Re: Odd typing in MSWord
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa_at_pacbell.net)
Date: 03/05/05
- Previous message: Jay D. Dyson: "Re: Global DNS Cache poisoning?"
- In reply to: Federated Information Security: "RE: Odd typing in MSWord"
Date: Sat, 05 Mar 2005 11:12:28 -0800 To: Federated Information Security <FederatedInformationSecurity@federatedinv.com>
http://windowsir.blogspot.com/2005/03/rootkit-saga-continues.html
Are root kits 'that' new or are the bad guys just getting a smidge smarter?
This is an example of a rootkit that wasn't coded properly:
You receive a Stop 0x00000050 error on a blue screen:
http://support.microsoft.com/default.aspx?scid=kb;en-us;894278
The folks in my group say that if you have an on the ball admin, he/she
will notice something is up via the normal review procedures of the log
files/ingress/egress/packet flows and what not.
Remember there's a bunch more tools in the arsenal that many of us have
yet to roll out .... IPsec..... Software restriction....
IPFront - About:
http://www.hernanracciatti.com.ar/ipfront/about.htm
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
Federated Information Security wrote:
>Thanks to all who replied, I'm pretty sure it was the microphone, I'm in
>the process of verifying. As a side note, I've seen the press on MS
>root kits, but are they all that common? How often do you run across
>them in a corporate environment, and how good are standard protections
>(antivirus, firewall, non-admin) at preventing them?
>
>Thanks again!
>sid
>
>
>-----Original Message-----
>From: Federated Information Security
>Sent: Friday, March 04, 2005 9:50 AM
>To: incidents@securityfocus.com
>Subject: Odd typing in MSWord
>
>
>I ran across something rather odd today I'm hoping someone might have
>thoughts on. One of my users had their XP SP1 laptop on the corporate
>network and was editing a Word document with office 2002. They pasted
>something in a table, and it looked like someone started typing in their
>document. It was slow, typical typing speed, and lasted for about 10
>minutes (I actually got a chance to see it). The text was nonsense
>words, like the kind you often see in spam nowadays.
>
>The machine's fully patched, up-to-date anti-virus and a personal
>firewall. Don't see any signs of spyware, nothing in the registry. I
>checked all the files modified today hoping to find a keylogger or
>something similar, and the only thing I found was a seemingly encrypted
>file on the root of c:\ called "comply.ini", which isn't normal for our
>config, but may not be related. IE was open at the time this happened.
>I issued a netstat -a command while the typing was going on, but all the
>connections were legit--domain controller, file & print servers. I
>checked the running processes and everything seemed pretty typical,
>although I hit
>
>Anyone run across anything similar lately, or have any suggestions?
>
>Thanks!
>sid
>
>
>
--
Chapter 4 of The Complete Patch Management Book:
https://www.ecora.com/ecora/jump/pm149.asp
So why is it the only book on NT Event Logging is out of print?
http://tinyurl.com/3kwc2
And if you don't know about www.eventid.net
You should!