Sebastian Niehaus <killedbythoughtsat_private> to me: > > And, of course, if MS started messing with the DNS entries for > > windowsupdate.com, it would be cutting an awful lot of users off from > > much needed updates. which could be as disturbing as the rest of the > > worm's effects... > > Could be a nice feature of a worm to modify the "hosts" file and > prevent infected maschines to do DNS lookups. > > Users typing "www.microsoft.com" into their browsers could be tricked > into downloading stuff from hostile servers and the "windows update" > could be disabeled easily. > > This probably istn't a new concept, eh? Correct about messing with the hosts file -- has been used by various adware, spyware and browser hijackers for various purposes and occasionally by other malware to, for example, block access to AV and/or other security sites (pointing www.<company>.com to 127.0.0.1 for example). Offhand I don't recall it being used specifically to target Windows Update or other MS sites with the intention of causing the user to unwittingly d/l something malicious (in general, if a piece of malware has this level of access to the victim's machine it probably can do much, if not all, it needs without engaging in network address subterfuges...). -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 17:43:43 PDT