SlideShare a Scribd company logo

Irish Scareware Exploit Detection

Brian Honan
Brian Honan

The document discusses scareware and an incident involving scareware originating from Ireland. Scareware tricks users into believing their computer is infected in order to get them to purchase fake anti-virus software. The incident involved websites hosting scareware that would redirect users through a chain of other compromised sites before serving scareware files. Security professionals used various forensic tools to analyze the scareware and handle the incident by containing the infection, eradicating it from affected systems, and helping users recover while also learning lessons to prevent future incidents.

TechnologyBusiness
1 of 25
Download to read offline
Scareware From Ireland Mark Hillick IrissCert I id t H dl I i C t Incident Handler http://www.iriss.ie mark.hillick@iriss.ie Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 1
What is Scareware? Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 2
Irish Scareware Exploit Browse to Irish website & collect your fake anti- virus Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 3
Dialog box fun Dialog-box fun….. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 4
Dialog box Dialog-box fun cont cont….. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 5
System Scan Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 6
Trojan Log file Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 7
Money, Money please! Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 8
Are you sure? Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 9
Are you mad???? Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 10
BSOD Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 11
Effect on the end-user end user…. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 12
Exploit  Exploited Sites hosted on one server  Microsoft FTPd & IIS 6.0 60 Two most popular web site attacks –  Gumblar PHP Sites  Asprox SQL Injection Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 13
Pass the Parcel http://compromisedsite.ie  http://jobstopfil.biz http://poppka.net  htt // j tli http://sujetline.ru  http://grownclubfest.ru ttp //g o c ub est u  PDF & SWF files served back Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 14
Obfuscation Engaged SANS ISC Malware Team  Heavily obfuscated javascript  Used techniques not seen before Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 15
Complex Design…. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 16
Tools Used Tamper Data, Live HTTP Headers – Firefox Burp Suite Tcpdump, Tcpdump Wireshark & Netwitness Dig/nslookup Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 17
Incident Handling - Containment Source: http://www.tazworld.co.uk/gallery/pictures/www.tazworld.co.uk_taz_035.gif p // /g y/p / g © Warner Bros. Entertainment Inc. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 18
Incident Handling - Eradication Source -> http://www.alexross.com/CJ011.jpg © Warner Bros. Entertainment Inc Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 19
Incident Handling - Recovery Dilbert ©2009, United Feature Syndicate, Inc. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 20
Incident Handling - Lessons Learned Patch web-server & application  Input validation p Close unnecessary open ports (e g FTP) (e.g. Password Policy Regular back-ups Web-app security testing Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 21
Securing the Desktop End-User Defence Rescue CDs  Google -> “rescue site:raymond cc” > rescue site:raymond.cc Free Tools  http://zeltser.com/fighting-malicious-software/ Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 22
Next Steps & Extra Info Sans GCIH Gold Paper  Scareware & its evolution  Incident Handling Process  Full Incident Report  http://www.iriss.ie – in shared documents  http://www.hillick.net/things/scareware.doc http://www hillick net/things/scareware doc Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 23
References  Sunbelt Blog  Dancho Danchev Blog  SANS ISC (Thanks to @bojanz)  VRT-Sourcefire Blog  Symantec White Papers  Sans Forensics Blog Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 24
That s it..... That's it Hat Tip for image - Jesse M. Heines - http://teaching.cs.uml.edu/~heines/images/questions.gif Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 25

Recommended

Scareware - Irisscon 2009
Scareware - Irisscon 2009Scareware - Irisscon 2009
Scareware - Irisscon 2009Mark Hillick
 
Extreme Hacking: Encrypted Networks SWAT style - Wayne Burke
Extreme Hacking: Encrypted Networks SWAT style - Wayne BurkeExtreme Hacking: Encrypted Networks SWAT style - Wayne Burke
Extreme Hacking: Encrypted Networks SWAT style - Wayne BurkeEC-Council
 
Malta InSafe 2013 links
Malta InSafe 2013 linksMalta InSafe 2013 links
Malta InSafe 2013 linksLouise Jones
 
Info secvoip
Info secvoipInfo secvoip
Info secvoipQuobis
 
Nsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC ConferenceNsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC ConferenceNSC42 Ltd
 
DefCamp 2013 - Are we there yet?
DefCamp 2013 - Are we there yet?DefCamp 2013 - Are we there yet?
DefCamp 2013 - Are we there yet?DefCamp
 
