cisco iron port product family
Presentation cisco iron port product familyxKinAnx
 
The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020NSC42 Ltd
 
During the Next Generation Network and Data Centre – Now and into the Future ...
During the Next Generation Network and Data Centre – Now and into the Future ...During the Next Generation Network and Data Centre – Now and into the Future ...
During the Next Generation Network and Data Centre – Now and into the Future ...Cisco Canada
 
Basic Internet Security (for Association of Bridal Consultants - Italy)
Basic Internet Security (for Association of Bridal Consultants - Italy)Basic Internet Security (for Association of Bridal Consultants - Italy)
Basic Internet Security (for Association of Bridal Consultants - Italy)Marco Marcellini
 
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor FiorimTI Safe
 
Docker app armor_usecase
Docker app armor_usecaseDocker app armor_usecase
Docker app armor_usecaseKazuki Omo
 
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec CiscoCisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec CiscoCisco Canada
 
Brksec 2048-demystifying aci-security
Brksec 2048-demystifying aci-securityBrksec 2048-demystifying aci-security
Brksec 2048-demystifying aci-securityCisco
 
20181116.smart can cable_v2
20181116.smart can cable_v220181116.smart can cable_v2
20181116.smart can cable_v2Mocke Tech
 
lec21-security.ppt
lec21-security.pptlec21-security.ppt
lec21-security.pptarrenfill
 
my lecture 21.network security.2023.ppt
my lecture 21.network security.2023.pptmy lecture 21.network security.2023.ppt
my lecture 21.network security.2023.ppthalosidiq1
 
lec21-security.ppt
lec21-security.pptlec21-security.ppt
lec21-security.ppttahaniali27
 
lec21-security.ppt
lec21-security.pptlec21-security.ppt
lec21-security.pptramana899986
 

Similar to Irish Scareware Exploit Detection (20)

Lec21 security
Lec21 securityLec21 security
Lec21 security
 
Linux Foundation Live Webinar: Applying Governance to CI/CD
Linux Foundation Live Webinar: Applying Governance to CI/CDLinux Foundation Live Webinar: Applying Governance to CI/CD
Linux Foundation Live Webinar: Applying Governance to CI/CD
 
How to perform an Infrastructure Security Gap Analysis
How to perform an Infrastructure Security Gap AnalysisHow to perform an Infrastructure Security Gap Analysis
How to perform an Infrastructure Security Gap Analysis
 
Internet security: a landscape of unintended consequences
Internet security: a landscape of unintended consequencesInternet security: a landscape of unintended consequences
Internet security: a landscape of unintended consequences
 
Presentation cisco iron port product family
Presentation cisco iron port product familyPresentation cisco iron port product family
Presentation cisco iron port product family
 
The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020
 
During the Next Generation Network and Data Centre – Now and into the Future ...
During the Next Generation Network and Data Centre – Now and into the Future ...During the Next Generation Network and Data Centre – Now and into the Future ...
During the Next Generation Network and Data Centre – Now and into the Future ...
 
Basic Internet Security (for Association of Bridal Consultants - Italy)
Basic Internet Security (for Association of Bridal Consultants - Italy)Basic Internet Security (for Association of Bridal Consultants - Italy)
Basic Internet Security (for Association of Bridal Consultants - Italy)
 
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
 
Docker app armor_usecase
Docker app armor_usecaseDocker app armor_usecase
Docker app armor_usecase
 
Drones in real time communication - AVAYA
Drones in real time communication - AVAYADrones in real time communication - AVAYA
Drones in real time communication - AVAYA
 
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec CiscoCisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
 
Brksec 2048-demystifying aci-security
Brksec 2048-demystifying aci-securityBrksec 2048-demystifying aci-security
Brksec 2048-demystifying aci-security
 
20181116.smart can cable_v2
20181116.smart can cable_v220181116.smart can cable_v2
20181116.smart can cable_v2
 
lec21-security.ppt
lec21-security.pptlec21-security.ppt
lec21-security.ppt
 
network.ppt
network.pptnetwork.ppt
network.ppt
 
my lecture 21.network security.2023.ppt
my lecture 21.network security.2023.pptmy lecture 21.network security.2023.ppt
my lecture 21.network security.2023.ppt
 
lec21-security.ppt
lec21-security.pptlec21-security.ppt
lec21-security.ppt
 
Network Security
Network SecurityNetwork Security
Network Security
 
lec21-security.ppt
lec21-security.pptlec21-security.ppt
lec21-security.ppt
 

More from Brian Honan

Brian honan ipexpo keynote
Brian honan ipexpo keynoteBrian honan ipexpo keynote
Brian honan ipexpo keynoteBrian Honan
 
