One explanation for

Simon wrote in with the following:

Just a note to let you know that I've seen the occasional bit of targeted two-part malware that uses an apparent loopback URL, explaining the URL in

Part one of the malware rewrote the LMHOSTS file so that the URL resolved to a malicious address. Part two then directed probed users to that URL; users who hadn't fallen for the first part got a bad link (and didn't realise the implications), while users who fell for the first part picked up malware. The site in question (now down) used a frameset to attack the usual laundry list of browser flaws, while displaying localhost. This results in the error message in IE6 looking very similar between compromised and non-compromised hosts.

Further, when the second part got sent down to us for analysis, it wasn't immediately recognised as a serious threat; how dangerous can be? It was only when we discovered the changes to LMHOSTS that we realised we were in trouble.

Thanks Simon!

Adrien de Beaupré
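The LMHOSTS change Simon describes is something a host check can catch. The following Python script is an added example (not code from the diary or from Simon's analysis): it parses LMHOSTS-format text and flags entries that map a name which should only ever resolve locally, such as localhost, to a non-loopback address, and also flags #INCLUDE directives that pull the file from a remote share. The sample file content and the set of local-only names are constructed for the example.

```python
import ipaddress

# Names that should only ever resolve to the machine itself. Constructed list
# for this example; a deployment would add the host's own NetBIOS name.
LOCAL_ONLY_NAMES = {"localhost", "loopback"}

# Constructed LMHOSTS content modelled on the two-part attack described above:
# a first stage appended a line that makes "localhost" resolve to a remote host.
SAMPLE_LMHOSTS = r"""
# constructed sample, not from the incident
192.0.2.10      fileserver      #PRE
192.0.2.11      "printsrv       \0x1f"
#INCLUDE \\192.0.2.99\share\lmhosts
198.51.100.23   localhost       #PRE
127.0.0.1       localhost
"""


def audit_lmhosts(text):
    """Return (line_number, reason, line) for entries that look like poisoning."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Comments are ignored, except #INCLUDE: a UNC include lets an
            # attacker change name resolution without touching this file again.
            if line.upper().startswith("#INCLUDE") and "\\\\" in line:
                findings.append((number, "remote #INCLUDE", line))
            continue
        parts = line.split(None, 1)
        if len(parts) < 2:
            findings.append((number, "malformed entry", line))
            continue
        ip_text, rest = parts
        if rest.startswith('"'):  # quoted name, possibly with a \0xNN suffix
            close = rest.find('"', 1)
            name = rest[1:close] if close > 0 else rest[1:]
        else:
            name = rest.split()[0]
        name = name.split("\\0x")[0].strip().lower()
        try:
            address = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append((number, "unparseable address", line))
            continue
        if name in LOCAL_ONLY_NAMES and not address.is_loopback:
            findings.append((number, "local-only name mapped to remote address", line))
    return findings


if __name__ == "__main__":
    for number, reason, line in audit_lmhosts(SAMPLE_LMHOSTS):
        print(f"line {number}: {reason}: {line}")
```

On a real host, read the text from %SystemRoot%\System32\drivers\etc\lmhosts and compare against a known-good copy as well, since the rewrite may change entries other than localhost.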


353 Posts
ISC Handler
Mar 4th 2008