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threatBasic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threatVladyslav Radetsky
 
Cisco canada education @ CAIS IT leadership conference 2014
Cisco canada education @ CAIS IT leadership conference 2014 Cisco canada education @ CAIS IT leadership conference 2014
Cisco canada education @ CAIS IT leadership conference 2014 Marc Lijour, OCT, BSc, MBA
 

Recommended

Scareware - Irisscon 2009
Scareware - Irisscon 2009Scareware - Irisscon 2009
Scareware - Irisscon 2009Mark Hillick
 
Extreme Hacking: Encrypted Networks SWAT style - Wayne Burke
Extreme Hacking: Encrypted Networks SWAT style - Wayne BurkeExtreme Hacking: Encrypted Networks SWAT style - Wayne Burke
Extreme Hacking: Encrypted Networks SWAT style - Wayne BurkeEC-Council
 
Malta InSafe 2013 links
Malta InSafe 2013 linksMalta InSafe 2013 links
Malta InSafe 2013 linksLouise Jones
 
Info secvoip
Info secvoipInfo secvoip
Info secvoipQuobis
 
Nsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC ConferenceNsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC ConferenceNSC42 Ltd
 
DefCamp 2013 - Are we there yet?
DefCamp 2013 - Are we there yet?DefCamp 2013 - Are we there yet?
DefCamp 2013 - Are we there yet?DefCamp
 
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threatBasic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threat
Basic detection tests of McAfee ENS + MVISION Insights usage for SunBurst threatVladyslav Radetsky
 
Cisco canada education @ CAIS IT leadership conference 2014
Cisco canada education @ CAIS IT leadership conference 2014 Cisco canada education @ CAIS IT leadership conference 2014
Cisco canada education @ CAIS IT leadership conference 2014 Marc Lijour, OCT, BSc, MBA
 
Knowing Me Knowing You
Knowing Me Knowing YouKnowing Me Knowing You
Knowing Me Knowing YouBrian Honan
 
Best practises for log management
Best practises for log managementBest practises for log management
Best practises for log managementBrian Honan
 
Juliana New York
Juliana New YorkJuliana New York
Juliana New Yorkguest3c3576
 
KMUTNB - Internet Programming 5/7
KMUTNB - Internet Programming 5/7KMUTNB - Internet Programming 5/7
KMUTNB - Internet Programming 5/7phuphax
 
Recipes From Italy
Recipes From ItalyRecipes From Italy
Recipes From ItalyTiina Sarisalmi
 
Idea
IdeaIdea
Ideaguest4570edb
 
Cineas Corso Taylor Made Per Zurich 27 Aprile 2010 Mattina
Cineas Corso Taylor Made Per Zurich 27 Aprile 2010 MattinaCineas Corso Taylor Made Per Zurich 27 Aprile 2010 Mattina
Cineas Corso Taylor Made Per Zurich 27 Aprile 2010 MattinaMarco Contini
 
How to add a canvas to your image
How to add a canvas to your imageHow to add a canvas to your image
How to add a canvas to your imageSirron Carrector
 
Aubergine Parmigiana - Recipe
Aubergine Parmigiana - RecipeAubergine Parmigiana - Recipe
Aubergine Parmigiana - RecipeTiina Sarisalmi
 
Denver Green Car Presentation
Denver Green Car PresentationDenver Green Car Presentation
Denver Green Car Presentationbanovsky
 
Orivesi - Down the Mainstreet
Orivesi - Down the MainstreetOrivesi - Down the Mainstreet
Orivesi - Down the MainstreetTiina Sarisalmi
 
Ic Sconf2010presentation Dp Bh
Ic Sconf2010presentation Dp BhIc Sconf2010presentation Dp Bh
Ic Sconf2010presentation Dp BhBrian Honan
 
eTwinning Professional Development 2011
eTwinning Professional Development 2011eTwinning Professional Development 2011
eTwinning Professional Development 2011Tiina Sarisalmi
 
Learning from History
Learning from HistoryLearning from History
Learning from HistoryBrian Honan
 
Virtaa Voimaa Vauhtia
Virtaa Voimaa VauhtiaVirtaa Voimaa Vauhtia
Virtaa Voimaa VauhtiaTiina Sarisalmi
 
