Slashdot Mirror


Microsoft Bypasses HOSTS File

whitehatlurker writes "Dave Korn announced on the Full Disclosure and Bugtraq security lists that Microsoft is bypassing local lookups for some hosts, meaning that you can't locally block some sites through your HOSTS file. All of these sites are Microsoft controlled sites. The general feeling in the rest of the thread is that this was to obfuscate these hosts and prevent them from being blocked by malware. However, there are no non-Microsoft hosts listed, giving a competitive advantage for Microsoft's anti-malware tools over other brands."

13 of 459 comments

  1. Not a useful thing for MS to do by mgv · · Score: 5, Interesting

    I would have thought that if you can't subvert the HOSTS file then all you have to do is to intercept any DNS lookup of these MS addresses and you would have the same effect.

    If you are trying to stop MS software from talking to home, then just use an external firewall.

    Michael

    --
    There is no cryptographic solution to the problem where the intended receiver and the attacker are the same entity.
    1. Re:Not a useful thing for MS to do by whoever57 · · Score: 3, Interesting

      What is there to stop a virus making edits to the DLL binary, changing the strings that presently correspond to the IP addresses of MS domains to some random, invalid address?

      --
      The real "Libtards" are the Libertarians!
  2. Is this necessarily a bad thing? by BluhDeBluh · · Score: 5, Interesting

    It helps prevent Malware. Sure, MS might have a slim advantage, but it also prevents otherwise botted PCs from accessing MS Updates against things like Blaster. I don't see this as being such a big deal.

    1. Re:Is this necessarily a bad thing? by jpatters · · Score: 2, Interesting

      All this does is replace the hosts file with something more obscure; the malware writers will simply learn how to modify it to do what they want. Meanwhile, you will have a false sense of security.

      --
      "Remember, there never were pineapple-almond cookies here."
    2. Re:Is this necessarily a bad thing? by Hex4def6 · · Score: 2, Interesting

      He speaks the truth.

      I have some older Thinkpads, and they all give a similar message, although I found a hack on the net that allowed one to bypass this restriction. You still get the message at bootup though, and have to press "ESC" to continue, which is a pain.

  3. Ad blocking by aembleton · · Score: 5, Interesting

    Microsoft could also be using this to prevent users from blocking MSN messenger ad servers.

    1. Re:Ad blocking by MT628496 · · Score: 2, Interesting

      I don't really think so. The types of people who run adblocking software are usually more technically advanced. Chances are that they won't be going to things like msn.com anyway and if they have to go to windows update, they'll be going whether there are ads or not.

      Doesn't the adblock firefox extension just not display the images from certain hosts? Programs that block ads by editing the hosts file remove things before they even get to adblock. I suppose that's the real reason that I don't really think so.

  4. I couldn't reproduce this on Win2K. by khasim · · Score: 3, Interesting

    I'm wondering if the behaviour will change if you just go into "services" and disable the DNS client.

    I recommend this anyway. In theory it will increase the number of requests your machine does. But in practice it has saved me a lot of "try rebooting" calls.

    Anyone out there with XP who can reproduce this?

    1. Re:I couldn't reproduce this on Win2K. by pla · · Score: 4, Interesting

      Anyone out there with XP who can reproduce this?

      Good idea, but no luck. Same result, though with one slight difference which might prove useful as a workaround: the first attempt timed out, meaning it really performs the query rather than having a hardcoded list of IP mappings. So if you ran a caching DNS proxy on your machine (i.e., exactly what the built-in DNS service does, but one not containing a built-in Microsoft hack), pointed your machine's DNS to itself, and told the proxy to use a bogus address for the sites in question, that should successfully block them.

      Better to do this at the firewall, though (a real external hardware firewall, not Microsoft's "trust us, this works" crap).

    2. Re:I couldn't reproduce this on Win2K. by pla · · Score: 2, Interesting

      So if you ran a caching DNS proxy on your machine

      Just an update: I just set up exactly such a proxy (DNRD) on my masq'ing gateway, and it works like a charm. So MS hasn't done anything too sophisticated to get around blacklisting them, just enough to count as a nuisance.
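
As an added example (not code from this thread, from Dave Korn's post, or from Microsoft), the following script shows the check the comments above are circling around: parse a HOSTS file and compare what it says with what the resolver actually returns, so you can see which entries the resolver is honouring and which it is bypassing. The HOSTS content and the `fake_resolver` function are constructed for the demo; on a real machine you would read the real file (`%SystemRoot%\System32\drivers\etc\hosts` on Windows, `/etc/hosts` elsewhere) and pass `socket.gethostbyname` as the resolver.

```python
"""Check whether a resolver honours the entries in a HOSTS file.

Added example for the Slashdot thread on HOSTS-file bypass; not code
from the thread or from any vendor. The sample file and the fake
resolver are constructed inputs so the script runs offline.
"""
import socket
from typing import Callable, Dict, List, Tuple

# Constructed sample HOSTS content (not a real file from the page).
SAMPLE_HOSTS = """\
# comments and blank lines are ignored
127.0.0.1   localhost
0.0.0.0     ads.example.test        # blocked ad host
0.0.0.0     telemetry.example.test  # blocked telemetry host
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (lower-cased) to the address the HOSTS file assigns.

    Strips trailing comments, skips blank lines, accepts several names per
    line, and treats the first entry for a name as authoritative.
    """
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        for name in names:
            mapping.setdefault(name.lower(), addr)
    return mapping


def find_bypassed(
    hosts_map: Dict[str, str], resolve: Callable[[str], str]
) -> List[Tuple[str, str, str]]:
    """Return (name, expected, actual) for every name whose resolved address
    differs from the HOSTS entry.

    `resolve(name)` must return a dotted-quad string or raise socket.gaierror;
    a lookup failure is reported as "unresolved" so the caller still sees it.
    """
    bypassed: List[Tuple[str, str, str]] = []
    for name, expected in hosts_map.items():
        try:
            actual = resolve(name)
        except socket.gaierror:
            actual = "unresolved"
        if actual != expected:
            bypassed.append((name, expected, actual))
    return bypassed


def fake_resolver(name: str) -> str:
    """Constructed stand-in for the system resolver: it honours two HOSTS
    entries but answers the telemetry host from DNS instead (203.0.113.5 is
    a documentation address, chosen only for the demo)."""
    table = {
        "localhost": "127.0.0.1",
        "ads.example.test": "0.0.0.0",
        "telemetry.example.test": "203.0.113.5",
    }
    if name not in table:
        raise socket.gaierror(-2, "constructed: name not known")
    return table[name]


if __name__ == "__main__":
    # Offline demo run. For a real check on the local machine replace the two
    # arguments with open(path_to_hosts).read() and socket.gethostbyname.
    for name, expected, actual in find_bypassed(parse_hosts(SAMPLE_HOSTS), fake_resolver):
        print(f"{name}: HOSTS says {expected}, resolver returned {actual}")
```

A name that shows up in the output with a routable address is one the resolver answered without consulting the file, which is exactly the behaviour the thread reports; a name reported as "unresolved" is also worth a second look, since it means the resolver never returned the file's entry either.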

  5. Re:Yet Another Band-Aid? by moosesocks · · Score: 4, Interesting

    I've always found the /etc/ to be the funniest part of that path.

    This is one of the telltale remnants of the BSD-derived TCP/IP stack that NT/XP uses.

    Although the stack itself has been heavily modified, using /etc/ as the location for the hosts file still remains, along with other little hints -- ftp.exe is almost identical to the BSD FTP utility. BSD also gets properly credited in the XP copyright notice.

    --
    -- If you try to fail and succeed, which have you done? - Uli's moose
  6. Re:They control the haiku by Psykechan · · Score: 3, Interesting

    (And my troll is in Haiku)

    Windows xp still better
    need to run useful software
    Mac and Linux are toys


    that is not quite right
    both the troll and the haiku
    are somewhat lacking

    but please understand
    Mac and Linux are not toys
    just other systems

    Windows has problems
    while it does have more software
    it is insecure

    please try something else
    you might find that you like it
    don't stagnate yourself

    if end users switch
    developers will follow
    more software for all

    so please help yourself
    and help the rest of the world
    try something else

    if you don't like them
    that is your prerogative
    simply don't use them

    but I'm warning you
    going back is much harder
    but it is your choice

    other OSes
    few viruses and malware
    true computing bliss

    as for poetry
    haiku syllable count is
    5-7-5

  7. rest of the FD thread by Cally · · Score: 2, Interesting

    Here's a threaded view of the Full Disclosure thread, rather than the first follow-up post to Dave Korn's OP, which the story submitter seems to have decided would be a better way... http://archives.neohapsis.com/archives/fulldisclosure/2006-04/thread.html#268

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe