James wrote in with the following:
Just a note to let you know that I've seen the occasional bit of targeted two-part malware that uses an apparent loopback URL, explaining the URL in
http://isc.sans.org/diary.html?storyid=4048
Part one of the malware rewrote the LMHOSTS file so that the URL resolved to a malicious address. Part two then directed probed users to that URL; users who hadn't fallen for the first part got a bad link (and didn't realise the implications), while users who fell for the first part picked up malware. The site in question (now down) used a frameset to attack the usual laundry list of browser flaws, while displaying localhost. This results in the error message in IE6 looking very similar between compromised and non-compromised hosts.
Further, when the second part got sent down to us for analysis, it wasn't immediately recognised as a serious threat; how dangerous can 127.0.0.1 be? It was only when we discovered the changes to LMHOSTS that we realised we were in trouble.
Thanks James!
Cheers,
Adrien de Beaupr
More...
Breakout Champion!
Linear Mode
