This is an after action report (Army lingo) for a problem I have been
working on the last few days.  Here is what happened.

Due to other activities and pure laziness, I hadn't reviewed my firewall
logs in a few weeks.  I sat down to work through them and noticed an incredible
amount of ICMP traffic from altavista and yahoo being blocked every day.
The traffic would start about 8 AM and end about 5 PM and it was all ICMP
code 0 type 0 which is an echo reply, all with a destination of one of my
user PCs.  I managed to track down the user and luckily, it was one of our
Directors who was a former IS person and a friend of mine.  This was lucky
because regular users are very hesitant to admit doing anything non-work
related, but this guy will be honest and understands my business.

Anyway, I started snooping his IP from the Internet interface on my firewall
and saw almost a constant stream of traffic from his PC to Lycos, AltaVista
and Yahoo.  We run Windows 95 so I pulled up his task list and everything
looked normal except something called CD_Load.  I searched for it on his
hard disk and sure enough, installed in c:\windows\system was an exe called
CD_Load.exe.  Looking at the properties of it, it had been installed on the
day the traffic started and it was a program created by some company called
CyDoor and was designed to deliver advertising to his PC.  I found it in the
registry under HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.  On
the date in question, this guy had downloaded and installed a free Tetris
game and along with that, he must have gotten this ad delivery garbage.

I just thought you all might like to know about this in case you see
something similar.  This one PC was spewing a couple hundred or more packets a
minute without the user touching the keyboard or, for that matter, even being
aware it was happening.  At this time, I allow my users carte blanche to the
Internet and while I understand the security problems with this, I haven't
been able to get my hands around what they need and what they don't in order
to lock them down (locking it down to see who screams is NOT an option).

Be careful out there.

Jim Edwards
Systems Manager
Texas Secretary of State
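The pattern Jim describes (a single inside host drawing a steady stream of blocked ICMP echo replies from a handful of outside addresses, hour after hour, during business hours) is easy to miss in a raw log but trivial to pull out with a short script. The following is an added example, not code from the original post or from Check Point; the log line format it parses is constructed for illustration and is not the FireWall-1 log format, and the addresses, timestamps, and the 100-packets-per-minute threshold are assumptions. It buckets echo replies (type 0, code 0) per destination host per minute, records the peak rate, the set of outside sources, and the hours of day in which the traffic appears, and flags any host whose peak exceeds the threshold.

```python
"""Flag inside hosts receiving an abnormal rate of ICMP echo replies.

Added example (not from the original post). The log format below is
constructed for illustration only; it is NOT the FireWall-1 log format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format:
#   "<YYYY-MM-DD HH:MM:SS> <action> proto=<proto> src=<ip> dst=<ip> [type=<n> code=<n>]"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) "
    r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)"
    r"(?: type=(?P<type>\d+) code=(?P<code>\d+))?$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["type"] = int(rec["type"]) if rec["type"] is not None else None
    rec["code"] = int(rec["code"]) if rec["code"] is not None else None
    return rec


def echo_reply_stats(lines):
    """Aggregate ICMP echo replies (type 0, code 0) by destination host.

    Returns {dst: {"total", "peak_per_minute", "sources", "hours"}}.
    "hours" is the set of hours-of-day seen, which exposes the
    8-AM-to-5-PM pattern described in the post.
    """
    per_minute = defaultdict(lambda: defaultdict(int))   # dst -> minute -> count
    stats = defaultdict(lambda: {"total": 0, "peak_per_minute": 0,
                                 "sources": set(), "hours": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"].lower() != "icmp":
            continue
        if rec["type"] != 0 or rec["code"] != 0:      # echo reply only
            continue
        minute = rec["ts"].replace(second=0)
        dst = rec["dst"]
        per_minute[dst][minute] += 1
        s = stats[dst]
        s["total"] += 1
        s["sources"].add(rec["src"])
        s["hours"].add(rec["ts"].hour)
    for dst, buckets in per_minute.items():
        stats[dst]["peak_per_minute"] = max(buckets.values())
    return dict(stats)


def flag_hosts(lines, threshold_per_minute=100):
    """Return destination hosts whose peak echo-reply rate meets the threshold.

    The threshold is an assumption; tune it to your own baseline.
    """
    return sorted(dst for dst, s in echo_reply_stats(lines).items()
                  if s["peak_per_minute"] >= threshold_per_minute)


def constructed_sample():
    """Constructed log lines: 120 blocked echo replies per minute for two
    minutes to one user PC, plus a little unrelated background traffic.
    Outside addresses are from the RFC 5737 documentation ranges."""
    lines = []
    base = datetime(2000, 3, 14, 9, 15, 0)
    outside = ["203.0.113.10", "203.0.113.11"]
    for i in range(240):                                # 2 per second, 120 per minute
        ts = base + timedelta(seconds=i // 2)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} drop proto=icmp "
                     f"src={outside[i % 2]} dst=10.1.1.50 type=0 code=0")
    lines.append("2000-03-14 09:15:30 drop proto=icmp src=192.0.2.9 dst=10.1.1.20 type=0 code=0")
    lines.append("2000-03-14 09:15:31 accept proto=icmp src=10.1.1.20 dst=192.0.2.9 type=8 code=0")
    lines.append("2000-03-14 09:15:40 drop proto=tcp src=198.51.100.7 dst=10.1.1.50")
    return lines


if __name__ == "__main__":
    sample = constructed_sample()
    for dst, s in echo_reply_stats(sample).items():
        print(f"{dst}: total={s['total']} peak/min={s['peak_per_minute']} "
              f"sources={sorted(s['sources'])} hours={sorted(s['hours'])}")
    print("flagged:", flag_hosts(sample))
```

On real data, feed `flag_hosts` a file object and lower the threshold until the per-hour profile of a flagged host looks like Jim's (traffic only while someone is logged in); a host that is pinged back by the same few outside addresses all day is the one to go look at in the Run key.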



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================