Kansainvälisyysstrategia 2.0 ja OPS-2016
Kansainvälisyysstrategia 2.0 ja OPS-2016Kansainvälisyysstrategia 2.0 ja OPS-2016
Kansainvälisyysstrategia 2.0 ja OPS-2016Tiina Sarisalmi
 
Video Game Console
Video Game ConsoleVideo Game Console
Video Game Consolejudah43
 
Will Rogers IAAP May Mtg Invitation
Will Rogers IAAP May Mtg InvitationWill Rogers IAAP May Mtg Invitation
Will Rogers IAAP May Mtg Invitationcbradley
 
NCrafts.IO 2015 - Future of User eXperiences
NCrafts.IO 2015 - Future of User eXperiencesNCrafts.IO 2015 - Future of User eXperiences
NCrafts.IO 2015 - Future of User eXperiencesVincent Guigui
 
Hazcrowd for Crowdsourcing
Hazcrowd for CrowdsourcingHazcrowd for Crowdsourcing
Hazcrowd for CrowdsourcingTristan Cooke
 
Lec21 security
Lec21 securityLec21 security
Lec21 securityimran6994
 
Linux Foundation Live Webinar: Applying Governance to CI/CD
Linux Foundation Live Webinar: Applying Governance to CI/CDLinux Foundation Live Webinar: Applying Governance to CI/CD
Linux Foundation Live Webinar: Applying Governance to CI/CDTiffany Jachja
 

More Related Content

Viewers also liked

Knowing Me Knowing You
Knowing Me Knowing YouKnowing Me Knowing You
Knowing Me Knowing YouBrian Honan
 
Best practises for log management
Best practises for log managementBest practises for log management
Best practises for log managementBrian Honan
 
Juliana New York
Juliana New YorkJuliana New York
Juliana New Yorkguest3c3576
 
KMUTNB - Internet Programming 5/7
KMUTNB - Internet Programming 5/7KMUTNB - Internet Programming 5/7
KMUTNB - Internet Programming 5/7phuphax
 
Cineas Corso Taylor Made Per Zurich 27 Aprile 2010 Mattina
Cineas Corso Taylor Made Per Zurich 27 Aprile 2010 MattinaCineas Corso Taylor Made Per Zurich 27 Aprile 2010 Mattina
Cineas Corso Taylor Made Per Zurich 27 Aprile 2010 MattinaMarco Contini
 
How to add a canvas to your image
How to add a canvas to your imageHow to add a canvas to your image
How to add a canvas to your imageSirron Carrector
 
Aubergine Parmigiana - Recipe
Aubergine Parmigiana - RecipeAubergine Parmigiana - Recipe
Aubergine Parmigiana - RecipeTiina Sarisalmi
 
Denver Green Car Presentation
Denver Green Car PresentationDenver Green Car Presentation
Denver Green Car Presentationbanovsky
 
Orivesi - Down the Mainstreet
Orivesi - Down the MainstreetOrivesi - Down the Mainstreet
Orivesi - Down the MainstreetTiina Sarisalmi
 
Ic Sconf2010presentation Dp Bh
Ic Sconf2010presentation Dp BhIc Sconf2010presentation Dp Bh
Ic Sconf2010presentation Dp BhBrian Honan
 
eTwinning Professional Development 2011
eTwinning Professional Development 2011eTwinning Professional Development 2011
eTwinning Professional Development 2011Tiina Sarisalmi
 
Learning from History
Learning from HistoryLearning from History
Learning from HistoryBrian Honan
 
Kansainvälisyysstrategia 2.0 ja OPS-2016
Kansainvälisyysstrategia 2.0 ja OPS-2016Kansainvälisyysstrategia 2.0 ja OPS-2016
Kansainvälisyysstrategia 2.0 ja OPS-2016Tiina Sarisalmi
 
Video Game Console
Video Game ConsoleVideo Game Console
Video Game Consolejudah43
 
Will Rogers IAAP May Mtg Invitation
Will Rogers IAAP May Mtg InvitationWill Rogers IAAP May Mtg Invitation
Will Rogers IAAP May Mtg Invitationcbradley
 
NCrafts.IO 2015 - Future of User eXperiences
NCrafts.IO 2015 - Future of User eXperiencesNCrafts.IO 2015 - Future of User eXperiences
NCrafts.IO 2015 - Future of User eXperiencesVincent Guigui
 
