RE: Analyzing Suspicious Attachment

You'd be at risk now of the same things you're always at risk of -
viruses, rootkits and so on. You're just maybe more likely now to have
one of these issues. But, assuming you have good software to check for
these already, you should be able to just run them. They may have
options to run on demand, which you could do now, as opposed to waiting
for them to run on a scheduled basis, if that's how they're configured.
There's also the possibility that sensitive information has already been
transferred to the internet, which you should be able to check with your
logs, or that data has been modified or deleted. Hopefully you can check
that against backups.
Brett


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Albert R. Campa
Sent: January 17, 2008 12:54 PM
To: Al Cooper
Cc: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Analyzing Suspicious Attachment

As far as network, check your IDS and other logs for anything weird or
a spike in events from these 3 systems.

Saludos

Albert

On Jan 17, 2008 11:18 AM, Al Cooper <cooper@xxxxxxxxxxxxxxx> wrote:
We had a user open a suspicious attachment. The attachment did not open so
she sent it to two of her colleagues. One of her colleagues was also unable to
open the file, but the third person did successfully open the file. The
attachment did not match the original email and IT was eventually called, a
few hours later. The three computers have been removed from the network.

I have the attachment. It is a zip file. Inside the zip file is one .scr
file. The antivirus (Symantec) did not catch anything when the file was
opened. The email is an HTML email and there are pictures that can be
downloaded.

Outside of the obvious policy and training issues, what is the best way to
determine what, if any, damage has been done to the network? What tools do I
need to analyze the attachment to see what it is and how it works?

Thanks for your help,
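One way to do the static, non-executing part of that triage, added here as an example and not code from anyone in the thread: it opens the zip in memory, hashes each entry, and flags an executable extension (such as the .scr described above), a PE "MZ" header, and path-traversal entry names without running or extracting anything. The sample zip and its invoice.scr entry are constructed for the demonstration.

```python
# Added example (not from the thread): static triage of a suspicious zip
# attachment without executing anything inside it. The sample zip and its
# "invoice.scr" entry are constructed here for demonstration only.
import hashlib
import io
import posixpath
import zipfile

# Windows extensions that run as native or script executables when opened.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".dll"}


def triage_zip(zip_bytes: bytes) -> list:
    """Inspect every entry of a zip held in memory and return triage facts.

    Nothing is written to disk and nothing is executed: entries are only read
    as bytes, hashed, and checked for an executable extension and a PE header.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = posixpath.splitext(name.lower())[1]
            data = zf.read(info)
            findings.append({
                "name": name,
                "size": info.file_size,
                "sha256": hashlib.sha256(data).hexdigest(),
                # A .scr is a renamed PE executable: "opening" it runs it.
                "executable_ext": ext in EXECUTABLE_EXTS,
                # Windows executables (EXE/DLL/SCR) start with the 'MZ' DOS stub.
                "pe_header": data[:2] == b"MZ",
                # Entry names with ../ or absolute paths can escape an extraction dir.
                "path_traversal": name.startswith("/") or ".." in name.split("/"),
            })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a zip holding one fake .scr with a PE 'MZ' stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.scr", b"MZ" + b"\x00" * 62 + b"PE\x00\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding)
```

The SHA-256 it prints is what you would submit to the AV vendor or look up elsewhere; the file itself never leaves the sandbox.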






