Microsoft Bypasses HOSTS File

whitehatlurker writes "Dave Korn announced on the Full Disclosure and Bugtraq security lists that Microsoft is bypassing local lookups for some hosts, meaning that you can't locally block some sites through your HOSTS file. All of these sites are MicroSoft controlled sites. The general feeling in the rest of the thread is that this was to obfuscate these hosts and prevent them from being blocked by malware. However, there are no non-MicroSoft hosts listed, giving a competitive advantage for MicroSoft's anti-malware tools over other brands."

Not a useful thing for MS to do

[mgv (198488)]

I would have thought that if you cant subvert the HOSTS file then all you have to do is to intercept any DNS lookup of these MS addresses and you would have the same effect.

If you are trying to stop MS software from talking to home, then just use an external firewall.

Michael

I couldn't reproduce this on Win2K.

[khasim (1285)]

I'm wondering if the behaviour will change if you just go into "services" and disable the DNS client.

I recommend this anyway. In theory it will increase the number of requests your machine does. But in practice it has saved me a lot of "try rebooting" calls.

Anyone out there with XP who can reproduce this?

Re:I couldn't reproduce this on Win2K.

[pla (258480)]

Anyone out there with XP who can reproduce this?

Good idea, but no luck. Same result, though with one slight difference which might prove useful as a workaround - The first attempt timed out, meaning it really performs the query rather than having a hardcoded list of IP mappings. So if you ran a cacheing DNS proxy on your machine (ie, exactly what the built-in DNS service does, but one not containing a built-in Microsoft hack), pointed your machine's DNS to itself, and tell the proxy to use a bogus address for the sites in question, that should successfully block them.

Better to do this at the firewall, though (a real external hardware firewall, not Microsoft's "trust us, this works" crap).

Re:Not a useful thing for MS to do

[Surt (22457)]

It turns out to be easier to subvert the hosts file than to intercept DNS lookup. There's a really easy way to replace the hosts file from an activex script. How you would subvert DNS from the same point of attack is unclear.

Re:Not a useful thing for MS to do

[whoever57 (658626)]

What is there to stop a virus making edits to the dll binary? Changing the strings that presently correspond to the IP addresses of MS domains to some random, invalid address?

Re:Not a useful thing for MS to do

[x0n (120596)]

>What is there to stop a virus making edits to the dll binary? Changing the strings that presently
>correspond to the IP addresses of MS domains to some random, invalid address?

Yes, there is a mechanism built into Windows which uses digital signatures and a watchdog to prevent accidental (or deliberate) changes to sensitive DLLs. Any binary changes to any file will invalidate the signature on the DLL. This is more effective than tripwire or other such things whereby a checksum is held in another location since the DLL itself is signed using a PK and cannot be re-signed to hide the changes.

Windows File Protection: http://support.microsoft.com/?kbid=222193 [microsoft.com]

- Oisin

Re:Not a useful thing for MS to do

[Nasarius (593729)]

Except it's not very effective, is it? Is there anything stopping a system-level process (eg, malware) from grabbing the window handle and sending the appropriate keystrokes to dismiss the prompt? I haven't tested it myself, but I've used that technique successfully for the "unsigned driver" warnings. WFP lets you keep the unsigned driver/DLL with no further warnings if you press two buttons.

Is this necessarily a bad thing?

[BluhDeBluh (805090)]

It helps prevent Malware. Sure, MS might have a slim advantage, but it also prevents otherwise botted PCs from accessing MS Updates against things like Blaster. I don't see this as being such a big deal.

It's a Big Deal because...

[TubeSteak (669689)]

As mentioned in TFA's thread:

2) As far as I know, their malicious software removal tool didn't exist back when this behavior was created, so what good was keeping access to Microsoft open going to do an infected system? What good does it do to install a patch for a vulnerability that's already been exploited onto the computer of the archetypal "home user"?

MS hardcoded this in with WinXP SP2 & Win2k3 SP1.

Why? Maybe someone will get a comment from MS.

The point is that mucking around with the inner workings of the OS is BAD, unless it is documented appropriately. Now, documentation doesn't make it good, but if they're departing from the expected behavior, they should let people know.

