Security Incidents mailing list archives

Re: Djohn & John the Ripper


From: "James C. Slora Jr." <Jim.Slora () phra com>
Date: Thu, 22 Apr 2004 06:31:58 -0400

"netsecurity" wrote on Wednesday, April 21, 2004 12:18 PM:

> What we're most concerned about is how the client got onto the laptop
> to begin with.  We're behind a Checkpoint FW and when the laptop is
> used off site it is also behind a FW appliance.  This laptop runs W2K
> and has extensive software on it (belongs to a programmer) with VB,
> SQL, etc with ALL MS patches installed before the discovery.

A programmer with a portable PC probably has a lot of potential infection
vectors. Here are some ideas.

Hostile web pages are a perennial suspect, especially from advertisements.
We fight infection attempts from ads even on very legitimate and friendly
web sites. If you can determine when the client was installed (first by
assuming the file creation dates are not forged) you could correlate the
date and time to web logs or cached files. Some huge well-known holes just
got patched last week, and there are still plenty of unpatched problems in
IE. Was the My Computer security zone locked down?

If the user takes mail delivery through any server that does not strip
executables, there are plenty of custom trojans floating around that don't
get picked up by AV.

File infector viruses or trojaned programs could also have come onto the box
through almost any source.

If authentication ports are open at any point, someone could have cracked a
password to get into the box.

HTH
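
The correlation step suggested above (take the suspect file's timestamps, then look at what the box fetched around that time) can be scripted. The following is an added example and is not code from the original message or from either poster. The log format, the hostnames in it, and the two timestamps are constructed for illustration; a real investigation would feed it the Checkpoint or proxy logs in whatever format they are exported, and the file times as reported by the W2K box (e.g. `dir /T:C` and `dir /T:W`). Because the creation time itself may be forged, the script also flags a file whose last-write time predates its creation time, which on NTFS is what a file copied onto the machine from elsewhere looks like (copying preserves the write time and stamps a new creation time).

```python
"""Correlate a suspect file's timestamps with proxy/firewall log lines.

Added example, not part of the original post. Log format, hostnames and
file timestamps below are constructed for illustration.
"""
from datetime import datetime, timedelta
from urllib.parse import urlsplit
import os

# Constructed proxy log: "date time client method url", one request per line.
SAMPLE_LOG = """\
2004-04-19 14:02:11 10.1.2.34 GET http://www.example.com/news/index.html
2004-04-19 14:02:13 10.1.2.34 GET http://ads.example.net/banner.html
2004-04-19 14:02:14 10.1.2.34 GET http://ads.example.net/cgi-bin/load.hta
2004-04-19 14:02:15 10.1.2.34 GET http://ads.example.net/dl/setup.exe
2004-04-19 15:30:00 10.1.2.34 GET http://www.example.org/
2004-04-20 09:00:05 10.1.2.34 GET http://www.example.com/
"""

# Constructed timestamps for the suspect binary (assumed to come from the
# filesystem on the W2K box; creation time can be forged, so treat it as a
# pivot for the search, not as proof).
SUSPECT_CREATED = datetime(2004, 4, 19, 14, 2, 16)
SUSPECT_MODIFIED = datetime(2004, 4, 17, 3, 11, 40)

# Extensions worth a second look when fetched over HTTP right before the
# file appeared. Constructed list; extend to taste.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                   ".vbs", ".hta", ".chm", ".cab", ".dll"}


def parse_log(text):
    """Parse the constructed log format into dicts with a datetime 'ts'."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, client, method, url = line.split(None, 4)
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        entries.append({"ts": ts, "client": client, "method": method, "url": url})
    return entries


def correlate(entries, pivot, window=timedelta(minutes=10), client=None):
    """Return log entries within +/- window of pivot, oldest first.

    If client is given, only that client's requests are returned, which is
    what you want when the log covers the whole LAN.
    """
    lo, hi = pivot - window, pivot + window
    hits = [e for e in entries
            if lo <= e["ts"] <= hi and (client is None or e["client"] == client)]
    return sorted(hits, key=lambda e: e["ts"])


def executable_fetches(entries):
    """Filter entries whose URL path ends in an executable-type extension."""
    out = []
    for e in entries:
        path = urlsplit(e["url"]).path.lower()
        if os.path.splitext(path)[1] in EXECUTABLE_EXTS:
            out.append(e)
    return out


def timestamp_flags(created, modified):
    """Sanity flags on the file's own timestamps.

    A last-write time earlier than the creation time means the file was
    built elsewhere and copied in (NTFS keeps the write time on copy and
    stamps a fresh creation time), so the creation time is the arrival
    time, not the build time.
    """
    flags = []
    if modified < created:
        flags.append("modified-before-created")
    return flags


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for flag in timestamp_flags(SUSPECT_CREATED, SUSPECT_MODIFIED):
        print("file timestamp flag:", flag)
    hits = correlate(entries, SUSPECT_CREATED, timedelta(minutes=5),
                     client="10.1.2.34")
    print(f"{len(hits)} requests within 5 minutes of creation time:")
    for e in hits:
        marker = "  <-- executable" if e in executable_fetches([e]) else ""
        print(f"  {e['ts']} {e['method']} {e['url']}{marker}")
```

Run it against the real export and widen the window if the first pass is empty; the creation time is only as good as the clock on the laptop, so check for drift against the firewall's clock before trusting a tight window.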


