Home page logo

bugtraq logo Bugtraq mailing list archives

Re: [Full-disclosure] Microsoft DNS resolver: deliberately sabotagedhosts-file lookup
From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Wed, 19 Apr 2006 20:54:46 -0700

I agree that there should have been better documentation of this, but I
think the noted objections are a bit hyperbolic.

While I don't disagree with what you said, I think there are some things you
didn't consider.

First, why is anything besides what is required for windows update being
bypassed? Why MSN.COM? Why NOT Symantec.com? I mean this looks more like a
way to keep passport functional than as a way to foil trojans.

Because, as many users choose to use MSN as their portal to the internet via
the MSN browser included in many OEM installations (just like many use AOL.)
Many people log on to email, passport, music purchases, etc via portal on
MSN and MSDN.  It is to keep hosts file entries from taking users to
phishing sites where they may enter credentials that could be stolen.

It's not Microsoft's job to protect Symantec customers.  That's Symantec's
job.  Microsoft is not in control of Symantec assets or hostnames.  They are
in control of Microsoft's assets and hostnames.  It would make no sense to
build in host list exceptions for hostnames you have no control over.  And
we both know that if they DID include other exceptions for assets that they
did not control that everyone with cry foul over that as well, because it's
Second, why is it that it's darn near impossible to screw with media player
or Messenger (both are protected by Windows file protection) yet hosts file
changes don't even popup a dialog box to ask the user if the change is ok? I
mean this is a really sneaky way of "fixing" things. Also before you say WFP
or a popup could be disabled by a trojan, so could this fix.

Because "hosts" is a simple text file that is designed to be edited and
maintained by the administrator of the machine.  It's supposed to change.
Wmplayer.exe automatically replaces itself with an authoritative cached copy
to ensure that it is not Trojaned.  It's a good thing.  And so what if a
Trojan could disable it (even though dnsapi.dll is also protected)?? Let
it-- but make it have to do it - more for it to do.  A kernel mode rootkit
could disable everything it wanted to - why not just give up and turn off
your machine?  

This is really simple.  MyDoom altered the hosts file so people couldn't hit
go.microsoft.com, so they added an exception list for their sites.  The
reason it wasn't documented was so that malware authors wouldn't know to
bypass it, but now some do.  Oh well, worked for a while.

Third, this appears to me to be just more half witted fixes imo. The problem
is a trojan modifying hosts then fix the problem instead of ignoring hosts.
Provide a locking mechanism for hosts, remove the trojan, there are a
hundred ways to fix this that are far more proper ways to do things than

They do.  There is more information on how to secure a Windows box than
anything else out there.  They give you free malware removal tools.  They'll
be giving you free AV.  They DO all these things, yet people continue to
open .exe's in email attachments.  It's defense in depth.  It's good.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]