Hazcrowd for Crowdsourcing
Hazcrowd for CrowdsourcingHazcrowd for Crowdsourcing
Hazcrowd for CrowdsourcingTristan Cooke
 

Viewers also liked (20)

Knowing Me Knowing You
Knowing Me Knowing YouKnowing Me Knowing You
Knowing Me Knowing You
 
Best practises for log management
Best practises for log managementBest practises for log management
Best practises for log management
 
Juliana New York
Juliana New YorkJuliana New York
Juliana New York
 
KMUTNB - Internet Programming 5/7
KMUTNB - Internet Programming 5/7KMUTNB - Internet Programming 5/7
KMUTNB - Internet Programming 5/7
 
Recipes From Italy
Recipes From ItalyRecipes From Italy
Recipes From Italy
 
Idea
IdeaIdea
Idea
 
Cineas Corso Taylor Made Per Zurich 27 Aprile 2010 Mattina
Cineas Corso Taylor Made Per Zurich 27 Aprile 2010 MattinaCineas Corso Taylor Made Per Zurich 27 Aprile 2010 Mattina
Cineas Corso Taylor Made Per Zurich 27 Aprile 2010 Mattina
 
How to add a canvas to your image
How to add a canvas to your imageHow to add a canvas to your image
How to add a canvas to your image
 
Aubergine Parmigiana - Recipe
Aubergine Parmigiana - RecipeAubergine Parmigiana - Recipe
Aubergine Parmigiana - Recipe
 
Denver Green Car Presentation
Denver Green Car PresentationDenver Green Car Presentation
Denver Green Car Presentation
 
Orivesi - Down the Mainstreet
Orivesi - Down the MainstreetOrivesi - Down the Mainstreet
Orivesi - Down the Mainstreet
 
Ic Sconf2010presentation Dp Bh
Ic Sconf2010presentation Dp BhIc Sconf2010presentation Dp Bh
Ic Sconf2010presentation Dp Bh
 
eTwinning Professional Development 2011
eTwinning Professional Development 2011eTwinning Professional Development 2011
eTwinning Professional Development 2011
 
Learning from History
Learning from HistoryLearning from History
Learning from History
 
Virtaa Voimaa Vauhtia
Virtaa Voimaa VauhtiaVirtaa Voimaa Vauhtia
Virtaa Voimaa Vauhtia
 
Kansainvälisyysstrategia 2.0 ja OPS-2016
Kansainvälisyysstrategia 2.0 ja OPS-2016Kansainvälisyysstrategia 2.0 ja OPS-2016
Kansainvälisyysstrategia 2.0 ja OPS-2016
 
Video Game Console
Video Game ConsoleVideo Game Console
Video Game Console
 
Will Rogers IAAP May Mtg Invitation
Will Rogers IAAP May Mtg InvitationWill Rogers IAAP May Mtg Invitation
Will Rogers IAAP May Mtg Invitation
 
NCrafts.IO 2015 - Future of User eXperiences
NCrafts.IO 2015 - Future of User eXperiencesNCrafts.IO 2015 - Future of User eXperiences
NCrafts.IO 2015 - Future of User eXperiences
 
Hazcrowd for Crowdsourcing
Hazcrowd for CrowdsourcingHazcrowd for Crowdsourcing
Hazcrowd for Crowdsourcing
 

Similar to Irish Scareware Exploit Detection

Lec21 security
Lec21 securityLec21 security
Lec21 securityimran6994
 
Linux Foundation Live Webinar: Applying Governance to CI/CD
Linux Foundation Live Webinar: Applying Governance to CI/CDLinux Foundation Live Webinar: Applying Governance to CI/CD
Linux Foundation Live Webinar: Applying Governance to CI/CDTiffany Jachja
 
How to perform an Infrastructure Security Gap Analysis
How to perform an Infrastructure Security Gap AnalysisHow to perform an Infrastructure Security Gap Analysis
How to perform an Infrastructure Security Gap AnalysisCarlo Dapino
 
Internet security: a landscape of unintended consequences
Internet security: a landscape of unintended consequencesInternet security: a landscape of unintended consequences
Internet security: a landscape of unintended consequencesSarah Allen
 
Presentation cisco iron port product family
Presentation cisco iron port product familyPresentation cisco iron port product family
Presentation cisco iron port product familyxKinAnx
 
