Posted by Virus Guy on May 28, 2016, 3:58 pm
customer at an ivy-league new-england university to download the file.
We put a link to the file in an email and send it to his university
Our webserver logs indicate the following IPs made requests for the
.exe file from our server at the times given:
At 11:37 am:
At 11:43 am:
a.b.c.d Ivy-League University (we presume this is our customer)
We then create a duplicate of the .exe file, but change the extension to
.gif, and again send a link to the .gif to the customer via email. We
then note the following hits to the .gif file:
Because I've seen those IPs performing what I think are unauthorized
access to our website in the past, I have them blocked from being able
to download anything. So their attempts to download the file in
question were denied.
Also, either the customer at the University didn't get the second email,
or didn't act on it (the logs don't show any attempt from an IP at the
University to download the .gif file).
We then perform a .zip compression on the gif file, and password protect
the file. We send an email to the customer describing how to download
the .zip file but don't actually spell out the URL to the file in the
We don't see any attempt to download the .zip file. Again we don't know
if the customer got this third email or not, but it appears that by not
including the exact URL in the email the amazon and "your-server.de"
hosts were not made aware of the existence of this file (and hence made
no attempt to download it).
The next day we see the following
188.8.131.52 MSFT 15:58
184.108.40.206 MSFT 16:01
That IP does not resolve to any host-name, but the IP is assigned to
Micro$haft. The request was for the .exe file (and the request was
So to me it looks like an email scanning security product is running
either at the University or on the customer's PC, and this product is
scanning email messages looking for URLs and is performing a remote
access of the URL through a remote host(s), in this case machines
operated by amazon and "your-server.de" (Hetzner Online GmbH).
Does anyone know of such a security product or network security device
that utilizes distributed access to remote systems hosted by amazon or
Also, any ideas about the nature of the hit to the file from an MSFT IP?
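The investigation described in this post (send a link, then see which IPs fetch it and how soon) is easy to automate against the access log. The script below is an added example, not code from the original post: it parses constructed log lines in Apache/nginx combined format, and for a given "canary" path reports which requests came from the recipient's expected network and which came from elsewhere, with the delay from the time the email was sent. The IP ranges (198.51.100.0/24 as the customer's network, 203.0.113.0/24 and 192.0.2.0/24 as third-party hosts) and the paths are documentation values chosen for the example, not the addresses in the post.

```python
import re
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample lines in combined log format (not from the original post).
# 198.51.100.0/24 stands in for the customer's university network; 203.0.113.0/24 and
# 192.0.2.0/24 stand in for hosts that were never sent the email.
SAMPLE_LOG = """\
203.0.113.7 - - [28/May/2016:11:37:02 +0000] "GET /downloads/tool.exe HTTP/1.1" 200 512000 "-" "Mozilla/5.0"
203.0.113.9 - - [28/May/2016:11:37:05 +0000] "GET /downloads/tool.exe HTTP/1.1" 200 512000 "-" "Mozilla/5.0"
198.51.100.23 - - [28/May/2016:11:43:10 +0000] "GET /downloads/tool.exe HTTP/1.1" 200 512000 "-" "Mozilla/5.0"
198.51.100.23 - - [28/May/2016:11:50:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [28/May/2016:12:05:41 +0000] "GET /downloads/tool.gif HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.15 - - [29/May/2016:15:58:30 +0000] "GET /downloads/tool.exe HTTP/1.1" 200 512000 "-" "Mozilla/5.0"
this line is malformed and must be skipped
"""

# Enough of the combined format to recover source IP, timestamp, request path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log(text):
    """Yield (ip, timestamp, path, status) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group("ip"), ts, m.group("path"), int(m.group("status"))


def audit_canary(text, canary_path, sent_at, expected_nets):
    """
    Report every request for canary_path. A request is 'expected' when its source IP
    lies inside one of expected_nets (the recipient's network). Anything else is an
    unexpected fetch; delay_s (seconds after sent_at) shows how quickly it followed the link.
    """
    nets = [ip_network(n) for n in expected_nets]
    report = {"expected": [], "unexpected": []}
    for ip, ts, path, status in parse_log(text):
        if path != canary_path:
            continue
        rec = {"ip": ip, "delay_s": int((ts - sent_at).total_seconds()), "status": status}
        bucket = "expected" if any(ip_address(ip) in n for n in nets) else "unexpected"
        report[bucket].append(rec)
    return report


def demo():
    """Run the audit for both links of the experiment; returns (exe_report, gif_report)."""
    customer_net = ["198.51.100.0/24"]
    exe_sent = datetime(2016, 5, 28, 11, 35, tzinfo=timezone.utc)   # assumed send time
    gif_sent = datetime(2016, 5, 28, 12, 3, tzinfo=timezone.utc)    # assumed send time
    exe = audit_canary(SAMPLE_LOG, "/downloads/tool.exe", exe_sent, customer_net)
    gif = audit_canary(SAMPLE_LOG, "/downloads/tool.gif", gif_sent, customer_net)
    return exe, gif


if __name__ == "__main__":
    for name, rep in zip(("tool.exe", "tool.gif"), demo()):
        print(name)
        for kind in ("expected", "unexpected"):
            for r in rep[kind]:
                print(f"  {kind:10} {r['ip']:15} +{r['delay_s']}s status={r['status']}")
```

Fetches that arrive seconds after the email is sent, from networks the recipient does not use, are the signature of a link-scanning service; a 403 on the unexpected side confirms that a block rule applied to the scanner rather than to the customer.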
Re: What anti-virus product or device is responsible for this activity?
It COULD be scanning for malware. I suggest trying an
extension that could not possibly contain malware, and if they attempt
to download that, it's just plain spying/datamining your private
WOW, that would be a surprise!!!
Don't be evil - Google 2004
We have a new policy - Google 2012