One explanation for 127.0.0.1

Published: 2008-03-04
Last Updated: 2008-03-04 18:51:53 UTC
by Adrien de Beaupre (Version: 1)
0 comment(s)

Simon wrote in with the following:

Just a note to let you know that I've seen the occasional bit of targeted two-part malware that uses an apparent loopback URL, explaining the URL in http://isc.sans.org/diary.html?storyid=4048

Part one of the malware rewrote the LMHOSTS file so that the URL resolved to a malicious address. Part two then directed probed users to that URL; users who hadn't fallen for the first part got a bad link (and didn't realise the implications), while users who fell for the first part picked up malware. The site in question (now down) used a frameset to attack the usual laundry list of browser flaws, while displaying localhost. This results in the error message in IE6 looking very similar between compromised and non-compromised hosts.

Further, when the second part got sent down to us for analysis, it wasn't immediately recognised as a serious threat; how dangerous can 127.0.0.1 be? It was only when we discovered the changes to LMHOSTS that we realised we were in trouble.

Thanks Simon!

Cheers,
Adrien de Beaupré

Keywords:
0 comment(s)

Comments


Diary Archives