The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020NSC42 Ltd
 
During the Next Generation Network and Data Centre – Now and into the Future ...
During the Next Generation Network and Data Centre – Now and into the Future ...During the Next Generation Network and Data Centre – Now and into the Future ...
During the Next Generation Network and Data Centre – Now and into the Future ...Cisco Canada
 
Basic Internet Security (for Association of Bridal Consultants - Italy)
Basic Internet Security (for Association of Bridal Consultants - Italy)Basic Internet Security (for Association of Bridal Consultants - Italy)
Basic Internet Security (for Association of Bridal Consultants - Italy)Marco Marcellini
 
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor FiorimTI Safe
 
Docker app armor_usecase
Docker app armor_usecaseDocker app armor_usecase
Docker app armor_usecaseKazuki Omo
 
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec CiscoCisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec CiscoCisco Canada
 
Brksec 2048-demystifying aci-security
Brksec 2048-demystifying aci-securityBrksec 2048-demystifying aci-security
Brksec 2048-demystifying aci-securityCisco
 
20181116.smart can cable_v2
20181116.smart can cable_v220181116.smart can cable_v2
20181116.smart can cable_v2Mocke Tech
 
lec21-security.ppt
lec21-security.pptlec21-security.ppt
lec21-security.pptarrenfill
 
my lecture 21.network security.2023.ppt
my lecture 21.network security.2023.pptmy lecture 21.network security.2023.ppt
my lecture 21.network security.2023.ppthalosidiq1
 
lec21-security.ppt
lec21-security.pptlec21-security.ppt
lec21-security.ppttahaniali27
 
lec21-security.ppt
lec21-security.pptlec21-security.ppt
lec21-security.pptramana899986
 

Similar to Irish Scareware Exploit Detection (20)

Lec21 security
Lec21 securityLec21 security
Lec21 security
 
Linux Foundation Live Webinar: Applying Governance to CI/CD
Linux Foundation Live Webinar: Applying Governance to CI/CDLinux Foundation Live Webinar: Applying Governance to CI/CD
Linux Foundation Live Webinar: Applying Governance to CI/CD
 
How to perform an Infrastructure Security Gap Analysis
How to perform an Infrastructure Security Gap AnalysisHow to perform an Infrastructure Security Gap Analysis
How to perform an Infrastructure Security Gap Analysis
 
Internet security: a landscape of unintended consequences
Internet security: a landscape of unintended consequencesInternet security: a landscape of unintended consequences
Internet security: a landscape of unintended consequences
 
Presentation cisco iron port product family
Presentation cisco iron port product familyPresentation cisco iron port product family
Presentation cisco iron port product family
 
The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020The security phoenix - from the ashes of DEV-OPS Appsec California 2020
The security phoenix - from the ashes of DEV-OPS Appsec California 2020
 
During the Next Generation Network and Data Centre – Now and into the Future ...
During the Next Generation Network and Data Centre – Now and into the Future ...During the Next Generation Network and Data Centre – Now and into the Future ...
During the Next Generation Network and Data Centre – Now and into the Future ...
 
Basic Internet Security (for Association of Bridal Consultants - Italy)
Basic Internet Security (for Association of Bridal Consultants - Italy)Basic Internet Security (for Association of Bridal Consultants - Italy)
Basic Internet Security (for Association of Bridal Consultants - Italy)
 
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim[CLASS2014] Palestra Técnica - Franzvitor Fiorim
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
 
Docker app armor_usecase
Docker app armor_usecaseDocker app armor_usecase
Docker app armor_usecase
 
Drones in real time communication - AVAYA
Drones in real time communication - AVAYADrones in real time communication - AVAYA
Drones in real time communication - AVAYA
 
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec CiscoCisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
 
Brksec 2048-demystifying aci-security
Brksec 2048-demystifying aci-securityBrksec 2048-demystifying aci-security
Brksec 2048-demystifying aci-security
 
