I’ve been absent from the blog lately due to a number of pressing projects, one which was rebuilding a friend’s Windows XP box after a trojan massacre (and I thought only auditors stabbed the wounded — you should have seen the legions on that box).
When I delivered the newly minted OS and applications, my friend informed me that another set of email spam was sent from her Hotmail account at 3:20 am that morning. She asked me whether I was working on the PC at the time. I told her that not only was her PC turned off at that time, it was unplugged.
It was then that my friend (and yes, I pick on my friends, anonymously of course) said:
Since the PC was off, that proves that the trojans on my PC were not involved in the email spam. It wasn’t my fault after all!
It was true that her wiped, reloaded PC had nothing to do with it. But as I explained to her, if you PC gets severely infected, and then your email account starts sending spam, it’s much more likely that the infections caused it versus someone guessing her email account password out of the blue.
I asked her whether she had immediately reset her Hotmail account password right away like I suggested (at a computer that she trusted, not hers).
“No, she said, “I thought you meant my OS password, so I changed it on my PC. I can’t change my OS password unless I’m at home.”
I can’t argue with that kind of logic. Too bad she got confused, because the first spam volley was only 20 people. The next volley, which would have been stopped by the Hotmail password change, went to over a 100 people, including people with which she had interviewed.
When she did finally change her Hotmail password, I also made her change her security questions, just in case the attacker changed those while he had access.
I also told her to change her online banking password, but she didn’t seem to see the connection. I tried to explain that the email and bank passwords aren’t connected, but that the trojan was common to both, meaning all her passwords could be compromised. I urged her to change them all, but at least the bank password.
Cuz I can reload OSes, but not bank accounts.
—-
Read other Quotes of the Weak
ITauditSecurity 
Now, if you had only taken the time to grab an image of that machine before wiping and reloading. I know a certain forensics n00b that would have done a full breakdown of the infection mechanism for you.
LikeLike
Grayson,
I thought about that (and you), but didn’t have time. She was a difficult person to deal with and I needed to turn it around fast. Plus, I have a lot of studying to do on other topics.
Also, so much was wrong on that box. Would have been a spaghetti mess (sounds like fun, huh?).
Thanks for stopping by.
LikeLike