RE: Possible Intrusion Attempt?

From: Whiteside, Larry [contractor] (BAE14at_private)
Date: Thu May 22 2003 - 12:30:59 PDT

  • Next message: Ryan Yagatich: "Re: Possible Intrusion Attempt?"

    There are tons of ways this could be happening. If it is HTML email, then there could be all kinds of code embedded in that email to run upon opening. If you use preview pane, you don't even need to open it for the code to execute. It will run by being viewed in preview pane.
    
    I have not seen this specific thing, but many, many like it. All someone has done is embed ActiveX commands in the email. Upon opening, they execute. It is not really hard to do. They are preying on the fact that you allow HTML email. 
    
    my 2 cents:
    
    You should first stop allowing HTML email. That is one of the easiest ways for arbitrary code to be executed on your host. Then you should revamp your security program to teach your users not to open things from unknown sources. As long as you allow HTML email, you can be subject to this type of attack. 
    
    The risk is if it actually is able to connect to a site and load a backdoor trojan. This is where the real headaches begin. If HTML email is necessary for business (not sure how), then you should look at some sort of HIDS (host IDS) or email proxy/gateway that would scan this before it hit the host. Not sure what your local policy is, but if the users don't have many/any rights to change their system, then a backdoor trojan would not be able to load, because it is attempting to write using the current user's rights.
    
    There are all types of scenarios that I could write up and speak about concerning this. Bottom line is that this is a problem that you should address quickly, because you can be sure to receive more of these types of things: the offender in this case will more than likely post what they have done somewhere.
    
    
    L
    ***************************
    Larry Whiteside Jr.
    Sr. Security Engineer
    
    -----Original Message-----
    From: Matt LaFelero [mailto:ramstrykeat_private]
    Sent: Wednesday, May 21, 2003 7:48 PM
    To: incidentsat_private
    Subject: Possible Intrusion Attempt?
    
    I'm hoping someone here might be able to shed some light on this situation.
    
    Some of my users have been getting some interesting spam mail. This is the first time I've ever seen a spam mail do this. When the user opens the spam mail, all of a sudden, an Internet Explorer authentication box pops up. You know, those that ask for username, password, and domain.
    
    Well, I run MS Proxy 2.0 here and the logon with a 2KPro machine is integrated, so the user never sees this box or has to enter his/her password to get on the Web.
    
    It's strange that this email triggers the authentication box. What's even weirder is that it populates the username for them, with weird names. The names always seem to change from spam mail to spam mail. I've seen iterations like fluff, skank, morton, taxiway.. you name it.
    
    It seems most of the emails are HTML, which can explain a lot. None of them had attachments. From what I could gather it seems to be attempting to load a site. We run Outlook 2000 with SP3 and all hotfixes.
    
    My question is, how is this happening and is it a threat?
    
    
    ----------------------------------------------------------------------------
    *** Wireless LAN Policies for Security & Management - NEW White Paper ***
    Just like wired networks, wireless LANs require network security policies 
    that are enforced to protect WLANs from known vulnerabilities and threats. 
    Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.
    
    To get your FREE white paper visit us at:    
    http://www.securityfocus.com/AirDefense-incidents
    ----------------------------------------------------------------------------
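    Editor's added example (not code from either poster, and not something the thread establishes about these particular messages): a small triage script that lists the remote resources an HTML mail body would fetch when a client such as Outlook 2000 renders it, which happens in the preview pane as well as on open, and flags the references most worth a second look. A fetch to a remote host that answers with an HTTP or proxy authentication challenge can raise an IE logon dialog with no attachment and no active content involved; a user name embedded in the URL authority (http://name@host/...) is one assumed way a name could turn up pre-filled in that dialog, so the script calls those out separately. The sample body is constructed and uses documentation address ranges.

```python
"""Triage an HTML mail body: list what a rendering client would fetch and
flag the references most worth a second look. Added example with a
constructed sample body; not a message from the list and not the posters' code."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs a mail client dereferences while rendering, i.e. the
# places a message can reach out to a remote host with no attachment at all.
FETCH_ATTRS = {
    "img": ("src", "lowsrc", "dynsrc"),
    "iframe": ("src",),
    "frame": ("src",),
    "script": ("src",),
    "link": ("href",),
    "object": ("data", "codebase"),
    "embed": ("src",),
    "body": ("background",),
    "table": ("background",),
    "td": ("background",),
    "bgsound": ("src",),
    "input": ("src",),
}
CSS_URL = re.compile(r"""url\(\s*['"]?([^'")\s]+)""")


class RemoteRefs(HTMLParser):
    """Collect (tag, attribute, url) for every reference the render would follow."""

    def __init__(self):
        super().__init__()
        self.refs = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        wanted = FETCH_ATTRS.get(tag, ())
        for name, value in attrs:
            if value is None:
                continue
            if name in wanted:
                self.refs.append((tag, name, value.strip()))
            elif name == "style":          # inline CSS such as background: url(...)
                self.refs.extend((tag, "style", u) for u in CSS_URL.findall(value))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:                 # contents of a <style> block
            self.refs.extend(("style", "css", u) for u in CSS_URL.findall(data))


def analyze(url):
    """Classify one reference.
    'remote-fetch': rendering contacts a remote host, which can answer with an
      HTTP or proxy authentication challenge and so raise a logon dialog.
    'userinfo': a user name sits in the URL authority (http://name@host/);
      assumed, not proven by the thread, to be a way a name could arrive
      pre-filled in that dialog.
    'unc-or-file': a file:// URL or \\\\server path, which a Windows client may
      try to reach over SMB."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    flags = []
    if scheme in ("http", "https", "ftp") and parts.hostname:
        flags.append("remote-fetch")
    if parts.username is not None:
        flags.append("userinfo")
    if scheme == "file" or url.startswith("\\\\"):
        flags.append("unc-or-file")
    return {"url": url, "scheme": scheme, "host": parts.hostname,
            "username": parts.username, "flags": flags}


def triage(html_body):
    """All references in document order, each with its classification."""
    parser = RemoteRefs()
    parser.feed(html_body)
    parser.close()
    return [dict(analyze(url), tag=tag, attr=attr) for tag, attr, url in parser.refs]


def prompt_suspects(html_body):
    """Remote fetches that also carry a user name: the first thing to check
    when users report a pre-filled logon box after opening a message."""
    return [f for f in triage(html_body)
            if "remote-fetch" in f["flags"] and "userinfo" in f["flags"]]


# Constructed sample body (TEST-NET addresses, not real hosts).
SAMPLE = """<html><body background="http://fluff@203.0.113.10/bg.gif">
<p>Great offer inside!</p>
<img src="cid:logo@local">
<img src="http://www.example.net/pixel.gif?id=42" width=1 height=1>
<iframe src="http://skank@198.51.100.7/track.html" width=0 height=0></iframe>
<style>.x { background: url(http://morton@203.0.113.10/s.png) }</style>
</body></html>"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['tag']}/{f['attr']:<10} {','.join(f['flags']) or '-':<22} {f['url']}")
    print("prompt suspects:", [f["username"] for f in prompt_suspects(SAMPLE)])
```

    Run it over the saved text/html part of a suspect message to see what a render would reach for before anyone opens it; the same pass is a reasonable first filter on a mail gateway, which is the kind of scanning before the message hits the host that the reply above suggests. It lists fetches, it does not reproduce them, so nothing is contacted while you look.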
    
    
    



    This archive was generated by hypermail 2b30 : Fri May 23 2003 - 10:05:29 PDT