Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Microsoft Bypasses HOSTS File

Posted by CmdrTaco on Sun Apr 16, 2006 12:10 PM
from the they-know-what's-best dept.
Microsoft Security
whitehatlurker writes "Dave Korn announced on the Full Disclosure and Bugtraq security lists that Microsoft is bypassing local lookups for some hosts, meaning that you can't locally block some sites through your HOSTS file. All of these sites are MicroSoft controlled sites. The general feeling in the rest of the thread is that this was to obfuscate these hosts and prevent them from being blocked by malware. However, there are no non-MicroSoft hosts listed, giving a competitive advantage for MicroSoft's anti-malware tools over other brands."
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Microsoft Bypasses HOSTS File 25 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.
  • I would have thought that if you cant subvert the HOSTS file then all you have to do is to intercept any DNS lookup of these MS addresses and you would have the same effect.

    If you are trying to stop MS software from talking to home, then just use an external firewall.

    Michael
      • >What is there to stop a virus making edits to the dll binary? Changing the strings that presently
        >correspond to the IP addresses of MS domains to some random, invalid address?

        Yes, there is a mechanism built into Windows which uses digital signatures and a watchdog to prevent accidental (or deliberate) changes to sensitive DLLs. Any binary changes to any file will invalidate the signature on the DLL. This is more effective than tripwire or other such things whereby a checksum is held in another location since the DLL itself is signed using a PK and cannot be re-signed to hide the changes.

        Windows File Protection: http://support.microsoft.com/?kbid=222193 [microsoft.com]

        - Oisin

      • Re:I couldn't reproduce this on Win2K. (Score:5, Interesting)

        by pla (258480) on Sunday April 16 2006, @06:14PM (#15139709) Journal
        Anyone out there with XP who can reproduce this?

        Good idea, but no luck. Same result, though with one slight difference which might prove useful as a workaround - The first attempt timed out, meaning it really performs the query rather than having a hardcoded list of IP mappings. So if you ran a cacheing DNS proxy on your machine (ie, exactly what the built-in DNS service does, but one not containing a built-in Microsoft hack), pointed your machine's DNS to itself, and tell the proxy to use a bogus address for the sites in question, that should successfully block them.

        Better to do this at the firewall, though (a real external hardware firewall, not Microsoft's "trust us, this works" crap).

  • Is this necessarily a bad thing? (Score:5, Interesting)

    by BluhDeBluh (805090) on Sunday April 16 2006, @12:12PM (#15138291)
    It helps prevent Malware. Sure, MS might have a slim advantage, but it also prevents otherwise botted PCs from accessing MS Updates against things like Blaster. I don't see this as being such a big deal.

    • It's a Big Deal because... (Score:5, Insightful)

      by TubeSteak (669689) on Sunday April 16 2006, @12:20PM (#15138335) Journal
      As mentioned in TFA's thread:
      2) As far as I know, their malicious software removal tool didn't exist back when this behavior was created, so what good was keeping access to Microsoft open going to do an infected system? What good does it do to install a patch for a vulnerability that's already been exploited onto the computer of the archetypal "home user"?
      MS hardcoded this in with WinXP SP2 & Win2k3 SP1.

      Why? Maybe someone will get a comment from MS.

      The point is that mucking around with the inner workings of the OS is BAD, unless it is documented appropriately. Now, documentation doesn't make it good, but if they're departing from the expected behavior, they should let people know.

    • Re:Is this necessarily a bad thing? (Score:5, Informative)

      by Morvandium (534213) on Sunday April 16 2006, @12:22PM (#15138346) Homepage
      I agree. In addition, as much as I may think they should include other sites on that list, those other sites do not play into what MicroSoft sees as the "integrity" of their product. They're not out to make sure that you can get the latest update of Apache or OpenOffice or whatever; they want to make sure that you can update Windows to the latest version (one that might actually stop the malware they're trying to protect from) or get to a place where you can ask MicroSoft a question (which they may or may not answer, and if they do, the answer to which may or may not be helpful), or, heaven forbid, get to a place where you can order a new MicroSoft product (probably because you haven't realized it will have similar flaws to your current and older MS products).

