Advice for a spreadsheet macro that calls home?
From: marc spamcatcher (junk_at_zounds.net)
Date: 02/11/05
- Previous message: Jerry Shenk: "RE: WHERE DO YOU KEEP YOUR EXPLOIT ARCHIVE AND DATABASE"
- Next in thread: Omar Herrera: "RE: Advice for a spreadsheet macro that calls home?"
- Reply: Omar Herrera: "RE: Advice for a spreadsheet macro that calls home?"
Date: Fri, 11 Feb 2005 13:18:51 -0600 (CST)
To: pen-test@securityfocus.com
A client wants to find out who is accessing some confidential data on his
machine. Looks like an inside job, the IT staff reading an .xls.
We have a few approaches to this investigation (for instance, putting a
string token in the file, and using Snort to watch for it).
Putting a 'call-home' macro in the file seems like a good bet, since
the file could be pulled in many ways, but must be opened for
reading. I'm thinking that when the file is opened, a network connection
to a server is opened, and then we know when and where it was opened from.
I haven't read any VB code since looking at the Laroux macro
virus. But this seems like an easy bit of code to plant in an Excel
spreadsheet. Especially if I found some trojan/worm code to steal from.
Are there tools/worms that do this already I should look at? Am I
overlooking some problems?
thanks,
marc bayerkohler
http://zounds.net/images/marcemailaddy.gif
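
The string-token approach mentioned in the post, sketched as an added example that is not part of the original message: it derives the byte patterns a Snort `content` match would need, since an .xls can store a string as 8-bit or UTF-16LE and a mailed copy is base64-encoded. The token value, function names and sid range are constructed for illustration.

```python
import base64

TOKEN = "ZQ7canary4417XK"  # constructed marker; use a unique random string per file

def b64_fragments(needle: bytes) -> list[bytes]:
    """Base64 substrings present whenever `needle` sits inside encoded data,
    one per possible alignment (byte offset mod 3) of the needle."""
    frags = []
    for shift, lead in ((0, 0), (1, 2), (2, 3)):
        enc = base64.b64encode(b"\x00" * shift + needle)
        if enc.endswith(b"="):
            # the last data char mixes needle bits with the byte that follows
            enc = enc.rstrip(b"=")[:-1]
        frags.append(enc[lead:])  # leading chars depend on the preceding bytes
    return frags

def patterns(token: str) -> dict[str, bytes]:
    """Every byte form the token can take on the wire."""
    raw = {"ascii": token.encode("ascii"), "utf16le": token.encode("utf-16-le")}
    out = dict(raw)
    for name, needle in raw.items():
        for i, frag in enumerate(b64_fragments(needle)):
            out[f"{name}-b64-{i}"] = frag
    return out

def snort_rules(token: str, first_sid: int = 1000001) -> list[str]:
    """One alert rule per pattern, written as a hex content match."""
    rules = []
    for n, (name, pat) in enumerate(patterns(token).items()):
        hexpat = " ".join(f"{b:02x}" for b in pat)
        rules.append(f'alert tcp any any -> any any (msg:"canary token {name}"; '
                     f'content:"|{hexpat}|"; sid:{first_sid + n}; rev:1;)')
    return rules

def matches(payload: bytes, token: str) -> list[str]:
    """Names of the patterns found in a captured payload."""
    return [name for name, pat in patterns(token).items() if pat in payload]

if __name__ == "__main__":
    print("\n".join(snort_rules(TOKEN)))
```

Content matching like this only sees cleartext transfers; compression, encryption, or a MIME line break falling inside the token will hide it.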