RE: Odd typing in MSWord
Felix.Simmons_at_edwardjones.com
Date: 03/04/05
- Previous message: Russell Guthrie: "Global DNS Cache poisoning?"
- Maybe in reply to: Federated Information Security: "Odd typing in MSWord"
- Next in thread: Tom Baker: "RE: Odd typing in MSWord"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 04 Mar 2005 13:22:37 -0600
To: FederatedInformationSecurity@federatedinv.com, incidents@securityfocus.com
There could be a few possible reasons for your ghost typing. One, did
you check the document for macros? Two, have you looked into any rootkit
checking tools? Three, did you hang a sniffer off a machine that could
sniff the traffic of the workstation in question without actually having
to put the sniffer on the workstation?

When you do any analysis from the workstation you have to take anything
you see with a grain of salt; as in the example of rootkits, an attacker
could hide processes, connections, files, basically anything they don't
want you to see. I would say hang a sniffer off the machine and watch
it, or when in doubt rebuild.
-Felix
-----Original Message-----
From: FederatedInformationSecurity
[mailto:FederatedInformationSecurity@federatedinv.com]
Sent: Friday, March 04, 2005 8:50 AM
To: incidents
Subject: Odd typing in MSWord
I ran across something rather odd today I'm hoping someone might have
thoughts on. One of my users had their XP SP1 laptop on the corporate
network and was editing a Word document with Office 2002. They pasted
something in a table, and it looked like someone started typing in their
document. It was slow, typical typing speed, and lasted for about 10
minutes (I actually got a chance to see it). The text was nonsense
words, like the kind you often see in spam nowadays.
The machine's fully patched, up-to-date anti-virus and a personal
firewall. Don't see any signs of spyware, nothing in the registry. I
checked all the files modified today hoping to find a keylogger or
something similar, and the only thing I found was a seemingly encrypted
file on the root of c:\ called "comply.ini", which isn't normal for our
config, but may not be related. IE was open at the time this happened.
I issued a netstat -a command while the typing was going on, but all the
connections were legit--domain controller, file & print servers. I
checked the running processes and everything seemed pretty typical,
although I hit
Anyone run across anything similar lately, or have any suggestions?
Thanks!
sid
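
The cross-check suggested in the reply above (compare what the workstation reports with what an off-host sniffer sees) can be scripted. The following is an added example, not part of either message; the netstat text, the flow list and all addresses are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed sample: `netstat -an` output as reported BY the suspect workstation.
HOST_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.42:1045         10.0.0.5:445           ESTABLISHED
  TCP    10.0.0.42:1051         10.0.0.6:139           ESTABLISHED
  TCP    10.0.0.42:135          0.0.0.0:0              LISTENING
"""

# Constructed sample: TCP packets seen by the off-host sniffer,
# reduced to (src_ip, src_port, dst_ip, dst_port).
SNIFFED_FLOWS = [
    ("10.0.0.42", 1045, "10.0.0.5", 445),
    ("10.0.0.5", 445, "10.0.0.42", 1045),   # reply direction of the same flow
    ("10.0.0.42", 1051, "10.0.0.6", 139),
    ("10.0.0.42", 1060, "192.0.2.77", 8080),
]

# Only established TCP rows are compared; listeners carry no remote peer.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+ESTABLISHED", re.M)


def host_view(netstat_text):
    """Connections the workstation itself admits to."""
    return {(l, int(lp), r, int(rp)) for l, lp, r, rp in ROW.findall(netstat_text)}


def wire_view(flows, host_ip):
    """Connections seen on the wire, normalised to the host's perspective."""
    view = set()
    for src, sport, dst, dport in flows:
        if src == host_ip:
            view.add((src, sport, dst, dport))
        elif dst == host_ip:
            view.add((dst, dport, src, sport))
    return view


def hidden_connections(netstat_text, flows, host_ip):
    """Flows present on the wire but absent from the host's own report."""
    return sorted(wire_view(flows, host_ip) - host_view(netstat_text))


if __name__ == "__main__":
    for conn in hidden_connections(HOST_NETSTAT, SNIFFED_FLOWS, "10.0.0.42"):
        print("on the wire but not in netstat:", conn)
```

A netstat listing is a snapshot while a capture covers a window, so a short-lived connection can show up as a difference without anything being hidden; repeat the comparison before drawing conclusions.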