    • Re:Is this necessarily a bad thing? (Score:5, Insightful)

      by quarkscat (697644) on Sunday April 16 2006, @12:57PM (#15138532)
      Absolutely, yes, it is a bad thing.

      Microsoft has:
              instituted not only License 6, but also "phone home" validation. At any time, MS may
              decide to shut down any business worldwide that uses their products, at their (or a
              malviolent government's) discretion;

              embraced and extended(tm) LDAP with kerberos authentication that is not industry-
              standard or cross-platform compatible;

              embraced and extended(tm) web browser standards that have made Internet and
              platform security a nightmare;

              implimented a software firewall (XP SP2) that doesn't actually control/restrict all
              incoming and outgoing packets, making the use of a third party (H/W?) firewall
              less redundant and more actually necessary;

              stripped nearly all OS improvements out of their upcoming flagship OS, excepting
              Digital Rights Restrictions -- which may also remotely disable or remove products
              and/or services which they choose to disallow for any reason.

      Bypassing DNS and the hosts file on the OS platform is their "camel's nose under the
      tent flap" for future modifications to the network stack, all in the name of their brand
      of "security", which is (frankly) appalling. Given Microsoft's current product direction,
      it is not outside the realm of possibility that the future average computer user's
      experience will be some cross between a WebTV and an XBox.

  • So what? (Score:4, Insightful)

    by nametaken (610866) on Sunday April 16 2006, @12:14PM (#15138306)
    People should know by now, when you go MS, you don't buy the horse, you buy the farm. You wanna segment and pick and choose on the MS platform? Good luck.

  • Ad blocking (Score:5, Interesting)

    by aembleton (324527) <aembleton@NosPaM.gmail.com> on Sunday April 16 2006, @12:16PM (#15138316) Homepage
    Microsoft could also be using this to prevent users from blocking MSN messenger ad servers.

  • Permissions? (Score:5, Insightful)

    by tomstdenis (446163) <tomstdenis@@@gmail...com> on Sunday April 16 2006, @12:19PM (#15138329) Homepage
    tom@localhost ~ $ ls -l /etc/hosts
    -rw-r--r-- 1 root root 519 Oct 19 12:13 /etc/hosts

    ....

    Why can't windows just make the host files read only.

    • Re:Permissions? (Score:5, Insightful)

      by v1 (525388) on Sunday April 16 2006, @12:27PM (#15138378) Homepage Journal
      Windows security is as effective as a screen door on a submarine.

      It'd take the malware makers about an hour to find any of the what, probably 80 holes that would let them go around such windows security. A back-and-forth battle like that could easily go on for months if not years. In unix, security and permissions are the foundation, on top of which everything is built. In windows, security is a hack that was added on later with no due consideration during the initial design phase of windows. It's no wonder it's next to impossible to get it to work the way you want it to.

      When you are designing security, the sad truth of it is, the user is the enemy. There's no nicer way to look at it. So it takes a great deal of care to design a security system that can withstand the assult of a user while at the same time being functional and serving the user. It's too late for windows to make those design considerations. They have errored on the side of functionality and sacrificed the security of the system. There is no fixing that.

    • Re:Permissions? (Score:5, Insightful)

      by saleenS281 (859657) on Sunday April 16 2006, @12:54PM (#15138524) Homepage
      funny, I see write access by root there. And last I checked, when malware *owns* windows, it's local root, which means the permissions you speak of would amount to absolutely nothing... And btw, you can make it read only to normal users, but again, this would accomplish nothing.

      • Re:Permissions? (Score:5, Insightful)

        by tomstdenis (446163) <tomstdenis@@@gmail...com> on Sunday April 16 2006, @12:26PM (#15138377) Homepage
        Yes, but the motivation to ignore the hosts file is because of viruses that could overwrite it.

        So ... if a user level virus couldn't write to the host file ...

        Think about it.