Re:It's a Big Deal because...

[slashname3 (739398)]

The point is that mucking around with the inner workings of the OS is BAD

Stated like you control and/or own the OS running on your machine. This is just another example showing how Microsoft feels they should be the ones to control your system. There are many examples of this. Patches for applications that change things in the core operating system are common. Why a patch for office should change things in the OS never made any sense. But then Micrsoft knows best.

Re:Is this necessarily a bad thing?

[Morvandium (534213)]

I agree. In addition, as much as I may think they should include other sites on that list, those other sites do not play into what MicroSoft sees as the "integrity" of their product. They're not out to make sure that you can get the latest update of Apache or OpenOffice or whatever; they want to make sure that you can update Windows to the latest version (one that might actually stop the malware they're trying to protect from) or get to a place where you can ask MicroSoft a question (which they may or may not answer, and if they do, the answer to which may or may not be helpful), or, heaven forbid, get to a place where you can order a new MicroSoft product (probably because you haven't realized it will have similar flaws to your current and older MS products).

Re:Is this necessarily a bad thing?

[DrSkwid (118965)]

> I didn't even know about the hosts file until 5 minutes ago

and already you feel qualified to comment

Re:Is this necessarily a bad thing?

[jpatters (883)]

What this is just replacing the hosts file with something more obscure, the malware writers will simply learn how to modify it to do what they want. Meanwhile, you will have a false sense of security.

Re:Is this necessarily a bad thing?

[quarkscat (697644)]

Absolutely, yes, it is a bad thing.

Microsoft has:
        instituted not only License 6, but also "phone home" validation. At any time, MS may
        decide to shut down any business worldwide that uses their products, at their (or a
        malviolent government's) discretion;

        embraced and extended(tm) LDAP with kerberos authentication that is not industry-
        standard or cross-platform compatible;

        embraced and extended(tm) web browser standards that have made Internet and
        platform security a nightmare;

        implimented a software firewall (XP SP2) that doesn't actually control/restrict all
        incoming and outgoing packets, making the use of a third party (H/W?) firewall
        less redundant and more actually necessary;

        stripped nearly all OS improvements out of their upcoming flagship OS, excepting
        Digital Rights Restrictions -- which may also remotely disable or remove products
        and/or services which they choose to disallow for any reason.

Bypassing DNS and the hosts file on the OS platform is their "camel's nose under the
tent flap" for future modifications to the network stack, all in the name of their brand
of "security", which is (frankly) appalling. Given Microsoft's current product direction,
it is not outside the realm of possibility that the future average computer user's
experience will be some cross between a WebTV and an XBox.

Re:Is this necessarily a bad thing?

[NutscrapeSucks (446616)]

Actually, there's an anti-spyware available from Windows Update called "Malicous Software Removal Tool". I think it only targets the most common and popular types of hacks,

So what?

[nametaken (610866)]

People should know by now, when you go MS, you don't buy the horse, you buy the farm. You wanna segment and pick and choose on the MS platform? Good luck.

Re:So what?

[Aaden42 (198257)]

No, no... You just *license* the farm. MS still owns it. For a nominal fee, they'll let you step in the cow pies every second Tuesday.

Ad blocking

[aembleton (324527)]

Microsoft could also be using this to prevent users from blocking MSN messenger ad servers.

Re:Ad blocking

[forgotten_my_nick (802929)]

why not just block them at the router level? or am I missing something obvious?

Permissions?

[tomstdenis (446163)]

tom@localhost ~ $ ls -l /etc/hosts
-rw-r--r-- 1 root root 519 Oct 19 12:13 /etc/hosts

....

Why can't windows just make the host files read only.

Re:Permissions?

[v1 (525388)]

Windows security is as effective as a screen door on a submarine.

It'd take the malware makers about an hour to find any of the what, probably 80 holes that would let them go around such windows security. A back-and-forth battle like that could easily go on for months if not years. In unix, security and permissions are the foundation, on top of which everything is built. In windows, security is a hack that was added on later with no due consideration during the initial design phase of windows. It's no wonder it's next to impossible to get it to work the way you want it to.

