Educause Security Discussion mailing list archives

Re: Ongoing Infection


From: Brad Judy <brad.judy () CU EDU>
Date: Fri, 27 Mar 2015 17:52:06 +0000

Also look for alerts for: 2020290 ET CURRENT_EVENTS Possible Dyre SSL Cert Jan 22 2015

This can indicate a machine that is infected, but has not (yet) downloaded the mailer to further spread the infection.

Brad Judy

Director of Information Security
University Information Systems
University of Colorado
1800 Grant Street, Suite 300
Denver, CO  80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu




From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Livio Ricciulli
Sent: Friday, March 27, 2015 11:49 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Ongoing Infection

Hi, we have noticed an ongoing infection in some of our edu customers' networks that is compromising Personally Identifiable Information systems. It is actively spreading very efficiently through email attachments (a common one is invoice.zip).

It looks like the smoking gun is:
/snort-trojan-activity/trojan/chrome/: 1.2020308:ET TROJAN Dyre Downloading Mailer

I would strongly encourage you to look for this or similar signatures on your networks.
In a few cases, after the infection, there are multiple downloads from ms671.moonshot.fastwebserver.de<https://nsm.metaflows.com/sockets/historical.php?aquery=2020308&w=any&hist_count=8000#89.163.220.162> "GET /ml1from1.tar" (not actually a tar file, some kind of encoded DBase file).

I hope this helps!


--
Livio Ricciulli
MetaFlows Inc
w +1(408) 457-1895
m +1(408) 835-5005
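The two Emerging Threats signature IDs named in this thread (2020290 for the Dyre SSL cert, 2020308 for the mailer download) lend themselves to a simple per-host triage. The script below is an added example, not code from either message or from MetaFlows; it assumes Snort/Suricata "fast" alert-log layout and that campus hosts sit in RFC 1918 space, and the sample alert lines are constructed for illustration.

```python
import re
import ipaddress
from collections import defaultdict

# Emerging Threats signature IDs named in the thread, and the stage each implies.
SID_DYRE_SSL_CERT = 2020290  # "Possible Dyre SSL Cert": infected, mailer not yet downloaded
SID_DYRE_MAILER = 2020308    # "Dyre Downloading Mailer": mailer fetched, spreading by email
STAGE_CERT_ONLY = "Dyre SSL cert seen, no mailer yet: isolate before it spreads"
STAGE_MAILER = "Dyre mailer downloaded: isolate, likely spreading via email"

# Assumption: campus hosts live in RFC 1918 space; replace with your own ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches Snort/Suricata "fast" alert lines (IPv4); the timestamp prefix is ignored.
ALERT_RE = re.compile(
    r"\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+"
)

def parse_alert(line):
    """Return (sid, msg, src, dst) for one fast.log line, or None if it is not an alert."""
    m = ALERT_RE.search(line)
    return None if m is None else (int(m["sid"]), m["msg"], m["src"], m["dst"])

def local_endpoint(src, dst):
    # The SSL-cert rule fires on server->client traffic and the mailer download on
    # client->server, so pick the local side of the flow rather than trusting direction.
    for ip in (src, dst):
        if any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS):
            return ip
    return src

def triage(lines):
    """Map each local host to the most advanced Dyre stage its alerts show."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_alert(line)
        if parsed and parsed[0] in (SID_DYRE_SSL_CERT, SID_DYRE_MAILER):
            sid, _msg, src, dst = parsed
            seen[local_endpoint(src, dst)].add(sid)
    return {host: STAGE_MAILER if SID_DYRE_MAILER in sids else STAGE_CERT_ONLY
            for host, sids in seen.items()}

# Constructed sample alerts, not real logs; external addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
03/27/2015-11:49:02.000001  [**] [1:2020308:3] ET TROJAN Dyre Downloading Mailer [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.10.5.20:49152 -> 203.0.113.7:80
03/27/2015-11:50:15.000002  [**] [1:2020290:2] ET CURRENT_EVENTS Possible Dyre SSL Cert Jan 22 2015 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.9:443 -> 10.10.5.31:50321
03/27/2015-11:51:00.000003  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.10.5.40:22 -> 192.0.2.4:4100
""".splitlines()
```

Run `triage(open("/var/log/suricata/fast.log"))` to get a host-to-stage map; hosts with only the cert alert are the ones Brad describes as infected but not yet spreading.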

