Udostępnij za pośrednictwem


I passed my CISSP exam

Well, nothing like getting all of my news out of the way in one go.

Because of my self imposed rule that all blogs must have some technical content:

Most bots don't use hard coded IP addresses for their command and control mechanism. Sometimes the engine of the bot is passed the IP address as a parameter but generally the malware does a DNS lookup. This helps the malware writer since it is fairly easy to kill a site and the DNS deref means that the site can be resurrected if WhiteHats take it down. However, it also gives us another tool.

Back in the history of the internet, there was a time when it wasn't that hard to recall the IP addresses of all the sites that you used because there were perhaps 5. When there 70 or so, people would download a list of sites and their IP addresses - the hosts file. Now we use DNS servers that look up any domain name but Windows will use the address in the hosts file first. This file is at %SystemRoot%\system32\drivers\etc\hosts and is just a plain text file with no file name extention. So, if a bit of malware wants to connect to www.mybadsite.com and you add an entry to the hosts file to 127.0..0.0 (remember that there is no place like home) then the malware will not be able to get commands or pass out information. That has largely broken it, buying you some time without otherwise breaking your infrastructure

 Signing off

 Mark

Comments