Microsoft Bypasses HOSTS File
whitehatlurker writes "Dave Korn announced on the Full Disclosure and Bugtraq security lists that Microsoft is bypassing local lookups for some hosts, meaning that you can't locally block some sites through your HOSTS file. All of these sites are Microsoft controlled sites.
The general feeling in the rest of the thread is that this was to obfuscate these hosts and prevent them from being blocked by malware. However, there are no non-Microsoft hosts listed, giving a competitive advantage for Microsoft's anti-malware tools over other brands."
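A hosts-file audit in the spirit of the finding above, written here as an added example (it is not from the thread and not Dave Korn's own test): it parses the hosts file, asks the platform resolver for every name the file assigns, and reports names whose answer contains an address the file never listed. Run on Windows, the resolver path goes through the same system resolver the thread is discussing, so an entry that "should" resolve to 0.0.0.0 but comes back with a real address is exactly the bypass being described. The sample hosts text and the `.test` names are constructed for offline demonstration; round-robin or CNAME'd names can legitimately show more addresses than the file, so treat the output as a list to investigate, not proof on its own.

```python
"""Check whether the OS resolver honours each entry in a hosts file.

Added example, not code from the original page. It compares what the
hosts file says against what the platform resolver actually answers.
"""
import ipaddress
import os
import socket
from typing import Callable, Dict, List, Set

# Constructed sample hosts file (the .test names are placeholders).
SAMPLE_HOSTS = """\
# comment line
127.0.0.1   localhost
0.0.0.0     example-blocked.test   # blocked by the local admin
0.0.0.0     update-server.test     alias.update-server.test
::1         localhost
"""


def parse_hosts(text: str) -> Dict[str, Set[str]]:
    """Map each hostname (lower-cased) to the set of addresses the file assigns it."""
    mapping: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))  # normalise, skip junk
        except ValueError:
            continue
        for name in fields[1:]:
            mapping.setdefault(name.lower(), set()).add(addr)
    return mapping


def system_resolve(name: str) -> Set[str]:
    """Resolve through the platform resolver; returns an empty set on failure."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return set()
    answers: Set[str] = set()
    for info in infos:
        try:
            answers.add(str(ipaddress.ip_address(info[4][0].split("%")[0])))
        except ValueError:
            pass  # ignore anything the ipaddress module cannot parse
    return answers


def audit_hosts(text: str,
                resolve: Callable[[str], Set[str]] = system_resolve) -> List[str]:
    """Return names whose resolver answer includes an address not in the hosts file."""
    bypassed = []
    for name, expected in parse_hosts(text).items():
        answered = resolve(name)
        if answered and not answered <= expected:
            bypassed.append(name)
    return sorted(bypassed)


def default_hosts_path() -> str:
    """Platform hosts-file location (Windows path built from %SystemRoot%)."""
    if os.name == "nt":
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    with open(default_hosts_path(), encoding="utf-8", errors="replace") as fh:
        for host in audit_hosts(fh.read()):
            print("hosts entry apparently bypassed:", host)
```

The resolver is passed in as a parameter so the logic can be exercised with a fake resolver; in production use the default `system_resolve` and run it as the user whose lookups you care about.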
I agree. In addition, as much as I may think they should include other sites on that list, those other sites do not play into what Microsoft sees as the "integrity" of their product. They're not out to make sure that you can get the latest update of Apache or OpenOffice or whatever; they want to make sure that you can update Windows to the latest version (one that might actually stop the malware they're trying to protect from) or get to a place where you can ask Microsoft a question (which they may or may not answer, and if they do, the answer to which may or may not be helpful), or, heaven forbid, get to a place where you can order a new Microsoft product (probably because you haven't realized it will have similar flaws to your current and older MS products).
"If God's on our side, he'll stop the next war." -- Bob Dylan
The solution exists. Running as standard user in Windows XP will prevent changes to the hosts file.
Because using an IP address for the program to access causes problems if your server's IP changes. Simple as that.
If the adware can change your hosts file then this is pretty useless anyway. Now all the software has to do is run a script that does the following
nslookup whatever.microsofts.domains
takes the list of return addresses and
route ADD destination MASK mask INVALID INVALID INVALID foreach
and your traffic to MS won't even leave the network card.
Actually, there's an anti-spyware available from Windows Update called "Malicious Software Removal Tool". I think it only targets the most common and popular types of hacks,
Whenever I hear the word 'Innovation', I reach for my pistol.
It turns out to be easier to subvert the hosts file than to intercept DNS lookup. There's a really easy way to replace the hosts file from an activex script. How you would subvert DNS from the same point of attack is unclear.
"Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
By MS doing this Host file management, they are admitting that most users don't use or know the host files, and the most probable reason for host file change, especially as it relates to MS, is an attack.
I should, in my user account, have a wide variety of leeway. If I mess up, I or my qualified agent should be able to go to an admin account and troubleshoot. This means that as long as I am running XP as a user, that should not mess up the admin host file.
When I think about this it seems like guns for airline pilots. We really don't want guns on board an aircraft. The proper fix is to make the cockpit an extremely secure location so that pilots can do their job, which is not battle terrorists, but fly the plane. It has been shown that as long as a pilot is in control, and given certain leeway, the pilot has a good chance of halting dangerous activity with minimal danger. But simply securing the cockpit is not sexy enough and does not satisfy the ulterior motives, so we find this other silly thing that does not help much, but does promote secondary goals.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
20 dollars, try free, like AVG. AVG is pretty nice: it operates in stealth mode so your computer's ports are invisible to probes, and it alerts you when any new program tries to phone home. And no, I'm not affiliated or invested in AVG in any way; I just think it's cool they make a good firewall available for free.
Yes it's proprietary and closed source, but at least free as in beer, shrug.
Anyway I only run Windows in a Virtual PC sandbox so it won't infect my real O.S.
Tired of all the isms, don't exploit people as an employer, or a government, mmmmK?
If you want to bypass the hosts file all you need to do is connect by using the IP address as opposed to the DNS name. Sure it seems a bit more complicated or problematic (in case the DNS->IP mapping changes) but I'm sure all malware programs would rather specify an IP instead of DNS. I would if I was creating a malware program :-)
You're absolutely right about the root problem as running everything as admin. Almost all the malware that I've seen fails miserably unless run as admin, and that which does run can't infect the entire system. I guess the users that know enough to run as a normal user are the same ones that avoid that crap in the first place.
>What is there to stop a virus making edits to the dll binary? Changing the strings that presently
>correspond to the IP addresses of MS domains to some random, invalid address?
Yes, there is a mechanism built into Windows which uses digital signatures and a watchdog to prevent accidental (or deliberate) changes to sensitive DLLs. Any binary changes to any file will invalidate the signature on the DLL. This is more effective than tripwire or other such things whereby a checksum is held in another location since the DLL itself is signed using a PK and cannot be re-signed to hide the changes.
Windows File Protection: http://support.microsoft.com/?kbid=222193
- Oisin
PGP KeyId: 0x08D63965
why not just block them at the router level? or am I missing something obvious?
You don't need to break RSA - just replace the DLL that handles RSA with one that does nothing. Remember the PC is compromised - so the virus/spyware maker can do that and I think they have done it in the past.
Oh well, what the hell...
-Considering the most popular non-microsoft patches are to tcpip.sys and uxtheme.dll
Oddly enough, I just noticed this today with OS X.
Try creating a host entry over configuration.apple.com on 10.4.6.
If only most applications could run properly with user-level permissions.
I admin a tiny number of desktops and not one of them worked with user-level permissions.
-Mysterious errors
-Application functions that simply did not work.
These are *very* generic XPSP2/Win2k desktops with Office 2K/2003.
Initially, I was not deterred. With every hurdle crossed with ugly hacks, there was yet another error with no documented solution.
Someone posted a link to NIST(?) documentation that I eventually used. It's by far the best way to do a job that the OS was never designed to perform.
Mod parent way down
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Just look here for more info:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dns/dns/dnsquery.asp
Also you can defeat a Host file by simply changing the priority of lookups using the registry, more here:
http://www.dslreports.com/forum/remark,15900699~days=9999~start=20#15902844
Black Gray White Hats Unite to protect http://testing.OnlyTheRightAnswers.com
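The post above mentions that the lookup order itself can be changed in the registry. The following added example (not from the thread or from the linked posts) audits that setting from a defender's side. It assumes the Windows name-resolution priorities live under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider` as `LocalPriority`, `HostsPriority`, `DnsPriority` and `NetbtPriority`, with lower numbers consulted first and defaults of 499/500/2000/2001; those names and defaults are from my own recollection of Microsoft's documentation, so confirm them against a known-good machine before relying on the findings. The evaluation is kept as a pure function over a dictionary so it can be exercised offline; the registry read runs only on Windows.

```python
"""Audit the Windows resolver lookup-order priorities.

Added example, not code from the original page. A configuration where
DNS is consulted before the hosts file makes hosts-file blocks moot.
"""
from typing import Dict, List

# Assumed key and value names (from memory of Microsoft's docs; verify locally).
KEY_PATH = r"SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider"
DEFAULTS: Dict[str, int] = {
    "LocalPriority": 499,   # local cache
    "HostsPriority": 500,   # hosts file
    "DnsPriority": 2000,    # DNS
    "NetbtPriority": 2001,  # NetBIOS over TCP/IP
}


def evaluate_priorities(values: Dict[str, int]) -> List[str]:
    """Return human-readable findings for a set of priority values.

    Values missing from `values` are assumed to be at their defaults.
    """
    merged = {**DEFAULTS, **values}
    findings: List[str] = []
    # Lower number wins, so hosts must be strictly below DNS to be consulted first.
    if merged["HostsPriority"] >= merged["DnsPriority"]:
        findings.append(
            "DNS consulted before hosts file (HostsPriority=%d, DnsPriority=%d)"
            % (merged["HostsPriority"], merged["DnsPriority"])
        )
    if merged["LocalPriority"] >= merged["HostsPriority"]:
        findings.append(
            "local cache no longer ahead of hosts file (LocalPriority=%d, HostsPriority=%d)"
            % (merged["LocalPriority"], merged["HostsPriority"])
        )
    for name, default in DEFAULTS.items():
        if merged[name] != default:
            findings.append("%s changed from default %d to %d" % (name, default, merged[name]))
    return findings


def read_priorities() -> Dict[str, int]:
    """Read the current values from the registry (Windows only)."""
    import winreg  # imported here so the module also loads on non-Windows hosts

    found: Dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH) as key:
        for name in DEFAULTS:
            try:
                value, _ = winreg.QueryValueEx(key, name)
                found[name] = int(value)
            except FileNotFoundError:
                pass  # value absent: treated as default by evaluate_priorities
    return found


if __name__ == "__main__":
    for finding in evaluate_priorities(read_priorities()) or ["priorities at defaults"]:
        print(finding)
```

Any non-default value is reported, not only the dangerous ordering, because a changed priority on a workstation that nobody administers by hand is itself worth a look.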
Here's a simple solution to the Microsoft controlled DNS HOSTS file:
http://treewalkdns.com/
Allows you to bypass Windows' own DNS server and gives you the useful feature of making DNS queries much quicker than resolving to your ISP all the time, among other benefits.
Very easy to install for Joe User and just as easy to uninstall.
HTH
Visceral Psyche Films