Ian (![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png)
lovingboth) wrote2005-01-13 01:57 pm
lovingboth) wrote2005-01-13 01:57 pm
Entry tags:
Hmmm...
Update: it seems this odd "feature" of windowsupdate - you know, the way you get critical security patches - is indeed genuine. Gosh.
Remember the person who ran an attachment on an email pretending to be from his hotmail account which he knew he didn't send?
Something interesting is happening on our PCs, and although Sophos reckons there's no infection, it may well be linked.
Can you run the following two from the command line (Windows 9x: Start / Programs / MS-DOS Prompt, Win 2k/XP: Start / Programs / Command line, Linux: ... probably don't need to be told!)
ping windowsupdate.microsoft.com
ping v4.windowsupdate.microsoft.com
(Ping sends a small 'hello' message to the destination and expects a 'hello' back, but it's the IP address I'm particularly interested in...)
What's the result?
Remember the person who ran an attachment on an email pretending to be from his hotmail account which he knew he didn't send?
Something interesting is happening on our PCs, and although Sophos reckons there's no infection, it may well be linked.
Can you run the following two from the command line (Windows 9x: Start / Programs / MS-DOS Prompt, Win 2k/XP: Start / Programs / Command line, Linux: ... probably don't need to be told!)
ping windowsupdate.microsoft.com
ping v4.windowsupdate.microsoft.com
(Ping sends a small 'hello' message to the destination and expects a 'hello' back, but it's the IP address I'm particularly interested in...)
What's the result?
Re: Rather than that...
I'm pretty sure this is just plain old outsourcing - Savvis does serious heavy-lifting network stuff, and Microsoft is one of their big name punters.
(Incidentally, I'm not surprised that the hosts in question drop pings on the floor - that's just what I'd do with such high-profile sites that to any script kiddie have "DoS ME!" written in foot-high letters of fire on 'em.)
Re: Rather than that...
Then whenever the victim types in www.mybank.com or whatever, they end up on your fake site. Doesn't matter that you haven't hacked mybank.com's DNS, and there's no suspicious links to click on.
If you're really clever, the trojan deletes itself so when AV companies catch on, the PC looks clean.
Evil, but brilliant.
(I didn't think not responding to pings was suspicious! I wasn't happy that www.nsatc.net doesn't work though.)