When you are designing security, the sad truth of it is, the user is the enemy. There's no nicer way to look at it. So it takes a great deal of care to design a security system that can withstand the assult of a user while at the same time being functional and serving the user. It's too late for windows to make those design considerations. They have errored on the side of functionality and sacrificed the security of the system. There is no fixing that.

Re:Permissions?

[Teancum (67324)]

Of course this is also following the assumption that the administrator of the systems you are talking about are also not the users who are on the computer systems.

The whole admin/user philosophy is based on the religion called the "High Priesthood of the Computer Temple", where you have to make special requests to a special unique class of individuals who control computer resources.

As for PC operating systems, in particular Microsoft OS platforms, they were designed for independent system operations where t

Re:Permissions?

[Alioth (221270)]

In the single user, single tasking non-networked PC world of the 1980s, the idea of the user always being the administrator was fine and not harmless. However, you can't take this model into the networked multi-user world and expect it to work. If Microsoft expects its software to work in the networked world, they must drop their single user single tasking philosophy.

Re:Permissions?

[jb.hl.com (782137)]

I'm sure it's lovely for you to be able to sit and say that Microsoft are complete retards, but truth is that for a company whose No. 1 business is making and selling software (or at the very least licenses to use that software) I'd expect them to have some pretty smart individuals working for them.

Re:Permissions?

[saleenS281 (859657)]

funny, I see write access by root there. And last I checked, when malware *owns* windows, it's local root, which means the permissions you speak of would amount to absolutely nothing... And btw, you can make it read only to normal users, but again, this would accomplish nothing.

Re:Permissions?

[tomstdenis (446163)]

Yes, but the motivation to ignore the hosts file is because of viruses that could overwrite it.

So ... if a user level virus couldn't write to the host file ...

Think about it.

Tom

Re:Permissions?

[secolactico (519805)]

So ... if a user level virus couldn't write to the host file ...

Which leads us back to the primordial Windows security problem: users running with admin priviledges.

In the example you provided in the previous post, /etc/hosts is writable only by root. If user runs as root all the time, then it's back to square one.

As far as I know Windows host file is only writable by Administrator level (dunno, I don't have a Windows machine with me right now). Is it otherwise?

Re:Permissions?

[Foolhardy (664051)]

On Windows Server 2003 SP1:

C:\WINNT\system32\drivers\etc\hosts
BUILTIN\Users :R
BUILTIN\Power Users:R
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F

Normal and power users get read, Administrators and SYSTEM get full control, all inherited from the drivers directory.

You're absolutely right about the root problem as running everything as admin. Almost all the malware that I've seen fails miserably unless run as admin, and that which does run can't infect the entire system. I guess the users that know enough to run as a normal user are the same ones that avoid that crap in the first place.

Re:Permissions?

[Homology (639438)]

So ... if a user level virus couldn't write to the host file ...

Think about it.

Dear Tom,
this is Slashdot and the term "think" does not apply.

Re:Permissions?

[fermion (181285)]

So why does the host file have to live in userland, or why can't the computer prompt for the user to verify identiy when certain dangerous operations are about to occur.

By MS doing this Host file management, they are admitting that most users don't use or know the host files, and the most probable reason for host file change, expecailly as it relates to MS, is an attack.

I should, in my user account have a wide variety of leeway. If I mess up, I or my qualified agent should be able to go to an admin acco

Potentially unfair...

[Maul (83993)]

The main problem is not that you can't block MS addresses, it is that MS is only preventing their addresses from being blocked. Since they are now getting into the security business, this gives them what could be seen as an unfair advantage.

Let us say that Joe User gets a piece of Malware, so he decides to visit a security company to find a solution to his problem. However, the malware has modified his hosts file to block security company web pages from being accessed, which is extremely typical. Joe User is not experienced enough to even know there is a hosts file that he could change back.

Joe User's first attempt would likely be to norton.com, symantec.com (both go to Symantec's main page), or mcafee.com, since these names are pretty much synonymous with antivirus software. However, all of those are blocked and he can't access them.

However, if he goes to microsoft.com, he can go there since the hosts file is subverted in the OS. Since he can't spend the time to figure out why he can't access the others, he purchases Microsoft's AV solution.

Re:Potentially unfair...

