Janet network CSIRT recently provided guidance to a Janet-connected organisation that experienced a malware infection. The site performed a full analysis of the incident and wrote a post-mortem of the event and the lessons learned from it. The report was created initially for internal use, but they have kindly allowed us to publish a redacted version, in case it is useful for other institutions:
1 Summary
The period of protection offered by the joint action between the NCA and FBI ends at 00:00 BST on Tuesday 17 June. We recommend that you take full advantage of the remaining time and clean up any infected hosts.
As you may now be aware, the FBI and NCA are coordinating a 'global day of action' against the Zeus-P2p and Cryptolocker families of malware. Law enforcement and industry partners will be collaborating to interrupt infrastructure vital to the malware's operation and to raise public awareness of these threats.
We've disabled our monitoring of netflow feeds for W32/Conficker/Downadup infections. Given the decreasing number of vulnerable systems, the wide awareness of this issue and the low threat posed by the malware, we've decided it is no longer worth the effort and resources to maintain a system that was generating only a handful of alerts each day.
Our reports of infections will continue, but they'll only be sourced from data sent to us by third parties such as Shadowserver.
Microsoft's recent takedown of domains related to Citadel (a variant of Zeus) botnets has unfortunately also taken down a number of sinkhole domains that were being used by researchers to monitor and report on Citadel infections.
As a result, our reporting of Citadel and Zeus infections may see a drop in the coming weeks. Any decrease in the number of infections seen at a particular site may be due to this lack of visibility rather than to a genuine reduction in infected hosts.