[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] Windows Dcom Worm planned DDoS
- To: full-disclosure@lists.netsys.com
- Subject: Re: [Full-Disclosure] Windows Dcom Worm planned DDoS
- From: Nick FitzGerald <nick@virus-l.demon.co.uk>
- Date: Wed, 13 Aug 2003 11:38:57 +1200
Sebastian Niehaus <killedbythoughts@mindcrime.net> to me:
> > And, of course, if MS started messing with the DNS entries for
> > windowsupdate.com, it would be cutting an awful lot of users off from
> > much needed updates. which could be as disturbing as the rest of the
> > worm's effects...
>
> Could be a nice feature of a worm to modify the "hosts" file and
> prevent infected maschines to do DNS lookups.
>
> Users typing "www.microsoft.com" into their browsers could be tricked
> into downloading stuff from hostile servers and the "windows update"
> could be disabeled easily.
>
> This probably istn't a new concept, eh?
Correct about messing with the hosts file -- has been used by various
adware, spyware and browser hijackers for various purposes and
occasionally by other malware to, for example, block access to AV
and/or other security sites (pointing www.<company>.com to 127.0.0.1
for example). Offhand I don't recall it being used specifically to
target Windows Update or other MS sites with the intention of causing
the user to unwittingly d/l something malicious (in general, if a piece
of malware has this level of access to the victim's machine it probably
can do much, if not all, it needs without engaging in network address
subterfuges...).
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html