[harlows_monkeys (106428)]

Let us say that Joe User gets a piece of Malware, so he decides to visit a security company to find a solution to his problem. However, the malware has modified his hosts file to block security company web pages from being accessed, which is extremely typical. Joe User is not experienced enough to even know there is a hosts file that he could change back

This is why antivirus/antispyware software should check for updates by IP address. If it can't find the update servers, only then should it do a DNS looku

Yet Another Band-Aid?

[displaced80 (660282)]

Hmm. This seems a bit ass-backwards to me.

Rather than having to ignore the HOSTS file because it may be malicious, shouldn't the solution be to prevent HOSTS from getting mangled in the first place?

(oh, and on an unrelated note: why on earth is the Win32 HOSTS file buried away under C:\Windows\System32\Drivers\etc\? I mean.... 'drivers'?!!? Bizarre.

Re:Yet Another Band-Aid?

[idesofmarch (730937)]

The solution exists. Running as standard user in Windows XP will prevent changes to the hosts file.

Re:Yet Another Band-Aid?

[moosesocks (264553)]

I've always found the /etc/ to be the funniest part of that path.

This is one of the telltale remaints of the BSD-derived [kuro5hin.org] TCP/IP stack that NT/XP uses.

Although the stack itself has been heavily modified, using /etc/ as the location for the hosts file still remains, along with other little hints -- ftp.exe is almost identical to the BSD FTP utility. BSD also gets properly credited in the XP copyright notice [microsoft.com]

Smart move from M$

[Fantasio (800086)]

How long before somebody poisons these adresses in the DNS servers ?

An automatic update of WMP and your PC gets owned, and nothing can be done to prevent it!

Re:Smart move from M$

[gclef (96311)]

Patches from MS are cryptographically signed. You need to do more than just poison teh DNS for these hosts. You need to either steal MS' private signing key or break RSA.

Let me know if you manage the second one.

Re:Smart move from M$

[HermanAB (661181)]

You don't need to break RSA - just replace the DLL that handles RSA with one that does nothing. Remember the PC is compromised - so the virus/spyware maker can do that and I think they have done it in the past.

Would be ok...

[thefogger (455551)]

...if Microsoft had documented this behavior. Yet still, I fail to see what the big deal is. So you can't force an IP address to a domain with hosts.txt for some sites that microsoft controls. If you need to do that, for example for some corporate filter or updating solution, you could just modify your own dns server. Home users on the other hand get more reliable access to windows update, which is very important. Otherwise it would be trivial for malware to block the computer from recieving updates, and the automatic updates would silently fail.

Cheers, Fogger

Route to null

[PlusFiveTroll (754249)]

If the adware can change your hosts file then this is pretty useless anyway. Now all the software has to do is run a script that does the following

nslookup whatever.microsofts.domains
takes the list of return addresses and
route ADD destination MASK mask INVALID INVALID INVALID foreach

and your traffic to MS wont even leave the network card.

Interference with my sig!

[Teun (17872)]

How nasty of MS to interfere with my sig!
Now I'll have to include a disclaimer...

Just another reason to continue using a more robust system :)

Sensationalism

[by Anonymous Coward]

Who cares?

Nothing prevents you from not using the operating system's resolver. Its trivial to implement your OWN DNS client in your programs, bypassing any HOSTS settings and other DNS resolver issues.

I've never seen so many people who were so clueless and misinformed about the technical issues involved here.

FUD flying low again

[Opportunist (166417)]

"Safeguarding" your hosts file against tampering is pointless. Yes, a few trojans toy with it. The ONLY place that's ever redirected afaik is updates.microsoft.com.

So this is going to be celebrated as the hack against malware that keeps you from updating. Ohhhh great. Ok, next move from the malware writers is simply to keep a thread running that checks if something is coming in from the "unwanted" sites. If so, it's deleted before execution. Problem solved.

There is no techical solution for social problems.

rest of the FD thread

[Cally (10873)]

Here's a threaded view of the Full Disclosure thread, rather than the first follow-up post to Dave Korn's OP, which the story submitter seems to have decided would be a better way... http://archives.neohapsis.com/archives/fulldisclos ure/2006-04/thread.html#268 [neohapsis.com]

Re:How is this a competitive advantage?