        Tom

        • Re:Permissions? (Score:5, Insightful)

          by secolactico (519805) on Sunday April 16 2006, @12:41PM (#15138461) Journal
          So ... if a user level virus couldn't write to the host file ...

          Which leads us back to the primordial Windows security problem: users running with admin priviledges.

          In the example you provided in the previous post, /etc/hosts is writable only by root. If user runs as root all the time, then it's back to square one.

          As far as I know Windows host file is only writable by Administrator level (dunno, I don't have a Windows machine with me right now). Is it otherwise?

        • Re:Permissions? (Score:5, Funny)

          by Homology (639438) on Sunday April 16 2006, @12:57PM (#15138534)
          So ... if a user level virus couldn't write to the host file ...

          Think about it.

          Dear Tom,
          this is Slashdot and the term "think" does not apply.

  • Potentially unfair... (Score:5, Insightful)

    by Maul (83993) on Sunday April 16 2006, @12:22PM (#15138351) Journal
    The main problem is not that you can't block MS addresses, it is that MS is only preventing their addresses from being blocked. Since they are now getting into the security business, this gives them what could be seen as an unfair advantage.

    Let us say that Joe User gets a piece of Malware, so he decides to visit a security company to find a solution to his problem. However, the malware has modified his hosts file to block security company web pages from being accessed, which is extremely typical. Joe User is not experienced enough to even know there is a hosts file that he could change back.

    Joe User's first attempt would likely be to norton.com, symantec.com (both go to Symantec's main page), or mcafee.com, since these names are pretty much synonymous with antivirus software. However, all of those are blocked and he can't access them.

    However, if he goes to microsoft.com, he can go there since the hosts file is subverted in the OS. Since he can't spend the time to figure out why he can't access the others, he purchases Microsoft's AV solution.

  • Yet Another Band-Aid? (Score:5, Insightful)

    by displaced80 (660282) on Sunday April 16 2006, @12:23PM (#15138360)
    Hmm. This seems a bit ass-backwards to me.

    Rather than having to ignore the HOSTS file because it may be malicious, shouldn't the solution be to prevent HOSTS from getting mangled in the first place?

    (oh, and on an unrelated note: why on earth is the Win32 HOSTS file buried away under C:\Windows\System32\Drivers\etc\? I mean.... 'drivers'?!!? Bizarre.

  • Route to null (Score:5, Informative)

    by PlusFiveTroll (754249) on Sunday April 16 2006, @12:32PM (#15138406) Homepage
    If the adware can change your hosts file then this is pretty useless anyway. Now all the software has to do is run a script that does the following

    nslookup whatever.microsofts.domains
    takes the list of return addresses and
    route ADD destination MASK mask INVALID INVALID INVALID foreach

    and your traffic to MS wont even leave the network card.

  • Interference with my sig! (Score:4, Funny)

    by Teun (17872) on Sunday April 16 2006, @12:32PM (#15138410) Homepage
    How nasty of MS to interfere with my sig!
    Now I'll have to include a disclaimer...

    Just another reason to continue using a more robust system :)

    • Monopolies (Score:5, Insightful)

      by Tony (765) on Sunday April 16 2006, @12:46PM (#15138489) Homepage Journal
      A court of law has determined that Microsoft is a monopoly. One of the anti-trust regulations specifies that you cannot use your monopoly power to force your way into another market; that was the heart of the conviction against Microsoft in the Netscape case. Microsoft used their monopoly to oust Netscape as the dominant browser by bundling, which is illegal.

      Now they are using that same monopoly power to take over the anti-malware market.

      I'm rather ambivilent about this. On one hand, it is just one more case of Microsoft waiting for a market to mature, then forcing their way into it. On the other hand, this market wouldn't exist if it wasn't for their own shoddy products, so it's really Microsoft's reponsibility to fix it. However, malware protection software isn't the correct answer, it's just the most expedient, with a potential for additional profit.

      All-in-all, it's just Microsoft's usual game: own the system, rig the system, use that to take over another system. Keep secrets, and act all coy when your secrets are discovered.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.