Simon wrote in with the following:
Just a note to let you know that I've seen the occasional bit of targeted two-part malware that uses an apparent loopback URL, explaining the URL in http://isc.sans.org/diary.html?storyid=4048
Part one of the malware rewrote the LMHOSTS file so that the URL resolved to a malicious address. Part two then directed probed users to that URL; users who hadn't fallen for the first part got a bad link (and didn't realise the implications), while users who fell for the first part picked up malware. The site in question (now down) used a frameset to attack the usual laundry list of browser flaws, while displaying localhost. This results in the error message in IE6 looking very similar between compromised and non-compromised hosts.
Further, when the second part got sent down to us for analysis, it wasn't immediately recognised as a serious threat; how dangerous can 127.0.0.1 be? It was only when we discovered the changes to LMHOSTS that we realised we were in trouble.
Adrien de Beaupré
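A defender-side check for the LMHOSTS change Simon describes, as an added example that is not part of the original diary or Simon's note: it parses hosts- or LMHOSTS-style text and flags any name that reads as loopback but is mapped to a non-loopback address. The name patterns, function names and sample data are assumptions made for illustration; the note does not say which names the malware wrote.

```python
import ipaddress
import re

# Assumption: names a reader would take to mean "this machine".
LOOPBACK_LOOKING = re.compile(r"^(localhost|loopback|127[.\-]\d)", re.I)

# Constructed sample (documentation address ranges), not data from the incident.
SAMPLE = """\
# constructed sample
127.0.0.1      localhost
::1            localhost
192.0.2.10     fileserver   #PRE #DOM:corp
203.0.113.66   LOCALHOST    #PRE
203.0.113.66   intranet 127.0.0.1.example
"""


def parse_entries(text):
    """Yield (lineno, ip, name) for each mapping in hosts/LMHOSTS-style text."""
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = []
        for token in line.split():
            if token.startswith("#"):  # comment or LMHOSTS directive: names end here
                break
            fields.append(token)
        if len(fields) < 2:
            continue  # blank line, comment, or directive-only line such as #INCLUDE
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; not a mapping line
        for name in fields[1:]:
            yield lineno, ip, name.strip('"')


def suspicious_entries(text):
    """Return (lineno, ip, name) where a loopback-looking name resolves elsewhere."""
    return [
        (lineno, str(ip), name)
        for lineno, ip, name in parse_entries(text)
        if LOOPBACK_LOOKING.match(name) and not ip.is_loopback
    ]


if __name__ == "__main__":
    for lineno, ip, name in suspicious_entries(SAMPLE):
        print(f"line {lineno}: {name!r} -> {ip} (looks like loopback, is not)")
```

On a Windows host the files to feed it are lmhosts and hosts under %SystemRoot%\System32\drivers\etc.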