Security Community Blog

When you can't access AV vendor websites

Created: 21 Apr 2009 • 1 comment

In the past, we have seen threats modify the Windows hosts file to redirect AV vendor websites to the 127.0.0.1 loopback address.
Some security software also injects known bad URLs into the same hosts file, pointing them at the 127.0.0.1 loopback address.

Well, nowadays the bad guys are getting smarter and do more advanced things than hosts file modification.

In a few recent pieces of malware [i.e. Conficker, aka Downadup], we see that infected machines are unable to access AV vendor sites although the hosts file is empty.
And a ping to an AV website yields a 127.0.0.1 address resolution.

Well, now there are a few tricks we can use to work around this issue.

It's an old trick: clear the DNS cache on our machine so that every lookup goes to the DNS server instead of being answered from the cache.
Microsoft has a KB article on this at support.microsoft.com/kb/318803 .
It is as simple as typing 'net stop dnscache' or 'sc servername stop dnscache' [without the ''] in your Start -> Run box.
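The check behind the post's observation (hosts file empty, yet an AV vendor name still resolves to 127.0.0.1) can be scripted so it is repeatable before and after the dnscache step. The following is an added example written for this page, not code from the original post or from any vendor; the watch-list hostnames are illustrative placeholders, and the hosts-file path is only a default you may need to adjust. It parses the hosts file, resolves each watched name through the operating system resolver, and reports whether a loopback answer is explained by a hosts entry (the classic trick) or comes from the resolver itself (cache or interception, the case the post describes).

```python
"""Audit whether security-vendor hostnames are being redirected to loopback.

Added example for this page (not the original post's code). The WATCHLIST
entries and the default hosts-file path are assumptions; adjust them for
your environment.
"""
import ipaddress
import os
import socket

# Constructed watch-list: replace with the vendor sites your organisation relies on.
WATCHLIST = ["www.symantec.com", "www.microsoft.com", "liveupdate.example-av.invalid"]

# Assumed default location of the hosts file on Windows and on Unix-like systems.
DEFAULT_HOSTS = (r"C:\Windows\System32\drivers\etc\hosts" if os.name == "nt"
                 else "/etc/hosts")


def parse_hosts(text):
    """Map hostname -> address from hosts-file text, ignoring comments and blanks."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping[name.lower()] = addr
    return mapping


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; False for anything that is not an address."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def resolve_with_system(name):
    """Live lookup via the OS resolver (hosts file, then cache, then DNS)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def classify(hosts_text, resolved, watchlist=WATCHLIST):
    """Return {name: verdict} for each watched name.

    resolved: {name: address or None} as produced by the resolver.
    Verdicts:
      'ok'         resolves to a non-loopback address
      'hosts'      loopback, and a hosts-file entry explains it
      'resolver'   loopback although the hosts file does not pin it:
                   a poisoned cache or an interception layer
      'unresolved' no answer at all
    """
    pinned = parse_hosts(hosts_text)
    verdicts = {}
    for name in watchlist:
        addr = resolved.get(name)
        if addr is None:
            verdicts[name] = "unresolved"
        elif not is_loopback(addr):
            verdicts[name] = "ok"
        elif is_loopback(pinned.get(name.lower(), "")):
            verdicts[name] = "hosts"
        else:
            verdicts[name] = "resolver"
    return verdicts


def audit(hosts_path=DEFAULT_HOSTS, watchlist=WATCHLIST):
    """Read the real hosts file, resolve live, and return the verdict map."""
    with open(hosts_path, encoding="utf-8", errors="replace") as f:
        hosts_text = f.read()
    resolved = {name: resolve_with_system(name) for name in watchlist}
    return classify(hosts_text, resolved, watchlist)


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{verdict:10} {name}")
```

Run it once, stop the dnscache service as described above, then run it again: a name that moves from 'resolver' to 'ok' was being served from a stale or poisoned cache, while a name that stays 'resolver' with an empty hosts file is being answered wrongly further along the path (the configured DNS server, or something intercepting lookups on the host), which is worth investigating rather than just clearing the cache again.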

And again, you can always visit www.confickerworkinggroup.org/infection_test/cfeyechart.html for an eye test :)

Comments (1)

SAM_SHAIKH:

Hi,

The above document really helped me as we were facing such issues in our company.

Thanks and keep posting such valuable information.

Rgrds,
SAM
