Educause Security Discussion mailing list archives
Re: Ongoing Infection
From: Brad Judy <brad.judy () CU EDU>
Date: Fri, 27 Mar 2015 17:52:06 +0000
Also look for alerts for:

2020290 ET CURRENT_EVENTS Possible Dyre SSL Cert Jan 22 2015

This can indicate a machine that is infected, but has not (yet) downloaded the mailer to further spread the infection.

Brad Judy
Director of Information Security
University Information Systems
University of Colorado
1800 Grant Street, Suite 300
Denver, CO 80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Livio Ricciulli
Sent: Friday, March 27, 2015 11:49 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Ongoing Infection

Hi,

we have noticed an ongoing infection in some of our edu customers' networks that is compromising Personally Identifiable Information systems. It is actively spreading very efficiently through email attachments (a common one is invoice.zip).

It looks like the smoking gun is:

/snort-trojan-activity/trojan/chrome/: 1.2020308:ET TROJAN Dyre Downloading Mailer

I would strongly encourage you to look for this or similar signature on your networks.

In a few cases, after the infection, there are multiple downloads from ms671.moonshot.fastwebserver.de <https://nsm.metaflows.com/sockets/historical.php?aquery=2020308&w=any&hist_count=8000#89.163.220.162>

"GET /ml1from1.tar" (not actually a tar file, some kind of encoded DBase file)

I hope this helps!

--
Livio Ricciulli
MetaFlows Inc
w +1(408) 457-1895
m +1(408) 835-5005
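The two signature IDs named in this thread (2020308 "ET TROJAN Dyre Downloading Mailer" and 2020290 "ET CURRENT_EVENTS Possible Dyre SSL Cert") can be correlated per host to produce exactly the split Brad describes: hosts that have already fetched the mailer versus hosts that only show the SSL-cert hit and have not (yet) started spreading. The script below is an added example, not code from either poster or from MetaFlows; it parses alert lines in the Snort/Suricata "fast" log format, and the sample log lines, the HOME_NETS ranges and the IP addresses in them are constructed for illustration (the real hostname and IP from the thread are not used). Because the SSL-cert rule fires on the server's certificate, the infected machine may appear as the destination rather than the source of that alert, so the code picks whichever endpoint falls inside the home networks.

```python
import ipaddress
import re
from collections import defaultdict

# Signature IDs quoted in the thread (Emerging Threats rule set).
SID_DYRE_MAILER = 2020308    # ET TROJAN Dyre Downloading Mailer
SID_DYRE_SSL_CERT = 2020290  # ET CURRENT_EVENTS Possible Dyre SSL Cert Jan 22 2015

# Assumed internal address space; adjust to your own $HOME_NET.
HOME_NETS = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Snort/Suricata fast-format alert line:
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} SRC:PORT -> DST:PORT
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_fast_log(lines):
    """Yield one dict per parseable alert line; non-matching lines are skipped."""
    for line in lines:
        m = FAST_LOG_RE.match(line.strip())
        if m:
            alert = m.groupdict()
            alert["sid"] = int(alert["sid"])
            yield alert


def internal_endpoint(alert):
    """Return the endpoint that lies in HOME_NETS, or None if neither does.

    The cert signature fires on server->client traffic, so the victim can be
    either src or dst depending on the rule; checking both ends handles that.
    """
    for key in ("src", "dst"):
        ip = ipaddress.ip_address(alert[key])
        if any(ip in net for net in HOME_NETS):
            return str(ip)
    return None


def triage_dyre_hosts(lines):
    """Classify internal hosts by which Dyre signatures they triggered.

    'spreading': saw 2020308 (mailer already downloaded, will send invoice.zip).
    'infected_no_mailer_yet': saw only 2020290 (infected, not yet spreading).
    """
    sids_by_host = defaultdict(set)
    for alert in parse_fast_log(lines):
        if alert["sid"] not in (SID_DYRE_MAILER, SID_DYRE_SSL_CERT):
            continue
        host = internal_endpoint(alert)
        if host is not None:
            sids_by_host[host].add(alert["sid"])

    result = {"spreading": [], "infected_no_mailer_yet": []}
    for host, sids in sorted(sids_by_host.items()):
        bucket = "spreading" if SID_DYRE_MAILER in sids else "infected_no_mailer_yet"
        result[bucket].append(host)
    return result


# Constructed sample alerts (RFC 5737 addresses, not the hosts from the thread).
SAMPLE_FAST_LOG = """\
03/27/2015-11:40:12.102938  [**] [1:2020290:2] ET CURRENT_EVENTS Possible Dyre SSL Cert Jan 22 2015 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:443 -> 10.20.30.40:51022
03/27/2015-11:41:55.551023  [**] [1:2020308:1] ET TROJAN Dyre Downloading Mailer [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.20.30.40:51130 -> 203.0.113.9:80
03/27/2015-11:45:03.000001  [**] [1:2020290:2] ET CURRENT_EVENTS Possible Dyre SSL Cert Jan 22 2015 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:443 -> 10.20.30.41:49801
03/27/2015-11:46:10.000002  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.20.30.42:22 -> 10.20.30.1:55555
this line is not an alert and is skipped
"""

if __name__ == "__main__":
    for bucket, hosts in triage_dyre_hosts(SAMPLE_FAST_LOG.splitlines()).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Run against a real fast.log with `triage_dyre_hosts(open("/var/log/suricata/fast.log"))`; the "infected_no_mailer_yet" list is the set to isolate first, since those machines have not yet started mailing invoice.zip to others.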
Current thread:
- Ongoing Infection Livio Ricciulli (Mar 27)
- Re: Ongoing Infection Brad Judy (Mar 27)
- Re: Ongoing Infection Livio Ricciulli (Mar 27)
- Re: Ongoing Infection Brad Judy (Mar 27)