Watchguard -

Watchguard – HackFest
Avez-vous déjà acheté un
fake-AV? Moi oui!
Jean-Pier Talbot | Ingénieur aux ventes, Canada
WatchGuard Technologies, Inc. |
514-394-0893 Direct
855-394-0893 Toll-Free
[email protected]
Get red. Get Secured.
What’s Scareware
Also called Fake AV or Rogueware, Scareware is a class of malware that
pretends to be some legitimate software – usually security related
software like AV – that tries to scare a victim into paying for a
“registered” version of the software in order to fix a fiction computing or
security problem. Some Scareware is benign, but others can include
backdoor or trojan components.
Scareware Stats
- Top 3 Fake AV amassed $130 million in revenue last year.
- Between 2.1% to 2.4% success rate.
- One fake AV company installed 8.4 millions "trial products" that yielded 189,342 sales
to the purported "commercial" version within three months.
- Fake AV firms actually do refund some of their victims. (between 3% and 8.5% of
their sales)
- Payment processors are well-aware of the fake AV business they are supporting.
They charge 8 to 20 percent per transaction for their services to "high-risk merchants"
that accrue a higher number of chargebacks
- Fake AV operations rely heavily on affiliates with commissions of 30 to 80 percent if
they get the sale.
- An Indian call center to handle technical support for them., Jul 06, 2011
How to get infected
computer/network behaviors
How to get infected
Many ways:
Google images
URL redirect
Java – flash exploit
Social engineering 
Java – flash exploit
While trying to get infected by a fake-AV, many times I saw flash or java
You can read a good article about a recent java exploit (Aimes-tu le Java?) on written by Philippe Godbout
Apps Can Be Dangerous
Social Networks let almost anyone make apps
Some apps are (or can become) malware
Bad guys target popular apps
Last year, Farm Town got hacked
Google image + URL redirect + Social engineering
Demo infected machine
Behavior of the infected machine
Port 16471 UDP:
New C&C Protocol for ZeroAccess/Sirefef
June 2012
More connections!
Denied connection request from outside that day
Time to build fake ID and buy this “product”
Time to build fake ID!
Need fake info for:
-Phone number
-Credit card
Fake name, address, phone number and email
New name: Jeff Roberts
Address: 5100 boul Wilfrid-Hamel (couche tard )
Ordered new DID: 418-263-1979
(w/ caller ID, voicemail and
call recording)
Used existing domain
on my exchange:
[email protected]
Credit card
Time to buy!
Video: prepaid.swf
Transaction refused 
Time to call Visa to find out why!
Audio: activate credit card.wav
Transaction refused, AGAIN !
Time to play around with support! 
Time to find support!
-Support from the fake AV block for none registered.
-Found terms and condition from Payment processors (Ebillingstars)
Email to credit card processors
First email 
Got a call back from
Seems like they refuse pre-paid visa card… need a real credit card
with a fake name
Went to my local bank and explain the situation. They refuse to give me a
credit card under a build-up name.
Went online and filled a
form with fake info,
got denied too 
Demo activation of “software”
Trying to get support
Forgot about WHOIS!
Whois of my domain where with my real name and personal phone number.
Started getting calls 3-4 times a day and nobody was speaking….
Thanks you
When we say secuRED, we mean it
“We were impressed that a network security
provider would willingly put their box up against
more than 50 of the best hackers in Canada.”
2011-11-05 01:31:27 Deny http/tcp IPS detected signature_name="VULN
Cross-Site Scripting -7" signature_cat="Web Attack" signature_id="1120847" severity="5”
2011-11-05 01:33:27 Deny smtp/tcp Firebox syn flooding 40 62 (Internal
2011-11-05 01:34:17 Deny http/tcp ddos client quota 40 61 (Internal
2011-11-05 01:34:43 Deny http/tcp ip spoofing sites 40 61 (Internal
2011-11-05 01:34:57 Deny http/tcp Firebox syn flooding 40 62 (Internal
The "security made easy" challenge
Le but de ce concours est de faire la configuration d’un pare-feu UTM
Watchguard le plus rapidement possible. Cette configuration représente des
besoins réels régulièrement vue en entreprise.
Cette compétition est réservée aux personnes ayant aucune expérience avec
les produits Watchguard. Le gagnant se mérite un XTM25-Wireless avec 1 an
de licence. Une valeur de 870$
4 objectifs:
-Serveur FTP en lecture seul, download uniquement de PDF
-Bloquer des sites web adult et activer l’antivirus sur tout contenu web
-Permettre au RH d’aller sur facebook mais bloquer les apps et autre fonctions
-Activé IPS/IDS
Thanks you
Jean-Pier Talbot | Ingénieur aux ventes, Canada
WatchGuard Technologies, Inc. |
514-394-0893 Direct
855-394-0893 Toll-Free
[email protected]
Get red. Get Secured.