Help!

Host resolution priority -> vulnerable to malware tampering?

 
Virus Guy
Posted: Sun Dec 13, 2009 9:17 am    Post subject: Host resolution priority -> vulnerable to malware tampering?
Archived from groups: microsoft>public>security>virus, others

I wasn't aware that you could set the priority for host resolution.

http://www.speedguide.net/read_articles.php?id=1130

Could this mean that with the right settings, that the hosts file could
be essentially deactivated by setting it to a very low priority and
setting DnsPriority to a high priority?

If so, does any anti-malware software examine those registry settings
and look for malicious tampering?

David H. Lipman
Posted: Sun Dec 13, 2009 9:30 am    Post subject: Re: Host resolution priority -> vulnerable to malware tampering?
Archived from groups: per prev. post

From: "Virus Guy"

| I wasn't aware that you could set the priority for host resolution.

| http://www.speedguide.net/read_articles.php?id=1130

| Could this mean that with the right settings, that the hosts file could
| be essentially deactivated by setting it to a very low priority and
| setting DnsPriority to a high priority?

| If so, does any anti-malware software examine those registry settings
| and look for malicious tampering?

No, it wouldn't deactivate the resolution via the etc/hosts file.

The information cited is really for changing the resolution sequence depending on your
situation. For example, if you are in a workgroup or Domain and how the OS reacts to such
named hosts as...

\\machinename

http://hostname

With this one may choose the etc/hosts to have a lower number than the other resolution
methods but I don't think it will disable it altogether.

If one wants to do that, it is much better to just redirect the location of the etc/hosts
file via the "DataBasePath" key in..
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Virus Guy
Posted: Sun Dec 13, 2009 9:42 am    Post subject: Re: Host resolution priority -> vulnerable to malware tampering?
Archived from groups: per prev. post

"David H. Lipman" wrote:

> | Could this mean that with the right settings, that the hosts
> | file could be essentially deactivated
>
> No, it wouldn't deactivate the resolution via the etc/hosts file.
>
> The information cited is really for changing the resolution sequence
> depending on your situation.

Seems to me that these settings are for setting the priority of those
services with respect to other services running on the machine.

If they also set the sequence or order of which method is used to
perform a host resolution, then setting the local hosts value to the
highest numerical value out of the 4 of them would mean that the hosts
file would always be the last to be queried - which would effectively
deactivate it as resolution method. No?

David H. Lipman
Posted: Sun Dec 13, 2009 1:14 pm    Post subject: Re: Host resolution priority -> vulnerable to malware tampering?
Archived from groups: per prev. post

From: "Virus Guy"

| "David H. Lipman" wrote:

>> | Could this mean that with the right settings, that the hosts
>> | file could be essentially deactivated

>> No, it wouldn't deactivate the resolution via the etc/hosts file.

>> The information cited is really for changing the resolution sequence
>> depending on your situation.

| Seems to me that these settings are for setting the priority of those
| services with respect to other services running on the machine.

| If they also set the sequence or order of which method is used to
| perform a host resolution, then setting the local hosts value to the
| highest numerical value out of the 4 of them would mean that the hosts
| file would always be the last to be queried - which would effectively
| deactivate it as resolution method. No?

OK, rethinking this...

It would "deactivate" it. However if a DNS resolution to a malicious site is first and you
are effectively getting that address then the etc/hosts file redirection to the IP
responder address would be a moot point.

Deactivated - no.

Ineffectual - yes.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
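
A read-only audit of the two registry locations discussed in this thread, as an added example that is not part of the original posts: it compares the four resolver priority values and `DataBasePath` against a baseline and reports any drift. The `ServiceProvider` key path, the baseline numbers (stock Windows defaults as commonly documented), the function name `Test-ResolutionSettings` and the sample values are assumptions, and the ordering check follows the thread's premise that a lower number is consulted earlier.

```powershell
# Added example: read-only check of the resolver settings discussed above.
# Assumption: baseline = commonly documented stock Windows defaults; adjust per fleet.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip'
$baseline = [ordered]@{
    LocalPriority = 499; HostsPriority = 500; DnsPriority = 2000; NetbtPriority = 2001
}
$defaultDbPath = Join-Path $env:SystemRoot 'System32\drivers\etc'

function Test-ResolutionSettings {
    param(
        [hashtable]$Priorities,  # value name -> DWORD under ...\Tcpip\ServiceProvider
        [string]$DataBasePath    # expanded DataBasePath under ...\Tcpip\Parameters
    )
    $findings = @()
    foreach ($name in $baseline.Keys) {
        if (-not $Priorities.ContainsKey($name)) {
            $findings += "$name is missing"
        } elseif ($Priorities[$name] -ne $baseline[$name]) {
            $findings += "$name = $($Priorities[$name]) (baseline $($baseline[$name]))"
        }
    }
    # Thread's premise (assumption): a lower number is consulted earlier, so a hosts
    # value at or above the DNS value leaves hosts-file entries ineffectual.
    if ($Priorities.ContainsKey('HostsPriority') -and $Priorities.ContainsKey('DnsPriority') -and
        $Priorities['HostsPriority'] -ge $Priorities['DnsPriority']) {
        $findings += 'hosts file is ordered at or after DNS'
    }
    if ([string]::IsNullOrEmpty($DataBasePath)) {
        $findings += 'DataBasePath is missing'
    } elseif ($DataBasePath.TrimEnd('\') -ine $defaultDbPath) {
        $findings += "DataBasePath points to '$DataBasePath' (baseline '$defaultDbPath')"
    }
    $findings
}

# Constructed sample of a tampered host: hosts pushed behind DNS, path redirected.
$sample = @{ LocalPriority = 499; HostsPriority = 3000; DnsPriority = 2000; NetbtPriority = 2001 }
Test-ResolutionSettings -Priorities $sample -DataBasePath 'C:\ProgramData\example\etc'

# Live system: read the real values (Get-ItemProperty returns REG_EXPAND_SZ expanded).
$sp = Get-ItemProperty -Path "$tcpip\ServiceProvider"
$live = @{}
foreach ($name in $baseline.Keys) {
    if ($null -ne $sp.$name) { $live[$name] = [int]$sp.$name }
}
$dbPath = (Get-ItemProperty -Path "$tcpip\Parameters").DataBasePath
Test-ResolutionSettings -Priorities $live -DataBasePath $dbPath
```

An empty result for the live call means the values match the baseline; any output line is a setting worth reviewing alongside the contents of the hosts file itself.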