Microsoft Bypasses HOSTS File
whitehatlurker writes "Dave Korn announced on the Full Disclosure and Bugtraq security lists that Microsoft is bypassing local lookups for some hosts, meaning that you can't locally block some sites through your HOSTS file. All of these sites are MicroSoft controlled sites.
The general feeling in the rest of the thread is that this was to obfuscate these hosts and prevent them from being blocked by malware. However, there are no non-MicroSoft hosts listed, giving a competitive advantage for MicroSoft's anti-malware tools over other brands."
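A check a defender can run to see which HOSTS-file overrides the resolver actually honours, added here as an example and not taken from the thread or from Microsoft: it parses the hosts file and reports every entry whose resolved address differs from the one the file specifies. The sample hosts text and the `.test` names are constructed; the Windows path used at the bottom is the standard location of the file.

```python
"""Report HOSTS-file entries that the system resolver ignores.

Added example; the sample data below is constructed, not real.
"""
import os
import socket

# Constructed sample hosts file: comments, blank lines, several names per line.
SAMPLE_HOSTS = """\
# constructed example, not a real hosts file
127.0.0.1   localhost
0.0.0.0     ads.example.test  tracker.example.test   # block ad hosts
::1         localhost
0.0.0.0     blocked.example.test
"""

def parse_hosts(text):
    """Return {hostname: address} from hosts-file text, ignoring comments."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), addr)  # first entry wins, as resolvers do
    return mapping

def find_bypassed(hosts_map, resolve):
    """Return {hostname: observed_address} for entries the resolver did not honour.

    `resolve(name)` returns the address the system actually used; an entry is
    bypassed when that differs from the hosts-file address (or resolution fails).
    """
    bypassed = {}
    for name, expected in hosts_map.items():
        try:
            observed = resolve(name)
        except OSError as exc:
            observed = f"<unresolved: {exc}>"
        if observed != expected:
            bypassed[name] = observed
    return bypassed

def system_resolve(name):
    """Live resolver (IPv4 only); tests inject a stub instead of calling this."""
    return socket.gethostbyname(name)

if __name__ == "__main__":
    hosts_path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                              "System32", "drivers", "etc", "hosts")
    with open(hosts_path, encoding="utf-8", errors="replace") as fh:
        hosts_map = parse_hosts(fh.read())
    for name, seen in find_bypassed(hosts_map, system_resolve).items():
        print(f"{name}: hosts says {hosts_map[name]}, resolver returned {seen}")
```

Any name listed in the output is being resolved without regard to the local file, which is exactly the behaviour the post describes; blocking at an external firewall or DNS forwarder remains effective for those names.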
I would have thought that if you can't subvert the HOSTS file then all you have to do is to intercept any DNS lookup of these MS addresses and you would have the same effect.
If you are trying to stop MS software from talking to home, then just use an external firewall.
Michael
There is no cryptographic solution to the problem where the intended receiver and the attacker are the same entity.
It helps prevent Malware. Sure, MS might have a slim advantage, but it also prevents otherwise botted PCs from accessing MS Updates against things like Blaster. I don't see this as being such a big deal.
Microsoft could also be using this to prevent users from blocking MSN messenger ad servers.
I'm wondering if the behaviour will change if you just go into "services" and disable the DNS client.
I recommend this anyway. In theory it will increase the number of requests your machine does. But in practice it has saved me a lot of "try rebooting" calls.
Anyone out there with XP who can reproduce this?
. . . those other sites do not play into what MicroSoft sees as the "integrity" of their product.
Which integrity might that be? The same integrity that allows malware to infect a machine to the point where it can poison the hosts file? The same integrity that spawned the anti-malware business in the first place?
Yeah. Microsoft is big on integrity, both moral and technical.
Microsoft is to software what Budweiser is to beer.
You know, I would bet money that were Apple doing this, people would claim it's just vertical market integration .. why should they make things easy for spyware vendors etc.
.. it's considered ethical and benevolent.
Apple won't allow others to create DRM enabled files that play on the iPod. Other mp3 players are prevented from being able to play songs bought on iTunes (unless you go the roundabout, dubiously legal (read the contract), route of ripping to CD and then copying the mp3's on there). This is all considered "fair" and a brilliant example of vertical integration.
It seems to me that as far as people are concerned, anything Microsoft does is evil, but if Apple does the exact same thing
I've always found the /etc/ to be the funniest part of that path.
/etc/ as the location for the hosts file still remains, along with other little hints -- ftp.exe is almost identical to the BSD FTP utility. BSD also gets properly credited in the XP copyright notice
This is one of the telltale remnants of the BSD-derived TCP/IP stack that NT/XP uses.
Although the stack itself has been heavily modified, using
-- If you try to fail and succeed, which have you done? - Uli's moose
(And my troll is in Haiku)
Windows xp still better
need to run useful software
Mac and Linux are toys
that is not quite right
both the troll and the haiku
are somewhat lacking
but please understand
Mac and Linux are not toys
just other systems
Windows has problems
while it does have more software
it is insecure
please try something else
you might find that you like it
don't stagnate yourself
if end users switch
developers will follow
more software for all
so please help yourself
and help the rest of the world
try something else
if you don't like them
that is your prerogative
simply don't use them
but I'm warning you
going back is much harder
but it is your choice
other OSes
few viruses and malware
true computing bliss
as for poetry
haiku syllable count is
5-7-5
Might take a little googling, and I'm lazy at the moment, but I had the exact same problem. It's a small .com file fix that changes one bit in the IBM BIOS. Run it from a boot floppy and all is well... And once done it didn't display any messages, it just worked as it should.
The idea of adding entries to the routing table has already been foreseen by Microsoft.
It examines new rules, and if it finds one of the kind:
"route ADD 207.46.225.221 GATEWAY 127.0.0.1 METRIC 1"
then the rule is declared invalid and ignored.
To prevent people working around this, the Win32::Registry service does an MD5sum on route.exe when the desktop is started. If its MD5 does not match the result of an untouched file then the file is replaced with a clean copy from /WINDOWS/WIN32/HELPFILES.
Win32API::File::Time has been modified to scan the hosts file and compare the results of local lookups from /hosts with those from a legitimate Microsoft server. Should its results differ from the expected ones, it will know that in turn, IE has become compromised and also requires to be replaced from the clean backup directory.
That's three levels of protection for the customer.
'Triple ply protection' if you will.
I don't think Linux has technologies like these fully integrated into the operating system. It's going to continue playing catch-up a long time before it can compete with us on deeply embedded security measures like these.
Here's a threaded view of the Full Disclosure thread, rather than the first follow-up post to Dave Korn's OP, which the story submitter seems to have decided would be a better way... http://archives.neohapsis.com/archives/fulldisclosure/2006-04/thread.html#268
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
You know what this brings to mind? My block lists. In firestarter and Konqueror, Mozilla and Opera, I BAN the hell out of doubleshit! I also ban eqn, eqv, ad, point and some 150 or 200 subdomains.
But, it seems, though, double-dick caught on to people banning their asses, so what *I* have noticed (don't know how long this/the following has been the case) is that our ***ISP's*** are hosting double click. That means that now, if you ban EVERY address spewing doubleshit, you're blocking your own ISP. It's pissing me off that Comcast **seems** to be hosting or handling doubleclick to make SURE something about your/my surfing habits WILL end up in doubledick's database.
This also, I guess, could be similar to what ms **might** be doing. Has anyone traced their cookies, the bots, and the 1 pixel code crumbs, broken them open, and found their "home base"? I wouldn't be surprised if nowadays or in the past 6 years that the ms hosts file usage enables them to command your machine to randomly and in small bytes periodically send them some information about your activities, hardware, software, things your machine talks to on your LAN...
This could be the NEXT total information awareness arsenal piece: Wanna surf, doubledick (probably a federalized activity/government-funded entity by now) will get information. All your ISP has to do to assuage any "guilt" they may have is say what yahoo and others say: "WE COLLECT PRIVACY INFORMATION..." and create an umpteen-long document to deter rejection or complaint by MOST users.
I wish I could make heads or tails about what Ethereal finds, though. I wish I could find out enough about connections that try to come to my machine. Etherape helps, too, but I HATE doubledick with a passion. I block them and a slew of others, even though it nearly doubles or triples some page load.
Hmmm, interesting: image word/word image: "suffers"
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"