Slashdot Mirror


Microsoft Bypasses HOSTS File

whitehatlurker writes "Dave Korn announced on the Full Disclosure and Bugtraq security lists that Microsoft is bypassing local lookups for some hosts, meaning that you can't locally block some sites through your HOSTS file. All of these sites are MicroSoft controlled sites. The general feeling in the rest of the thread is that this was to obfuscate these hosts and prevent them from being blocked by malware. However, there are no non-MicroSoft hosts listed, giving a competitive advantage for MicroSoft's anti-malware tools over other brands."

7 of 459 comments

  1. Re:Is this necessarily a bad thing? by Morvandium · Score: 5, Informative

    I agree. In addition, as much as I may think they should include other sites on that list, those other sites do not play into what MicroSoft sees as the "integrity" of their product. They're not out to make sure that you can get the latest update of Apache or OpenOffice or whatever; they want to make sure that you can update Windows to the latest version (one that might actually stop the malware they're trying to protect from) or get to a place where you can ask MicroSoft a question (which they may or may not answer, and if they do, the answer to which may or may not be helpful), or, heaven forbid, get to a place where you can order a new MicroSoft product (probably because you haven't realized it will have similar flaws to your current and older MS products).

    --
    "If God's on our side, he'll stop the next war." -- Bob Dylan
  2. Re:Yet Another Band-Aid? by idesofmarch · Score: 5, Informative

    The solution exists. Running as standard user in Windows XP will prevent changes to the hosts file.

  3. Route to null by PlusFiveTroll · Score: 5, Informative

    If the adware can change your hosts file then this is pretty useless anyway. Now all the software has to do is run a script that does the following:

    nslookup whatever.microsofts.domains
    takes the list of return addresses and
    route ADD destination MASK mask INVALID INVALID INVALID foreach

    and your traffic to MS won't even leave the network card.

  4. Re:MSN by mrraven · Score: 3, Informative

    20 dollars? Try free, like AVG. AVG is pretty nice: it operates in stealth mode so your computer's ports are invisible to probes, and it alerts you when any new program tries to phone home. And no, I'm not affiliated or invested in AVG in any way; I just think it's cool they make a good firewall available for free.
    Yes, it's proprietary and closed source, but at least free as in beer, shrug.
    Anyway, I only run Windows in a Virtual PC sandbox so it won't infect my real O.S.

    --
    Tired of all the isms, don't exploit people as an employer, or a government, mmmmK?
  5. Re:Permissions? by Foolhardy · Score: 3, Informative

    On Windows Server 2003 SP1:
    C:\WINNT\system32\drivers\etc\hosts
    BUILTIN\Users :R
    BUILTIN\Power Users:R
    BUILTIN\Administrators:F
    NT AUTHORITY\SYSTEM:F
    Normal and power users get read, Administrators and SYSTEM get full control, all inherited from the drivers directory.

    You're absolutely right about the root problem being that everything runs as admin. Almost all the malware that I've seen fails miserably unless run as admin, and that which does run can't infect the entire system. I guess the users that know enough to run as a normal user are the same ones that avoid that crap in the first place.
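    As an added example (not part of the thread), a PowerShell check in the spirit of the cacls listing above: it reads the ACL on the HOSTS file and reports any Allow entry that grants write or delete rights to a principal other than SYSTEM, Administrators or TrustedInstaller. The trusted-writer list and the %SystemRoot%-relative path are assumptions about a default install (on Windows Server 2003 the root is C:\WINNT, as in the listing).

```powershell
# Added example, not from the thread: audit who may modify the HOSTS file.
# Assumption: a default install where only SYSTEM, Administrators and
# TrustedInstaller are expected to hold write access.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$TrustedWriters = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

# Rights that let a principal change the file's contents or replace it.
# Read/Execute (what Users and Power Users hold in the listing) are not flagged.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Delete

$acl = Get-Acl -Path $HostsPath

$findings = foreach ($ace in $acl.Access) {
    # Only Allow entries can grant access; Deny entries never widen it.
    if ($ace.AccessControlType -ne 'Allow') { continue }

    $identity    = $ace.IdentityReference.Value
    $grantsWrite = ($ace.FileSystemRights -band $WriteMask) -ne 0

    if ($grantsWrite -and ($TrustedWriters -notcontains $identity)) {
        [pscustomobject]@{
            Identity  = $identity
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # $true means it came from drivers\etc
        }
    }
}

# The owner can always rewrite the ACL, so report that too.
Write-Output ("Owner of {0}: {1}" -f $HostsPath, $acl.Owner)

if ($findings) {
    Write-Warning 'HOSTS file is modifiable by non-administrative principals:'
    $findings | Format-Table -AutoSize
} else {
    Write-Output ("OK: only {0} may modify the HOSTS file" -f ($TrustedWriters -join ', '))
}
```

    A clean result only shows that a standard user cannot edit the file; as the comment says, anything already running as admin is outside what the ACL can protect against.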
  6. Re:Not a useful thing for MS to do by x0n · Score: 4, Informative

    >What is there to stop a virus making edits to the dll binary? Changing the strings that presently
    >correspond to the IP addresses of MS domains to some random, invalid address?

    Yes, there is a mechanism built into Windows which uses digital signatures and a watchdog to prevent accidental (or deliberate) changes to sensitive DLLs. Any binary changes to any file will invalidate the signature on the DLL. This is more effective than tripwire or other such things whereby a checksum is held in another location since the DLL itself is signed using a PK and cannot be re-signed to hide the changes.

    Windows File Protection: http://support.microsoft.com/?kbid=222193

    - Oisin

    --

    PGP KeyId: 0x08D63965
  7. ANYONE can Do this! The Functions are Documented by ZOverLord · Score: 3, Informative

    Just look Here for more info:

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dns/dns/dnsquery.asp

    Also, you can defeat a HOSTS file by simply changing the priority of lookups using the registry; more here:

    http://www.dslreports.com/forum/remark,15900699~days=9999~start=20#15902844

    --
    Black Gray White Hats Unite to protect http://testing.OnlyTheRightAnswers.com