GDPR & Brexit - What Does the Future Hold?
GDPR & Brexit - What Does the Future Hold?GDPR & Brexit - What Does the Future Hold?
GDPR & Brexit - What Does the Future Hold?Brian Honan
 
Ransomware Prevention Guide
Ransomware Prevention GuideRansomware Prevention Guide
Ransomware Prevention GuideBrian Honan
 
The dark side of the internet
The dark side of the internetThe dark side of the internet
The dark side of the internetBrian Honan
 
Data security brian honan
Data security brian honanData security brian honan
Data security brian honanBrian Honan
 
Presentation on EU Directives Impacting Cyber Security for Information Securi...
Presentation on EU Directives Impacting Cyber Security for Information Securi...Presentation on EU Directives Impacting Cyber Security for Information Securi...
Presentation on EU Directives Impacting Cyber Security for Information Securi...Brian Honan
 
Incident Response in the Cloud
Incident Response in the CloudIncident Response in the Cloud
Incident Response in the CloudBrian Honan
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network SecurityBrian Honan
 
Bridging the air gap
Bridging the air gapBridging the air gap
Bridging the air gapBrian Honan
 
Proactive incident response
Proactive incident responseProactive incident response
Proactive incident responseBrian Honan
 
Incident response cloud
Incident response cloudIncident response cloud
Incident response cloudBrian Honan
 
Preparing for Failure - Best Practise for Incident Response
Preparing for Failure - Best Practise for Incident ResponsePreparing for Failure - Best Practise for Incident Response
Preparing for Failure - Best Practise for Incident ResponseBrian Honan
 
Layer 8 Security - Securing the Nut Between the Keyboard & Screen
Layer 8 Security - Securing the Nut Between the Keyboard & ScreenLayer 8 Security - Securing the Nut Between the Keyboard & Screen
Layer 8 Security - Securing the Nut Between the Keyboard & ScreenBrian Honan
 
Creating a CERT at WARP Speed
Creating a CERT at WARP SpeedCreating a CERT at WARP Speed
Creating a CERT at WARP SpeedBrian Honan
 
The Case for Mandatory Data Breach Disclosure Laws
The Case for Mandatory Data Breach Disclosure LawsThe Case for Mandatory Data Breach Disclosure Laws
The Case for Mandatory Data Breach Disclosure LawsBrian Honan
 
Hot Topics For 2010
Hot Topics For 2010Hot Topics For 2010
Hot Topics For 2010Brian Honan
 

More from Brian Honan (18)

Brian honan ipexpo keynote
Brian honan ipexpo keynoteBrian honan ipexpo keynote
Brian honan ipexpo keynote
 
GDPR & Brexit - What Does the Future Hold?
GDPR & Brexit - What Does the Future Hold?GDPR & Brexit - What Does the Future Hold?
GDPR & Brexit - What Does the Future Hold?
 
Ransomware Prevention Guide
Ransomware Prevention GuideRansomware Prevention Guide
Ransomware Prevention Guide
 
Brian honan
Brian honanBrian honan
Brian honan
 
The dark side of the internet
The dark side of the internetThe dark side of the internet
The dark side of the internet
 
Data security brian honan
Data security brian honanData security brian honan
Data security brian honan
 
Presentation on EU Directives Impacting Cyber Security for Information Securi...
Presentation on EU Directives Impacting Cyber Security for Information Securi...Presentation on EU Directives Impacting Cyber Security for Information Securi...
Presentation on EU Directives Impacting Cyber Security for Information Securi...
 
