>Since the original "hidusi[.]com" domain was down, we needed to host our version of side.html. Hosting a file is easy, but how do we make the Word document use our domain instead
What's interesting here is the author just didn't host their own internal DNS infrastructure. Editing the file is simple in its own way, but I guess coming from an operations side I'd have set up a DNS and HTTP server to handle it.
Author here. Yes, simply editing my hosts file would have been much easier. The reason I went the longer approach of setting up the payload on a remote web server was because there is the concept of security zones in Internet Explorer. Visiting localhost in Internet Explorer gets treated with a different level of trust compared to randomwebsite.com. For example, if you go to your security settings in Internet Explorer, there is an "Internet" zone but also a "Local intranet" zone. If you compare the two, you'll see they have different security settings. By hosting the payload on an external domain, we ensure that we are simulating an identical environment to the one that existed for the attack (and are not subject to a different level of trust).
Nice, even before clicking I figured OLE would be involved somehow.
This sort of malware reversing/analysis is always a fun trip to me, and the few times I’ve got to do anything even remotely like that it’s been a revival of my interests in computers. Sadly I’m not particularly good when it comes to reverse engineering code (and don’t have access to Ida Pro’s decompiler).
No need to set up DNS at all.
Your system will resolve whatever hostnames you want to whatever IP addresses you want. You just add the entries to a text file.
It will always override whatever results come from DNS.
The author definitely went the long way with this approach.
In general when performing malware analysis you want a logging DNS cache to keep track of any lookup the software makes.
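As an added example (not code from the thread or the original write-up), here is a minimal logging DNS sinkhole of the kind this comment describes: it records every lookup the sample makes and answers A queries with the analyst's own web-server address, so a lookup for the page's hidusi.com lands on the lab host instead. The bind address 127.0.0.1:5353 and the answer IP 10.0.0.5 are lab assumptions.

```python
import socket
import struct

# Added example: a tiny logging DNS sinkhole for a malware-analysis lab.
# Every A query is logged and answered with the analyst's web-server IP.

def build_query(name, txid=0x1234):
    """Constructed test input: a standard recursive A query for `name`."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return hdr + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_query(pkt):
    """Return (txid, qname, qtype, raw question section) from a DNS query."""
    txid = struct.unpack("!H", pkt[:2])[0]
    off, labels = 12, []
    while pkt[off] != 0:               # walk the length-prefixed labels
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    off += 1                           # skip the terminating zero byte
    qtype = struct.unpack("!H", pkt[off:off + 2])[0]
    return txid, ".".join(labels), qtype, pkt[12:off + 4]

def build_response(txid, question, qtype, answer_ip, ttl=60):
    """Echo the question; attach one A record (NOERROR) if qtype is A, else no answer."""
    is_a = qtype == 1
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1 if is_a else 0, 0, 0)
    if not is_a:
        return hdr + question
    # 0xC00C is a compression pointer to the name at offset 12 (the question)
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return hdr + question + rr

def sinkhole(pkt, answer_ip, log):
    """Handle one query: record (name, qtype) in `log`, return the response bytes."""
    txid, name, qtype, question = parse_query(pkt)
    log.append((name, qtype))
    return build_response(txid, question, qtype, answer_ip)

def serve(answer_ip="10.0.0.5", bind=("127.0.0.1", 5353)):
    """Run the sinkhole over UDP; point the sample VM's resolver at `bind` (assumed lab values)."""
    log = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(bind)
        while True:
            pkt, peer = s.recvfrom(512)
            s.sendto(sinkhole(pkt, answer_ip, log), peer)
            name, qtype = log[-1]
            print("%s asked for %s (qtype %d)" % (peer[0], name, qtype))
```

The log is the analysis artifact: every hostname the sample resolves shows up there, whether or not a hosts-file entry would have caught it.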
>It will always override whatever results come from DNS.
there are limitations, good luck overriding ctldl.windowsupdate.com https://forums.mydigitallife.net/threads/windows-10-hosts-fi...