Security Basics mailing list archives
RE: Analyzing Suspicious Attachment
From: "Brett Kennedy" <Brett.Kennedy () caseware com>
Date: Thu, 17 Jan 2008 13:16:52 -0500
You'd be at risk now of the same things you're always at risk of - viruses, rootkits and so on. You're just maybe more likely now to have one of these issues. But, assuming you have good software to check for these already, you should be able to just run them. They may have options to run on demand, which you could do now, as opposed to waiting for them to run on a scheduled basis, if that's how they're configured.

There's also the possibility that sensitive information has already been transferred to the internet, which you should be able to check with your logs, or that data has been modified or deleted. Hopefully you can check that against backups.

Brett

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Albert R. Campa
Sent: January 17, 2008 12:54 PM
To: Al Cooper
Cc: security-basics () securityfocus com
Subject: Re: Analyzing Suspicious Attachment

As far as network, check your IDS and other logs for anything weird or a spike in events from these 3 systems.

Saludos
Albert

On Jan 17, 2008 11:18 AM, Al Cooper <cooper () hmcnetworks com> wrote:

We had a user open a suspicious attachment. The attachment did not open so she sent it to two of her colleagues. One of her colleagues was also unable to open the file, but the third person did successfully open the file. The attachment did not match the original email and IT was eventually called, a few hours later. The three computers have been removed from the network.

I have the attachment. It is a zip file. Inside the zip file is one .scr file. The antivirus (Symantec) did not catch anything when the file was opened. The email is an HTML email and there are pictures that can be downloaded.

Outside of the obvious policy and training issues, what is the best way to determine what if any damage has been done to the network? What tools do I need to analyze the attachment to see what it is and how it works?

Thanks for your help,

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
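Added example, not part of the thread: a first static look at a zip like the one Al Cooper describes, done entirely in memory so nothing is written to disk or executed. It lists the members, hashes them (the values you would search for or submit to a vendor), flags executable extensions (a .scr is a normal PE executable under a different name), checks for the PE "MZ" magic, and pulls out printable strings and URLs, which are the first pivots for the log review the other replies suggest. The member name "invoice.pdf.scr", the payload bytes and the URL are constructed for the example.

```python
import hashlib
import io
import re
import zipfile

# Extensions Windows will execute directly. A .scr "screensaver" is an ordinary
# PE executable under a different suffix, which is why filters that block .exe
# sometimes let it through.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".dll"}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def printable_strings(data, min_len=8):
    """ASCII runs of at least min_len bytes: the 'strings' pass of a static look."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage_zip(zip_bytes, max_member_bytes=50 * 1024 * 1024):
    """Inspect every member of an archive without extracting it to disk."""
    report = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > max_member_bytes:  # refuse to inflate a zip bomb
                report.append({"name": info.filename, "skipped": "declared size too large"})
                continue
            data = zf.read(info)
            name = info.filename.lower()
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            strings = printable_strings(data)
            report.append({
                "name": info.filename,
                "size": len(data),
                "sha256": sha256_hex(data),
                "extension": ext,
                "executable_ext": ext in EXECUTABLE_EXTS,
                "double_extension": name.count(".") >= 2,   # invoice.pdf.scr trick
                "pe_magic": data[:2] == b"MZ",               # DOS/PE header
                "urls": sorted(set(re.findall(r"https?://\S+", " ".join(strings)))),
                "strings": strings,
            })
    return report


def is_suspicious(entry):
    """Anything we could not inspect, or that is an executable in disguise."""
    if "skipped" in entry:
        return True
    return entry["executable_ext"] or entry["pe_magic"] or entry["double_extension"]


# Constructed stand-in for the .scr: a fake PE header plus the kind of strings
# a real sample would carry (DOS stub text, a callback URL, an autorun key).
SAMPLE_PAYLOAD = (
    b"MZ" + b"\x90" * 62
    + b"This program cannot be run in DOS mode.\x00"
    + b"\x00" * 16
    + b"http://example.invalid/update.php\x00"
    + b"\x00" * 16
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
)


def build_sample_zip():
    """Constructed archive mirroring the thread: one .scr inside a zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.pdf.scr", SAMPLE_PAYLOAD)
    return buf.getvalue()


if __name__ == "__main__":
    for entry in triage_zip(build_sample_zip()):
        verdict = "SUSPICIOUS" if is_suspicious(entry) else "ok"
        print(verdict, entry["name"], entry.get("sha256"), entry.get("urls"))
```

Run this on the real zip with `triage_zip(open(path, "rb").read())` on a machine that is off the network; the hashes go to your AV vendor and the URLs and registry paths into the proxy, DNS and IDS searches. Static strings are only a starting point; a packed sample will show little, and confirming what the file actually does needs a sandboxed or isolated run with a network capture.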
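Added example, not part of the thread: the log review Albert and Brett suggest, done as a comparison of each suspect host's outbound activity in the window after the attachment was opened against the same-length window just before it. A host is flagged when its event count spikes, when it talks to a destination it never used in the baseline, or when it pushes a large amount of data out. The log format, the host addresses, the incident time and every log line below are constructed for the example; adapt the regex to what your proxy, firewall or IDS actually writes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified firewall/proxy line format used by this example.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+):(?P<port>\d+) bytes_out=(?P<bytes>\d+)"
)


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "src": m["src"],
        "dst": f"{m['dst']}:{m['port']}",
        "bytes": int(m["bytes"]),
    }


def review_hosts(lines, hosts, incident_start, window=timedelta(hours=2)):
    """Per suspect host: events and destinations before vs. after the incident."""
    hosts = set(hosts)
    summary = {h: {"events_before": 0, "events_after": 0, "bytes_after": 0,
                   "new_destinations": set()} for h in hosts}
    baseline_dsts = defaultdict(set)
    events = [e for e in map(parse_line, lines) if e and e["src"] in hosts]
    # Baseline: same-length window immediately before the attachment was opened.
    for e in events:
        if incident_start - window <= e["ts"] < incident_start:
            summary[e["src"]]["events_before"] += 1
            baseline_dsts[e["src"]].add(e["dst"])
    # Incident window: count, sum bytes out, note destinations not in baseline.
    for e in events:
        if incident_start <= e["ts"] < incident_start + window:
            s = summary[e["src"]]
            s["events_after"] += 1
            s["bytes_after"] += e["bytes"]
            if e["dst"] not in baseline_dsts[e["src"]]:
                s["new_destinations"].add(e["dst"])
    return summary


def flagged_hosts(summary, spike_factor=3, byte_threshold=1_000_000):
    """Hosts whose post-incident behaviour differs from their own baseline."""
    out = []
    for host, s in sorted(summary.items()):
        spike = s["events_after"] > spike_factor * max(s["events_before"], 1)
        if spike or s["new_destinations"] or s["bytes_after"] > byte_threshold:
            out.append(host)
    return out


# Constructed data: three suspect workstations, the third opened the file.
SUSPECT_HOSTS = ["10.0.5.21", "10.0.5.22", "10.0.5.23"]
INCIDENT_START = datetime(2008, 1, 17, 10, 40)
SAMPLE_LOG = """
2008-01-17 09:05:12 src=10.0.5.21 dst=203.0.113.9:80 bytes_out=1820
2008-01-17 09:47:03 src=10.0.5.21 dst=203.0.113.9:80 bytes_out=940
2008-01-17 09:50:30 src=10.0.5.22 dst=203.0.113.9:80 bytes_out=1100
2008-01-17 10:02:45 src=10.0.5.23 dst=203.0.113.9:80 bytes_out=2300
2008-01-17 10:41:02 src=10.0.5.23 dst=198.51.100.77:8080 bytes_out=612
2008-01-17 10:41:09 src=10.0.5.23 dst=198.51.100.77:8080 bytes_out=48213
2008-01-17 10:41:15 src=10.0.5.23 dst=198.51.100.77:8080 bytes_out=1310720
2008-01-17 10:55:41 src=10.0.5.23 dst=198.51.100.77:8080 bytes_out=7004
2008-01-17 11:10:00 src=10.0.5.21 dst=203.0.113.9:80 bytes_out=1500
2008-01-17 11:30:17 src=10.0.5.22 dst=203.0.113.9:80 bytes_out=880
2008-01-17 11:45:00 src=10.0.5.23 dst=203.0.113.9:80 bytes_out=2100
2008-01-17 12:00:00 src=10.0.5.99 dst=198.51.100.77:8080 bytes_out=5
not a log line at all
""".strip().splitlines()


if __name__ == "__main__":
    summary = review_hosts(SAMPLE_LOG, SUSPECT_HOSTS, INCIDENT_START)
    for host in flagged_hosts(summary):
        s = summary[host]
        print(host, s["events_before"], "->", s["events_after"], "events,",
              s["bytes_after"], "bytes out, new:", sorted(s["new_destinations"]))
```

Only the host that opened the file is flagged here; the other two show their normal pattern, which is the evidence you want before deciding those machines need no rebuild. Any destination that appears only after the incident is the address to search for across the whole network, not just these three hosts, since a successful infection rarely stays on one machine.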
Current thread:
- Analyzing Suspicious Attachment Al Cooper (Jan 17)
- Re: Analyzing Suspicious Attachment Albert R. Campa (Jan 17)
- RE: Analyzing Suspicious Attachment Brett Kennedy (Jan 17)
- Remote desktop access policy WALI (Jan 18)
- RE: Remote desktop access policy Petter Bruland (Jan 18)
- AW: Remote desktop access policy Johannes Lemmerer (Jan 18)
- Re: Remote desktop access policy Josh Haft (Jan 18)
- Re: Remote desktop access policy The Security Community (Jan 18)
- Re: Remote desktop access policy Kurt Buff (Jan 19)
- Re: Remote desktop access policy WALI (Jan 21)
- Re: Remote desktop access policy Kurt Buff (Jan 21)
- RE: Analyzing Suspicious Attachment Brett Kennedy (Jan 17)
- Re: Analyzing Suspicious Attachment Albert R. Campa (Jan 17)
- Re: Remote desktop access policy Gleb Paharenko (Jan 18)
- Re: Remote desktop access policy Kurt Buff (Jan 19)