Educause Security Discussion mailing list archives

Ongoing Infection


From: Livio Ricciulli <livio () METAFLOWS COM>
Date: Fri, 27 Mar 2015 10:48:59 -0700

Hi, we have noticed an ongoing infection in some of our edu customers' networks that is compromising Personally Identifiable Information systems. It is actively spreading very efficiently through email attachments (a common one is invoice.zip).

It looks like the smoking gun is:
/snort-trojan-activity/trojan/chrome/: 1.2020308:ET TROJAN Dyre Downloading Mailer

I would strongly encourage you to look for this or similar signatures on your networks. In a few cases, after the infection, there are multiple downloads from ms671.moonshot.fastwebserver.de <https://nsm.metaflows.com/sockets/historical.php?aquery=2020308&w=any&hist_count=8000#89.163.220.162> "GET /ml1from1.tar" (not actually a tar file, some kind of encoded DBase file)

I hope this helps!

--
Livio Ricciulli
MetaFlows Inc
w +1(408) 457-1895
m +1(408) 835-5005
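The post gives two kinds of evidence to hunt for: an IDS alert for ET signature id 2020308 and follow-on HTTP downloads of /ml1from1.tar from ms671.moonshot.fastwebserver.de (89.163.220.162). The script below is an added example, not code from the post or from MetaFlows, that scans both sources and correlates them per internal host. It assumes a Snort/Suricata fast.log-style alert line and a simplified tab-separated HTTP proxy record (ts, src, dst, host, method, uri); both sample logs are constructed for the example, while the indicators themselves are the ones named in the post.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Indicators of compromise taken from the post above.
IOC_HOSTS = {"ms671.moonshot.fastwebserver.de"}
IOC_IPS = {"89.163.220.162"}
IOC_URIS = {"/ml1from1.tar"}
DYRE_MAILER_SID = "2020308"  # ET TROJAN Dyre Downloading Mailer

# Assumed fast.log layout:
# "... [**] [1:<sid>:<rev>] <msg> [**] ... {TCP} <src>:<port> -> <dst>:<port>"
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\].*?\{\w+\}\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+"
)


@dataclass(frozen=True)
class HttpHit:
    ts: str
    src: str
    dst: str
    host: str
    uri: str
    reasons: tuple  # which indicators matched


def parse_http_line(line):
    """Parse one assumed tab-separated proxy record: ts, src, dst, host, method, uri."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        return None
    ts, src, dst, host, method, uri = fields
    return {"ts": ts, "src": src, "dst": dst, "host": host.lower(),
            "method": method.upper(), "uri": uri}


def scan_http_log(lines):
    """Return every request that matches an indicator, tagged with the reasons."""
    hits = []
    for line in lines:
        rec = parse_http_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["host"] in IOC_HOSTS:
            reasons.append("ioc-host")
        if rec["dst"] in IOC_IPS:
            reasons.append("ioc-ip")
        if rec["method"] == "GET" and rec["uri"] in IOC_URIS:
            reasons.append("ioc-uri")
        if reasons:
            hits.append(HttpHit(rec["ts"], rec["src"], rec["dst"],
                                rec["host"], rec["uri"], tuple(reasons)))
    return hits


def hosts_with_dyre_alert(alert_lines, sid=DYRE_MAILER_SID):
    """Internal source addresses for which the IDS fired the given signature id."""
    sources = set()
    for line in alert_lines:
        m = ALERT_RE.search(line)
        if m and m.group("sid") == sid:
            sources.add(m.group("src"))
    return sources


def correlate(alert_lines, http_lines):
    """Confirmed = fired the signature AND talked to the IOC host (value: number of
    /ml1from1.tar downloads). Suspect = IOC traffic without a matching alert."""
    alerted = hosts_with_dyre_alert(alert_lines)
    hits = scan_http_log(http_lines)
    downloads = Counter(h.src for h in hits if "ioc-uri" in h.reasons)
    ioc_traffic = {h.src for h in hits}
    confirmed = {src: downloads[src] for src in alerted if src in ioc_traffic}
    suspect = ioc_traffic - alerted
    return confirmed, suspect


# Constructed sample logs (not real captures). Internal hosts are RFC 1918 addresses.
HTTP_LOG = [
    "1427478539\t10.0.0.5\t89.163.220.162\tms671.moonshot.fastwebserver.de\tGET\t/ml1from1.tar",
    "1427478600\t10.0.0.5\t89.163.220.162\tms671.moonshot.fastwebserver.de\tGET\t/ml1from1.tar",
    "1427478650\t10.0.0.7\t93.184.216.34\texample.com\tGET\t/index.html",
    "1427478700\t10.0.0.9\t89.163.220.162\tms671.moonshot.fastwebserver.de\tGET\t/other",
]
ALERT_LOG = [
    "03/27-10:48:59.000000  [**] [1:2020308:1] ET TROJAN Dyre Downloading Mailer [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:49152 -> 89.163.220.162:80",
    "03/27-10:50:01.000000  [**] [1:1000001:1] LOCAL constructed unrelated alert [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.7:51000 -> 93.184.216.34:80",
]

if __name__ == "__main__":
    confirmed, suspect = correlate(ALERT_LOG, HTTP_LOG)
    for src, n in sorted(confirmed.items()):
        print(f"CONFIRMED {src}: signature {DYRE_MAILER_SID} + {n} download(s) of /ml1from1.tar")
    for src in sorted(suspect):
        print(f"SUSPECT   {src}: IOC traffic without the signature, check manually")
```

A host that reached the IOC server but never tripped the signature still goes on the suspect list, since the signature may not fire on every variant; the download count per confirmed host is reported because the post notes that infected machines fetch the file repeatedly.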

