WatchGuard – HackFest

Have you ever bought a fake AV? I have!

Jean-Pier Talbot | Sales Engineer, Canada
WatchGuard Technologies, Inc. | www.watchguard.com
514-394-0893 Direct
855-394-0893 Toll-Free
Jean-Pier.Talbot@Watchguard.com
Get red. Get Secured.

What's Scareware

Also called Fake AV or Rogueware, scareware is a class of malware that pretends to be legitimate software, usually security-related software such as an AV, and tries to scare the victim into paying for a "registered" version of the software in order to fix a fictitious computing or security problem. Some scareware is otherwise benign, but other variants include backdoor or trojan components.

Scareware Stats

- The top 3 fake AV operations amassed $130 million in revenue last year.
- Between 2.1% and 2.4% success rate.
- One fake AV company installed 8.4 million "trial products" that yielded 189,342 sales of the purported "commercial" version within three months.
- Fake AV firms actually do refund some of their victims (between 3% and 8.5% of their sales).
- Payment processors are well aware of the fake AV business they are supporting. They charge 8 to 20 percent per transaction for their services to "high-risk merchants" that accrue a higher number of chargebacks.
- Fake AV operations rely heavily on affiliates, with commissions of 30 to 80 percent if they get the sale.
- An Indian call center handles technical support for them.

Source: darkreading.com, Jul 06, 2011

How to get infected and computer/network behaviors

How to get infected

Many ways:
- Google Images
- URL redirect
- Java / Flash exploit
- Facebook
- Social engineering

Java / Flash exploit

While trying to get infected by a fake AV, I often saw Flash or Java starting. You can read a good article about a recent Java exploit (Aimes-tu le Java?) on hackfest.ca, written by Philippe Godbout.

Apps Can Be Dangerous

- Social networks let almost anyone make apps
- Some apps are (or can become) malware
- Bad guys target popular apps
- Last year, Farm Town got hacked

Google Images + URL redirect + Social engineering

Video: fakeAV.swf

Demo infected machine

Behavior of the infected machine

Port 16471 UDP: New C&C Protocol for ZeroAccess/Sirefef, June 2012
http://www.kindsight.net/sites/default/files/Kindsight_Malware_AnalysisNew_CC_protocol_ZeroAccess-final2.pdf

More connections! Denied connection requests from outside that day.

Time to build a fake ID and buy this "product"

Time to build a fake ID!

Need fake info for:
- Phone number
- Name
- Credit card
- Email
- Address

Fake name, address, phone number and email

New name: Jeff Roberts
Address: 5100 boul Wilfrid-Hamel (Couche-Tard)
Ordered a new DID: 418-263-1979 (with caller ID, voicemail and call recording)
Used an existing domain on my Exchange server: firstname.lastname@example.org

Credit card

Time to buy!

Video: prepaid.swf

Transaction refused

Time to call Visa to find out why!

Audio: activate credit card.wav

Transaction refused, AGAIN!

Time to play around with support!

Time to find support!

- Support from the fake AV is blocked for non-registered users.
- Found the terms and conditions from the payment processor (Ebillingstars).

Email to credit card processors

First email

Got a call back from gooseberrytech.com. Seems like they refuse prepaid Visa cards… I need a real credit card with a fake name.

Went to my local bank and explained the situation. They refused to give me a credit card under a made-up name.

Went online and filled out a form with fake info; got denied too.

A MIRACLE!

Demo activation of the "software"

Trying to get support

Forgot about WHOIS!

The WHOIS record for my domain had my real name and personal phone number. Started getting calls 3-4 times a day and nobody was speaking…
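As an added illustration, not code from the talk or from WatchGuard, the following Python snippet parses the firewall log format shown on the deck's log slide and applies two checks a defender would run on it: the UDP 16471 peer fan-out that characterises the infected machine described above, and a collector of IPS signature ids from "IPS detected" denies. The sample log lines, peer addresses and the "Allowed" message text are constructed for the example.

```python
import re
from collections import defaultdict

# Added example, not code from the talk or from WatchGuard. Parses the
# firewall log format shown on the slides:
#   "<date> <time> <Allow|Deny> <src> <dst> <service>/<proto> <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<service>[^/\s]+)/(?P<proto>tcp|udp) (?P<msg>.*)$"
)
ZEROACCESS_UDP_PORT = "16471"  # ZeroAccess/Sirefef P2P C&C port named on the slides

def parse_line(line):
    """Return the fields as a dict, or None when the line is not in this format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def zeroaccess_peer_fanout(lines, min_peers=3):
    """Internal hosts that reached at least min_peers distinct peers on UDP/16471.
    One host fanning out to many peers on that port is the 'more connections!'
    pattern of an infected machine, whether the firewall allowed or denied them."""
    peers = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["proto"] == "udp" and ev["service"] == ZEROACCESS_UDP_PORT:
            peers[ev["src"]].add(ev["dst"])
    return {host: sorted(p) for host, p in peers.items() if len(p) >= min_peers}

def ips_signature_ids(lines):
    """signature_id values from 'IPS detected' events, for triage or blocking."""
    ids = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev["msg"].startswith("IPS detected"):
            sig = re.search(r'signature_id="(\d+)"', ev["msg"])
            if sig:
                ids.append(sig.group(1))
    return ids

# Constructed sample lines in the deck's format; peer addresses are documentation ranges.
SAMPLE = [
    '2011-11-05 01:31:27 Deny 192.168.201.2 203.0.113.10 http/tcp IPS detected '
    'signature_name="VULN Cross-Site Scripting -7" signature_cat="Web Attack" '
    'signature_id="1120847" severity="5"',
    '2011-11-05 02:10:01 Allow 192.168.201.7 198.51.100.4 16471/udp Allowed',
    '2011-11-05 02:10:02 Allow 192.168.201.7 198.51.100.9 16471/udp Allowed',
    '2011-11-05 02:10:03 Allow 192.168.201.7 198.51.100.23 16471/udp Allowed',
    '2011-11-05 02:10:04 Deny 192.168.201.7 198.51.100.77 16471/udp (Internal Policy)',
    '2011-11-05 02:11:00 Allow 192.168.201.9 198.51.100.4 53/udp Allowed',
]
```

Run `zeroaccess_peer_fanout(SAMPLE)` to get the one host fanning out on 16471/udp; the host doing ordinary DNS on 53/udp is not reported.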
Thank you

When we say secuRED, we mean it

"We were impressed that a network security provider would willingly put their box up against more than 50 of the best hackers in Canada."
– Hackfest.ca

2011-11-05 01:31:27 Deny 192.168.201.2 220.127.116.11 http/tcp IPS detected signature_name="VULN Cross-Site Scripting -7" signature_cat="Web Attack" signature_id="1120847" severity="5"
2011-11-05 01:33:27 Deny 192.168.202.6 18.104.22.168 smtp/tcp Firebox syn flooding 40 62 (Internal Policy)
2011-11-05 01:34:17 Deny 192.168.202.6 22.214.171.124 http/tcp ddos client quota 40 61 (Internal Policy)
2011-11-05 01:34:43 Deny 126.96.36.199 188.8.131.52 http/tcp ip spoofing sites 40 61 (Internal Policy)
2011-11-05 01:34:57 Deny 192.168.202.6 184.108.40.206 http/tcp Firebox syn flooding 40 62 (Internal Policy)

The "security made easy" challenge

The goal of this contest is to configure a WatchGuard UTM firewall as quickly as possible. The configuration reflects real requirements regularly seen in businesses. The competition is reserved for people with no experience with WatchGuard products. The winner receives an XTM25-Wireless with a 1-year license, a value of $870.

4 objectives:
- Read-only FTP server, download of PDF files only
- Block adult web sites and enable antivirus on all web content
- Allow HR to go on Facebook but block apps and other functions
- Enable IPS/IDS

Thank you