Full Disclosure mailing list archives

Re: Windows Dcom Worm planned DDoS


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 13 Aug 2003 11:38:57 +1200

Sebastian Niehaus <killedbythoughts () mindcrime net> to me:

> And, of course, if MS started messing with the DNS entries for
> windowsupdate.com, it would be cutting an awful lot of users off from
> much needed updates, which could be as disturbing as the rest of the
> worm's effects...
>
> Could be a nice feature of a worm to modify the "hosts" file and
> prevent infected machines from doing DNS lookups.
>
> Users typing "www.microsoft.com" into their browsers could be tricked
> into downloading stuff from hostile servers and the "windows update"
> could be disabled easily.
>
> This probably isn't a new concept, eh?

Correct about messing with the hosts file -- has been used by various 
adware, spyware and browser hijackers for various purposes and 
occasionally by other malware to, for example, block access to AV 
and/or other security sites (pointing www.<company>.com to 127.0.0.1 
for example).  Offhand I don't recall it being used specifically to 
target Windows Update or other MS sites with the intention of causing 
the user to unwittingly d/l something malicious (in general, if a piece 
of malware has this level of access to the victim's machine it probably 
can do much, if not all, it needs without engaging in network address 
subterfuges...).


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
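The hosts-file trick discussed above (pointing www.<company>.com at 127.0.0.1 to block AV sites, or at some other address to redirect a site) is easy to check for on a suspect box. The following is an added example written for this archive page, not code from either poster: it parses a hosts file in the Windows format (on Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts) and reports any entry that maps a watched vendor or update domain to a loopback/null address ("blocked") or to anything else ("redirected"). The list of watched domains and the sample hosts file are constructed for the example and are assumptions, as is the simple "last two labels" rule used to reduce a hostname to its registered domain.

```python
"""Flag hosts-file entries that block or redirect security-related domains.

Added example for the Full-Disclosure thread on hosts-file tampering;
the domain list, sample file and helper names below are assumptions.
"""
import ipaddress

# Illustrative set of domains a worm or adware package would plausibly
# target (AV vendors, Windows Update).  Assumed list, extend as needed.
WATCHED_DOMAINS = {
    "microsoft.com",
    "windowsupdate.com",
    "symantec.com",
    "mcafee.com",
    "trendmicro.com",
    "sophos.com",
}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file.

    Handles the usual format: '#' starts a comment, whitespace separates
    the address from one or more hostnames, blank lines are ignored.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: address with no hostname
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower().rstrip("."), line_no


def registered_domain(host):
    """Reduce a hostname to its last two labels (assumed, naive rule that
    ignores multi-part public suffixes such as co.uk)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_loopback_or_null(ip):
    """True for 127.0.0.0/8, ::1 and the unspecified address 0.0.0.0."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def scan_hosts(text, watched=WATCHED_DOMAINS):
    """Return a list of findings for watched domains that are mapped at all.

    A legitimate hosts file has no reason to mention an AV vendor or
    Windows Update, so any mapping is suspicious; the 'kind' field says
    whether the entry blocks the site or sends it somewhere else.
    """
    findings = []
    for ip, host, line_no in parse_hosts(text):
        if host == "localhost":
            continue  # standard entry, not of interest
        if registered_domain(host) not in watched:
            continue
        kind = "blocked" if is_loopback_or_null(ip) else "redirected"
        findings.append({"line": line_no, "host": host, "ip": ip, "kind": kind})
    return findings


# Constructed sample hosts file for the example (not a real capture).
SAMPLE_HOSTS = """\
# Hosts file taken from an (imaginary) infected machine
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantec.com
0.0.0.0         www.mcafee.com   # null-routed
192.0.2.10      windowsupdate.microsoft.com www.microsoft.com
10.0.0.5        intranet.example.com
"""


if __name__ == "__main__":
    for f in scan_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
```

Run against the sample, the three loopback/null entries come back as "blocked" and the two Microsoft names pointed at 192.0.2.10 as "redirected"; the intranet line is ignored because its domain is not watched. A "redirected" hit is the more interesting one for the scenario in the thread, since it is the case where a user typing www.microsoft.com would be served by a host the malware chose.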