Incident Response in the Cloud
Incident Response in the CloudIncident Response in the Cloud
Incident Response in the Cloud
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network Security
 
Bridging the air gap
Bridging the air gapBridging the air gap
Bridging the air gap
 
Proactive incident response
Proactive incident responseProactive incident response
Proactive incident response
 
Incident response cloud
Incident response cloudIncident response cloud
Incident response cloud
 
Preparing for Failure - Best Practise for Incident Response
Preparing for Failure - Best Practise for Incident ResponsePreparing for Failure - Best Practise for Incident Response
Preparing for Failure - Best Practise for Incident Response
 
Cloud security
Cloud securityCloud security
Cloud security
 
Layer 8 Security - Securing the Nut Between the Keyboard & Screen
Layer 8 Security - Securing the Nut Between the Keyboard & ScreenLayer 8 Security - Securing the Nut Between the Keyboard & Screen
Layer 8 Security - Securing the Nut Between the Keyboard & Screen
 
Creating a CERT at WARP Speed
Creating a CERT at WARP SpeedCreating a CERT at WARP Speed
Creating a CERT at WARP Speed
 
The Case for Mandatory Data Breach Disclosure Laws
The Case for Mandatory Data Breach Disclosure LawsThe Case for Mandatory Data Breach Disclosure Laws
The Case for Mandatory Data Breach Disclosure Laws
 
Hot Topics For 2010
Hot Topics For 2010Hot Topics For 2010
Hot Topics For 2010
 

Recently uploaded

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 

Recently uploaded (20)

A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 

Irish Scareware Exploit Detection

  • 1. Scareware From Ireland Mark Hillick IrissCert I id t H dl I i C t Incident Handler http://www.iriss.ie mark.hillick@iriss.ie Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 1
  • 2. What is Scareware? Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 2
  • 3. Irish Scareware Exploit Browse to Irish website & collect your fake anti- virus Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 3
  • 4. Dialog box fun Dialog-box fun….. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 4
  • 5. Dialog box Dialog-box fun cont cont….. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 5
  • 6. System Scan Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 6
  • 7. Trojan Log file Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 7
  • 8. Money, Money please! Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 8
  • 9. Are you sure? Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 9
  • 10. Are you mad???? Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 10
  • 11. BSOD Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 11
  • 12. Effect on the end-user end user…. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 12
  • 13. Exploit  Exploited Sites hosted on one server  Microsoft FTPd & IIS 6.0 60 Two most popular web site attacks –  Gumblar PHP Sites  Asprox SQL Injection Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 13
  • 14. Pass the Parcel http://compromisedsite.ie  http://jobstopfil.biz http://poppka.net  htt // j tli http://sujetline.ru  http://grownclubfest.ru ttp //g o c ub est u  PDF & SWF files served back Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 14
  • 15. Obfuscation Engaged SANS ISC Malware Team  Heavily obfuscated javascript  Used techniques not seen before Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 15
  • 16. Complex Design…. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 16
  • 17. Tools Used Tamper Data, Live HTTP Headers – Firefox Burp Suite Tcpdump, Tcpdump Wireshark & Netwitness Dig/nslookup Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 17
  • 18. Incident Handling - Containment Source: http://www.tazworld.co.uk/gallery/pictures/www.tazworld.co.uk_taz_035.gif p // /g y/p / g © Warner Bros. Entertainment Inc. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 18
  • 19. Incident Handling - Eradication Source -> http://www.alexross.com/CJ011.jpg © Warner Bros. Entertainment Inc Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 19
  • 20. Incident Handling - Recovery Dilbert ©2009, United Feature Syndicate, Inc. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 20
  • 21. Incident Handling - Lessons Learned Patch web-server & application  Input validation p Close unnecessary open ports (e g FTP) (e.g. Password Policy Regular back-ups Web-app security testing Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 21
  • 22. Securing the Desktop End-User Defence Rescue CDs  Google -> “rescue site:raymond cc” > rescue site:raymond.cc Free Tools  http://zeltser.com/fighting-malicious-software/ Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 22
  • 23. Next Steps & Extra Info Sans GCIH Gold Paper  Scareware & its evolution  Incident Handling Process  Full Incident Report  http://www.iriss.ie – in shared documents  http://www.hillick.net/things/scareware.doc http://www hillick net/things/scareware doc Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 23
  • 24. References  Sunbelt Blog  Dancho Danchev Blog  SANS ISC (Thanks to @bojanz)  VRT-Sourcefire Blog  Symantec White Papers  Sans Forensics Blog Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 24
  • 25. That s it..... That's it Hat Tip for image - Jesse M. Heines - http://teaching.cs.uml.edu/~heines/images/questions.gif Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 25