[AusNOG] Strange call from supposed Antivirus vendor.

Pinkerton, Eric Eric.Pinkerton at team.telstra.com
Mon Jun 28 10:14:25 EST 2010


My immediate thought here is that your user has been pwned via social engineering, and my first action would be to disconnect his machine until you can establish exactly what those commands were, and who was calling. Especially since you are seeing other issues...

If you can't find a legitimate explanation very quickly then you should automatically assume the worst and act accordingly.

ISPs do occasionally call account holders following abuse reports, or when it is obvious that their machine is infected from the traffic flows, but I have never heard of Norton doing this, and unless this guy is a Norton customer how would they get his phone number?


________________________________
From: ausnog-bounces at lists.ausnog.net [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Luke Fuller
Sent: Monday, 28 June 2010 9:48 AM
To: Ausnog List
Subject: [AusNOG] Strange call from supposed Antivirus vendor.

Hi All,

A quick question some of you may have come across before or have advice on.

One of our users over the weekend had a strange phone call from a company, supposedly 'Norton', stating that their computer is infected and they need to follow the following steps, for which they gave the user several CMD and registry commands. This was reported yesterday to us.

Has anybody else come across such a thing before? The user is connected to our corporate WAN and there is a possibility that if it was infected it has spread, as we are seeing issues pop up on some production servers.

Any advice on a standard response? We have already started to in-depth scan each server; however, should we also strengthen the IPS scanning for malware, etc. at network edge points?

Very odd unless companies do contact end users; however, we use ESET through the corporate network. Anybody else with similar experience with a strange call?

Luke.


Luke Fuller


COZmedics Medispas
Maroochydore - Level 1, 49 The Esplanade
Noosa - Suite 1.17, Noosa Medical & Professional Centre  90 Goodchap Street
Ascot - Level 1, 121 Racecourse Road
Kenmore - Suite 9, 2081 Moggill Road

Ph: 07 5409 4400
Fax: 07 5409 4444
Bookings: 1300 792 299
Web: www.cozmedics.com.au