20181116.smart can cable_v2
20181116.smart can cable_v220181116.smart can cable_v2
20181116.smart can cable_v2
 
lec21-security.ppt
lec21-security.pptlec21-security.ppt
lec21-security.ppt
 
network.ppt
network.pptnetwork.ppt
network.ppt
 
my lecture 21.network security.2023.ppt
my lecture 21.network security.2023.pptmy lecture 21.network security.2023.ppt
my lecture 21.network security.2023.ppt
 
lec21-security.ppt
lec21-security.pptlec21-security.ppt
lec21-security.ppt
 
Network Security
Network SecurityNetwork Security
Network Security
 
lec21-security.ppt
lec21-security.pptlec21-security.ppt
lec21-security.ppt
 

More from Brian Honan

Brian honan ipexpo keynote
Brian honan ipexpo keynoteBrian honan ipexpo keynote
Brian honan ipexpo keynoteBrian Honan
 
GDPR & Brexit - What Does the Future Hold?
GDPR & Brexit - What Does the Future Hold?GDPR & Brexit - What Does the Future Hold?
GDPR & Brexit - What Does the Future Hold?Brian Honan
 
Ransomware Prevention Guide
Ransomware Prevention GuideRansomware Prevention Guide
Ransomware Prevention GuideBrian Honan
 
The dark side of the internet
The dark side of the internetThe dark side of the internet
The dark side of the internetBrian Honan
 
Data security brian honan
Data security brian honanData security brian honan
Data security brian honanBrian Honan
 
Presentation on EU Directives Impacting Cyber Security for Information Securi...
Presentation on EU Directives Impacting Cyber Security for Information Securi...Presentation on EU Directives Impacting Cyber Security for Information Securi...
Presentation on EU Directives Impacting Cyber Security for Information Securi...Brian Honan
 
Incident Response in the Cloud
Incident Response in the CloudIncident Response in the Cloud
Incident Response in the CloudBrian Honan
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network SecurityBrian Honan
 
Bridging the air gap
Bridging the air gapBridging the air gap
Bridging the air gapBrian Honan
 
Proactive incident response
Proactive incident responseProactive incident response
Proactive incident responseBrian Honan
 
Incident response cloud
Incident response cloudIncident response cloud
Incident response cloudBrian Honan
 
Preparing for Failure - Best Practise for Incident Response
Preparing for Failure - Best Practise for Incident ResponsePreparing for Failure - Best Practise for Incident Response
Preparing for Failure - Best Practise for Incident ResponseBrian Honan
 
Layer 8 Security - Securing the Nut Between the Keyboard & Screen
Layer 8 Security - Securing the Nut Between the Keyboard & ScreenLayer 8 Security - Securing the Nut Between the Keyboard & Screen
Layer 8 Security - Securing the Nut Between the Keyboard & ScreenBrian Honan
 
Creating a CERT at WARP Speed
Creating a CERT at WARP SpeedCreating a CERT at WARP Speed
Creating a CERT at WARP SpeedBrian Honan
 
The Case for Mandatory Data Breach Disclosure Laws
The Case for Mandatory Data Breach Disclosure LawsThe Case for Mandatory Data Breach Disclosure Laws
The Case for Mandatory Data Breach Disclosure LawsBrian Honan
 
Hot Topics For 2010
Hot Topics For 2010Hot Topics For 2010
Hot Topics For 2010Brian Honan
 

More from Brian Honan (18)

Brian honan ipexpo keynote
Brian honan ipexpo keynoteBrian honan ipexpo keynote
Brian honan ipexpo keynote
 
GDPR & Brexit - What Does the Future Hold?
GDPR & Brexit - What Does the Future Hold?GDPR & Brexit - What Does the Future Hold?
GDPR & Brexit - What Does the Future Hold?
 
Ransomware Prevention Guide
Ransomware Prevention GuideRansomware Prevention Guide
Ransomware Prevention Guide
 
Brian honan
Brian honanBrian honan
Brian honan
 
The dark side of the internet
The dark side of the internetThe dark side of the internet
The dark side of the internet
 
Data security brian honan
Data security brian honanData security brian honan
Data security brian honan
 
Presentation on EU Directives Impacting Cyber Security for Information Securi...
Presentation on EU Directives Impacting Cyber Security for Information Securi...Presentation on EU Directives Impacting Cyber Security for Information Securi...
Presentation on EU Directives Impacting Cyber Security for Information Securi...
 
