Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: One explanation for SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
One explanation for

Simon wrote in with the following:

Just a note to let you know that I've seen the occasional bit of targeted two-part malware that uses an apparent loopback URL, explaining the URL in

Part one of the malware rewrote the LMHOSTS file so that the URL resolved to a malicious address. Part two then directed probed users to that URL; users who hadn't fallen for the first part got a bad link (and didn't realise the implications), while users who fell for the first part picked up malware. The site in question (now down) used a frameset to attack the usual laundry list of browser flaws, while displaying localhost. This results in the error message in IE6 looking very similar between compromised and non-compromised hosts.

Further, when the second part got sent down to us for analysis, it wasn't immediately recognised as a serious threat; how dangerous can be? It was only when we discovered the changes to LMHOSTS that we realised we were in trouble.

Thanks Simon!

Adrien de Beaupré

Adrien de Beaupre

353 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!