One explanation for 127.0.0.1

Simon wrote in with the following:

Just a note to let you know that I've seen the occasional bit of targeted two-part malware that uses an apparent loopback URL, explaining the URL in http://isc.sans.org/diary.html?storyid=4048

Part one of the malware rewrote the LMHOSTS file so that the URL resolved to a malicious address. Part two then directed probed users to that URL; users who hadn't fallen for the first part got a bad link (and didn't realise the implications), while users who fell for the first part picked up malware. The site in question (now down) used a frameset to attack the usual laundry list of browser flaws, while displaying localhost. This results in the error message in IE6 looking very similar between compromised and non-compromised hosts.

Further, when the second part got sent down to us for analysis, it wasn't immediately recognised as a serious threat; how dangerous can 127.0.0.1 be? It was only when we discovered the changes to LMHOSTS that we realised we were in trouble.
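The trick Simon describes hinges on the fact that a name that looks like loopback is only as trustworthy as the local resolver files. The following is an added example, not code from the diary or from Simon's report: it parses a hosts/LMHOSTS-style file, flags any entry that points a loopback name at a non-loopback address, and shows what an "apparent loopback" URL would actually resolve to once the file is consulted. The sample file is constructed (documentation-range addresses), and it simplifies resolution to "the file is consulted before anything else", which is an assumption rather than a description of Windows' full resolution order.

```python
"""
Detect hosts/LMHOSTS tampering that makes a loopback-looking name resolve
elsewhere, and show where an "apparent loopback" URL really goes.
Added example; not part of the ISC diary or Simon's report.
"""
import ipaddress
from urllib.parse import urlsplit

LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Tokens that begin with '#' in LMHOSTS but are directives, not comments.
LMHOSTS_DIRECTIVES = ("#PRE", "#DOM:", "#INCLUDE", "#BEGIN_ALTERNATE",
                      "#END_ALTERNATE", "#MH", "#SG")

# Constructed sample in LMHOSTS syntax (not a real capture). The second line
# is the kind of change the first-stage malware made.
SAMPLE_LMHOSTS = """\
# constructed sample, not a real file
192.168.10.5    FILESRV01      #PRE #DOM:CORP   # domain controller
198.51.100.23   localhost      #PRE             # added by stage one
10.0.0.7        PRINTSRV                        # ordinary entry
"""


def parse_hosts(text):
    """Return a list of (ip, [names], preloaded) from hosts/LMHOSTS text.

    Handles the shared 'IP name [name...] # comment' layout plus the LMHOSTS
    directives (#PRE, #DOM:, ...) that would otherwise look like comments.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens, preloaded = [], False
        for tok in line.split():
            if tok.startswith("#"):
                if tok.upper() == "#PRE":
                    preloaded = True
                    continue
                if tok.upper().startswith(LMHOSTS_DIRECTIVES):
                    continue
                break  # a real comment: ignore the rest of the line
            tokens.append(tok)
        if len(tokens) < 2:
            continue
        try:
            ip = ipaddress.ip_address(tokens[0])
        except ValueError:
            continue  # malformed address field
        entries.append((ip, [n.lower() for n in tokens[1:]], preloaded))
    return entries


def suspicious_entries(entries):
    """Entries that map a loopback name to a non-loopback address."""
    bad = []
    for ip, names, _ in entries:
        for name in names:
            if name in LOOPBACK_NAMES and not ip.is_loopback:
                bad.append((name, str(ip), "loopback name mapped off-loopback"))
    return bad


def resolve_host(hostname, entries):
    """Address the file gives for hostname, or None if the file has none."""
    hostname = hostname.lower()
    for ip, names, _ in entries:
        if hostname in names:
            return str(ip)
    return None


def where_does_it_go(url, entries):
    """Return (host, resolved_address, misleading).

    misleading is True when the host looks like loopback but the file sends
    it somewhere else. A literal IP such as 127.0.0.1 never hits the file,
    so it cannot be redirected this way.
    """
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return host, host, False
    except ValueError:
        pass
    addr = resolve_host(host, entries)
    misleading = (host in LOOPBACK_NAMES and addr is not None
                  and not ipaddress.ip_address(addr).is_loopback)
    return host, addr, misleading


if __name__ == "__main__":
    ents = parse_hosts(SAMPLE_LMHOSTS)
    for finding in suspicious_entries(ents):
        print("SUSPICIOUS:", finding)
    for u in ("http://localhost/index.html", "http://127.0.0.1/"):
        print(u, "->", where_does_it_go(u, ents))
```

Run against a live system the same logic applies to %SystemRoot%\System32\drivers\etc\hosts and lmhosts; the point the report makes is that the URL in the lure tells you nothing until you know what those files say.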

Thanks Simon!

Cheers,
Adrien de Beaupré

Adrien de Beaupre, ISC Handler, Mar 4th 2008