Incident Response in the Cloud
Incident Response in the CloudIncident Response in the Cloud
Incident Response in the Cloud
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network Security
 
Bridging the air gap
Bridging the air gapBridging the air gap
Bridging the air gap
 
Proactive incident response
Proactive incident responseProactive incident response
Proactive incident response
 
Incident response cloud
Incident response cloudIncident response cloud
Incident response cloud
 
Preparing for Failure - Best Practise for Incident Response
Preparing for Failure - Best Practise for Incident ResponsePreparing for Failure - Best Practise for Incident Response
Preparing for Failure - Best Practise for Incident Response
 
Cloud security
Cloud securityCloud security
Cloud security
 
Layer 8 Security - Securing the Nut Between the Keyboard & Screen
Layer 8 Security - Securing the Nut Between the Keyboard & ScreenLayer 8 Security - Securing the Nut Between the Keyboard & Screen
Layer 8 Security - Securing the Nut Between the Keyboard & Screen
 
Creating a CERT at WARP Speed
Creating a CERT at WARP SpeedCreating a CERT at WARP Speed
Creating a CERT at WARP Speed
 
The Case for Mandatory Data Breach Disclosure Laws
The Case for Mandatory Data Breach Disclosure LawsThe Case for Mandatory Data Breach Disclosure Laws
The Case for Mandatory Data Breach Disclosure Laws
 
Hot Topics For 2010
Hot Topics For 2010Hot Topics For 2010
Hot Topics For 2010
 

Recently uploaded

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 

Recently uploaded (20)

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 

Irish Scareware Exploit Detection

  • 1. Scareware From Ireland Mark Hillick IrissCert I id t H dl I i C t Incident Handler http://www.iriss.ie mark.hillick@iriss.ie Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 1
  • 2. What is Scareware? Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 2
  • 3. Irish Scareware Exploit Browse to Irish website & collect your fake anti- virus Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 3
  • 4. Dialog box fun Dialog-box fun….. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 4
  • 5. Dialog box Dialog-box fun cont cont….. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 5
  • 6. System Scan Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 6
  • 7. Trojan Log file Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 7
  • 8. Money, Money please! Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 8
  • 9. Are you sure? Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 9
  • 10. Are you mad???? Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 10
  • 11. BSOD Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 11
  • 12. Effect on the end-user end user…. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 12
  • 13. Exploit  Exploited Sites hosted on one server  Microsoft FTPd & IIS 6.0 60 Two most popular web site attacks –  Gumblar PHP Sites  Asprox SQL Injection Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 13
  • 14. Pass the Parcel http://compromisedsite.ie  http://jobstopfil.biz http://poppka.net  htt // j tli http://sujetline.ru  http://grownclubfest.ru ttp //g o c ub est u  PDF & SWF files served back Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 14
  • 15. Obfuscation Engaged SANS ISC Malware Team  Heavily obfuscated javascript  Used techniques not seen before Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 15
  • 16. Complex Design…. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 16
  • 17. Tools Used Tamper Data, Live HTTP Headers – Firefox Burp Suite Tcpdump, Tcpdump Wireshark & Netwitness Dig/nslookup Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 17
  • 18. Incident Handling - Containment Source: http://www.tazworld.co.uk/gallery/pictures/www.tazworld.co.uk_taz_035.gif p // /g y/p / g © Warner Bros. Entertainment Inc. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 18
  • 19. Incident Handling - Eradication Source -> http://www.alexross.com/CJ011.jpg © Warner Bros. Entertainment Inc Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 19
  • 20. Incident Handling - Recovery Dilbert ©2009, United Feature Syndicate, Inc. Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 20
  • 21. Incident Handling - Lessons Learned Patch web-server & application  Input validation p Close unnecessary open ports (e g FTP) (e.g. Password Policy Regular back-ups Web-app security testing Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 21
  • 22. Securing the Desktop End-User Defence Rescue CDs  Google -> “rescue site:raymond cc” > rescue site:raymond.cc Free Tools  http://zeltser.com/fighting-malicious-software/ Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 22
  • 23. Next Steps & Extra Info Sans GCIH Gold Paper  Scareware & its evolution  Incident Handling Process  Full Incident Report  http://www.iriss.ie – in shared documents  http://www.hillick.net/things/scareware.doc http://www hillick net/things/scareware doc Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 23
  • 24. References  Sunbelt Blog  Dancho Danchev Blog  SANS ISC (Thanks to @bojanz)  VRT-Sourcefire Blog  Symantec White Papers  Sans Forensics Blog Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 24
  • 25. That s it..... That's it Hat Tip for image - Jesse M. Heines - http://teaching.cs.uml.edu/~heines/images/questions.gif Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS 25