
Scareware From Ireland
Mark Hillick, IrissCert Incident Handler
Twitter: "markofu" & "irisscert"
© 2009 IRISS

Presentation transcript:

1 Scareware From Ireland
Mark Hillick, IrissCert Incident Handler
http://www.iriss.ie
mark.hillick@iriss.ie

2 What is Scareware?

3 Irish Scareware Exploit
- Browse to an Irish website & collect your fake anti-virus

4 Dialog-box fun...

5 Dialog-box fun cont...

6 System Scan

7 Trojan Log file

8 Money, please!

9 Are you sure?

10 Are you mad????

11 BSOD

12 Effect on the end-user...

13 Exploit
- Exploited sites hosted on one server
- Microsoft FTPd & IIS 6.0
- Two most popular web site attacks:
  - Gumblar: PHP sites
  - Asprox: SQL Injection

14 Pass the Parcel
- http://compromisedsite.ie
- http://jobstopfil.biz
- http://poppka.net
- http://sujetline.ru
- http://grownclubfest.ru
- PDF & SWF files served back

15 Obfuscation
- Engaged SANS ISC Malware Team
- Heavily obfuscated JavaScript
- Used techniques not seen before

16 Complex Design...

17 Tools Used
- Tamper Data, Live HTTP Headers (Firefox)
- Burp Suite
- Tcpdump, Wireshark & Netwitness
- Dig/nslookup

18 Incident Handling - Containment
Image source: http://www.tazworld.co.uk/gallery/pictures/www.tazworld.co.uk_taz_035.gif © Warner Bros. Entertainment Inc.

19 Incident Handling - Eradication
Image source: http://www.alexross.com/CJ011.jpg © Warner Bros. Entertainment Inc.

20 Incident Handling - Recovery
Dilbert © 2009, United Feature Syndicate, Inc.

21 Incident Handling - Lessons Learned
- Patch web-server & application
- Input validation
- Close unnecessary open ports (e.g. FTP)
- Password policy
- Regular back-ups
- Web-app security testing
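The "Input validation" lesson above follows from the Asprox-style SQL injection named on the Exploit slide. The following Python example is added here and is not code from the presentation or from IRISS; it uses a constructed in-memory SQLite table (the names and rows are invented) to show, side by side, a lookup that concatenates user input into the SQL text, the same lookup with a bound parameter, and an allow-list check that can sit in front of either.

```python
import sqlite3

# Constructed sample data for the demo (not from the presentation).
# "private" rows stand in for content the application never intends to expose.
SAMPLE_ROWS = [
    ("Widget", "public"),
    ("Gadget", "public"),
    ("Internal tool", "private"),
]


def make_db():
    """Build a throw-away in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn, term):
    """Concatenates the caller's input into the statement.

    The input becomes part of the SQL grammar, so a quote in it changes
    the query's meaning instead of being treated as data.
    """
    sql = (
        "SELECT name FROM products WHERE visibility = 'public' "
        "AND name = '" + term + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Binds the input as a parameter.

    The statement text is fixed; the driver passes the value separately,
    so it can only ever be compared against the name column.
    """
    sql = "SELECT name FROM products WHERE visibility = 'public' AND name = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


def is_valid_search_term(term, max_len=40):
    """Allow-list validation: letters, digits, spaces and hyphens only.

    This is defence in depth, not a substitute for parameter binding; the
    hypothetical rule here reflects what a product name in this demo may
    legitimately contain.
    """
    if not 0 < len(term) <= max_len:
        return False
    return all(ch.isalnum() or ch in " -" for ch in term)


def demo():
    """Run both lookups with a benign term and with a quote-bearing term."""
    conn = make_db()
    results = {}
    for term in ("Widget", "x' OR '1'='1"):
        results[term] = {
            "valid": is_valid_search_term(term),
            "vulnerable": search_vulnerable(conn, term),
            "safe": search_safe(conn, term),
        }
    return results


if __name__ == "__main__":
    for term, outcome in demo().items():
        print(repr(term), outcome)
```

With the benign term both lookups return the same single row. With the quote-bearing term the concatenated query returns every row, the private one included, while the bound-parameter query returns nothing because no product is literally named that, and the allow-list check rejects the term before any query runs.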

22 Securing the Desktop
- End-user defence
- Rescue CDs
- Google -> "rescue site:raymond.cc"
- Free tools
- http://zeltser.com/fighting-malicious-software/

23 Next Steps & Extra Info
- SANS GCIH Gold Paper
  - Scareware & its evolution
  - Incident Handling Process
- Full Incident Report
  - http://www.iriss.ie (in shared documents)
  - http://www.hillick.net/things/scareware.doc

24 References
- Sunbelt Blog
- Dancho Danchev Blog
- SANS ISC (thanks to @bojanz)
- VRT-Sourcefire Blog
- Symantec White Papers
- SANS Forensics Blog

25 That's it.....
Hat tip for image: Jesse M. Heines - http://teaching.cs.uml.edu/~heines/images/questions.gif
