When I've written about performing incident response data collection (here and here), I've mentioned retrieving any available data from the clipboard. Others have mentioned the same thing. I've mentioned it as a way of collecting as complete a set of information as possible...what might appear to be the work of a Trojan may, in fact, be the doing of the user themselves. In the past, while working for a telecom company, we found that a user was attempting to access routers using a GUI telnet app, and had copied the password he was using to the clipboard so that he could easily paste it into the GUI.
Just today, I saw this blog entry that identified malware that actually overwrites the contents of the clipboard, so that if the user pastes a URL into the address bar of the browser, the malicious one will be pasted instead.
So, just a thought...maybe it's about time for me to add that entry back into my IR script. You can obtain a copy of pclip.exe here.
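For anyone who wants the clipboard step in a PowerShell-based collection script rather than calling out to pclip.exe, here is an added example (my own illustration, not the IR script or tool referred to above). It assumes Windows PowerShell 5.1, where Get-Clipboard supports the -Format parameter; on other versions the FileDropList part is skipped. The output path and field names are assumptions for illustration.

```powershell
# Added example (not the original post's IR script): collect the interactive
# user's clipboard contents as an IR artifact. Assumes Windows PowerShell 5.1
# (Get-Clipboard with -Format) running inside the logged-on user's desktop
# session; the output path is an assumption for illustration.
function Collect-ClipboardArtifact {
    param(
        [string]$OutputPath = (Join-Path $env:TEMP 'clipboard_artifact.jsonl')
    )

    $collectedAt = (Get-Date).ToUniversalTime().ToString('o')
    $text  = $null
    $files = $null

    try {
        # -Raw returns the text as one string instead of an array of lines
        $text = Get-Clipboard -Raw -ErrorAction Stop
    } catch { }

    try {
        # Files copied from Explorer arrive as a FileDropList, not as text
        # (-Format exists in Windows PowerShell 5.1; elsewhere this throws)
        $files = Get-Clipboard -Format FileDropList -ErrorAction Stop
    } catch { }

    $sha256 = $null
    if ($text) {
        # Hash the captured text so the record can be verified later
        $bytes  = [System.Text.Encoding]::UTF8.GetBytes($text)
        $hasher = [System.Security.Cryptography.SHA256]::Create()
        $sha256 = ($hasher.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
    }

    # A URL sitting on the clipboard is exactly the case described in the post:
    # flag it so the analyst can compare it with what the user thinks they copied.
    $looksLikeUrl = [bool]($text -and $text.Trim() -match '^(https?|ftp)://\S+$')

    $record = [pscustomobject]@{
        CollectedAtUtc = $collectedAt
        Host           = $env:COMPUTERNAME
        User           = "$env:USERDOMAIN\$env:USERNAME"
        SessionId      = (Get-Process -Id $PID).SessionId
        TextLength     = if ($text) { $text.Length } else { 0 }
        TextSha256     = $sha256
        LooksLikeUrl   = $looksLikeUrl
        FileDropList   = if ($files) { (@($files | ForEach-Object { $_.FullName }) -join ';') } else { $null }
        Text           = $text
    }

    # Append one JSON line per run so repeated collections build a timeline
    ($record | ConvertTo-Json -Compress) | Add-Content -Path $OutputPath -Encoding UTF8
    return $record
}

Collect-ClipboardArtifact | Format-List
```

Two caveats worth keeping in mind when adding this to a collection script. The clipboard belongs to the interactive desktop session, so running the collector through WinRM, PsExec, or a scheduled task as SYSTEM returns nothing; it has to execute in the logged-on user's session (the SessionId field is there to confirm that). And, as the telnet password story shows, the captured text may itself be a credential, so the evidence file needs the same handling as any other sensitive artifact.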