[MooUK (905450)]

Because using an IP address for the program to access causes problems if your server's IP changes. Simple as that.

Monopolies

[Tony (765)]

A court of law has determined that Microsoft is a monopoly. One of the anti-trust regulations specifies that you cannot use your monopoly power to force your way into another market; that was the heart of the conviction against Microsoft in the Netscape case. Microsoft used their monopoly to oust Netscape as the dominant browser by bundling, which is illegal.

Now they are using that same monopoly power to take over the anti-malware market.

I'm rather ambivilent about this. On one hand, it is just one more case of Microsoft waiting for a market to mature, then forcing their way into it. On the other hand, this market wouldn't exist if it wasn't for their own shoddy products, so it's really Microsoft's reponsibility to fix it. However, malware protection software isn't the correct answer, it's just the most expedient, with a potential for additional profit.

All-in-all, it's just Microsoft's usual game: own the system, rig the system, use that to take over another system. Keep secrets, and act all coy when your secrets are discovered.

Re:Monopolies

[toddestan (632714)]

How did Microsoft financially benefit from Internet Explorer's dominance? IE is and always has been a free product. More relevant to this topic

Back in the day, Netscape was developing web applications. This was kind of scary for Microsoft, as this shifted the focus away from the operating system and to the browser. Back then, Netscape ran on almost everything (Windows, Mac, Linux, BSD, OS/2, etc), and if in the future the user did all their work under web applicatons, then suddenly the underlying OS would become less important. Why spring for a Windows license to run Netscape when you could download Linux for free?

So Microsoft's response was Internet Explorer. At first it seemed that Microsoft was going with the Netscape route of supporting multiple platforms, but they quickly killed off everything but IE for Windows (Except for the Mac version, which lingered on quite a bit longer before finally getting axed). From there they made their browser not quite standards compliant (but close enough to get people to switch to it), and created ActiveX. They then integrated all of this into Windows and their respective server software. This made it easy for people to create Web applications and content that only worked properly under Internet Explorer for Windows, and many of these ended up being made - particularly for company intranets. At first, this seemed great for companies that basically ran Windows everywhere, but it also locked them into Microsoft's software. This is likely one of the reasons why Windows is still so dominant on the desktop, and is also one of the main reasons why in the bizarro-land of slashdot circa April, 2006, Mac users are so excited about running Windows on their Apple machines.

Of course, the threat of Web applications is coming around again, with open standards like XML threating to make your choice of OS less revelevent, and even your choice of browser unimportant (so long as it supports the open standards). I'm not sure what Microsoft has in store for this round (if anything), as IE7 seems to be too little, too late - and the popularity of Linux and OSX growing.

So in conclusion, Internet Explorer wasn't so much about crushing Netscape Navigator, as it was about crushing Web applications that could run everywhere.

Re:MSN

[mrraven (129238)]

20 dollars, try free, like AVG. AVG is pretty nice it operates in stealth mode so your computers ports are invisible to probes and alerts you when any new program tries tries to phone home. And no I'm not affiliated or invested in AVG in any way I just think it's cool they make a good firewall available for free.
Yes it's propitiatory and closed source but at least free as in beer, shrug.
Anyway I only run Windows in a virtual pc. sandbox so it won't infect my real O.S.

Re:They control the haiku

[Psykechan (255694)]

(And my troll is in Haiku)

Windows xp still better
need to run useful software
Mac and Linux are toys

that is not quite right
both the troll and the haiku
are somewhat lacking

but please understand
Mac and Linux are not toys
just other systems

Windows has problems
while it does have more software
it is insecure

please try something else
you might find that you like it
don't stagnate yourself

if end users switch
developers will follow
more software for all

so please help yourself
and help the rest of the world
try something else

if you don't like them
that is your prerogative
simply don't use them

but I'm warning you
going back is much harder
but it is your choice

other OSes
few viruses and malware
true computing bliss

as for poetry
haiku sylable count is
5-7-5

Re:WHY?

[Mister Transistor (259842)]

IIRC, it's a hangover from Windows 3.1 or maybe Win95.