Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2009-06-07 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Scareware Tactics

Published: 2009-06-07
Last Updated: 2009-06-07 20:13:52 UTC
by Mari Nichols (Version: 2)
1 comment(s)

It has been an interesting week.  Lots of activity, but a slightly weird.  It's a beautiful day at the beach, so I'm going to pose you all a question that has peaked my interest this week.

Have any of you ever dealt with scareware or ransomware in your environment?  Do you have a written strategy for handling this type of incident in your incident response plan?  Have you gotten your legal team involved? Can you give us the big picture and help the rest of us get ready for this type of incident?  No enterprise identity necessary.

I'd like to hear about your strategies.  Please send me your comments.  I'll post them as we get some comments.

Update 1:  Tom sent in these helpful tips.

When I was a sysadmin / all-purpose I.T. guy at a non-profit agency, we had a mix of Windows 2000 and Windows XP desktops.  I gave all the users Restricted-User accounts on our domain, and this resolved most types of unwanted software.  However, two employees were fooled by Web advertisements claiming their computer was infected, and instructing them to download and run the "scanner" to fix it.

At the time, we were using an enterprise anti-virus product that allowed abitrary behavior-blocking rules to be created and enforced.  I created a set of behavior-blocking rules that arbitrarily prevented creation or execution of any .EXE files (as well as other dangerous types) within the user's C:Documents and Settingstheir-user-profile directory, which is where such a scareware file would have to be executed from when the user is a Restricted User.

Later I discovered Software Restriction Policy, available on Windows XP and later, and I'm enough of an SRP proponent that I have a website explaining how to use one of its effective configurations (mechbgon.com/srp if you're interested).

These tactics are effective against many types of unpatched exploits, not just scareware Trojans.  Naturally, I also explained the situation to the employees so they understand that the Internet should not be taken at face value.  If I were still in that position today, I would run live demonstrations at the monthly all-staff meeting, showing the employees some actual scareware and explaining that it's all a scam.

 

Keywords:
1 comment(s)
Diary Archives