  1. #1

    can programs bypass Windows' "hosts" file?

    I have software here that likes to phone home every so often. Before you say anything, this is licensed software that has been paid for.

    Using TcpView (from Sysinternals), I found the software is calling home. I just do not like the fact that it needs to call home now and then, and I do not know what data (if any) is passed on to the vendor.

    So I added the domain to my hosts file. This is the entry I created:

    127.0.0.1 domain-here.com.

    If I view domain-here.com using a browser, I get an error message, which is correct since I do not have a web server running on localhost.

    BUT it seems the offending program is still able to call home. Somehow it is able to bypass my hosts file. In TcpView, the program is using the domain to call home and not its IP.

    Any ideas (other than installing a firewall and blocking the offending domain) on how to prevent the program from calling home?

    Thank you very much.

  2. #2 (petteyg359)
    ipconfig /flushdns

    And how do you know domain-here.com in IE is going to 127.0.0.1? Did you check that in your tcpview? The "phone" may be going to a different port, and domain-here.com may not be running on port 80.

  3. #3 (CGR)
    Does the software have an auto update application? May just be checking for updates periodically.

  4. #4 (mortimer)
    Programs don't need to use the hosts file. The hosts file was just a list of names and IP addresses that has been replaced by DNS. The way that I stop programs from accessing the Internet is to use a firewall. Zone Alarm in my case. I'm guessing that other firewalls have the same ability.

  5. #5 (ShadowPho)
    127.0.0.1 domain-here.com.
    replace with 127.0.0.1 their-ip.com

    And programs don't use the hosts file per se. Windows uses the hosts file to see if it needs to redirect the request somewhere.

  6. #6 (petteyg359)
    Quote Originally Posted by mortimer View Post
    Programs don't need to use the hosts file. The hosts file was just a list of names and IP addresses that has been replaced by DNS. The way that I stop programs from accessing the Internet is to use a firewall. Zone Alarm in my case. I'm guessing that other firewalls have the same ability.
    Any program needing network access must communicate with the OS network stack. The network stack will communicate with the IP it is given, or if it is given a domain name, will check the local hosts file (whether Windows or other operating system), and only if the name is not found in the hosts file will it check remote DNS servers. Of course it will check cached entries first, hence using ipconfig /flushdns to make sure that it will look in the hosts file. A very easy way to block any program is PeerGuardian. Much less resource-intensive than ZoneAlarm, and does basically the same thing, filters incoming/outgoing connection based on IP. Just make a list of IPs the program is calling, add them to a PG2 list, and enable it as a block list.

  7. #7
    Quote Originally Posted by jarthel View Post
    BUT it seems the offending program is still able to call home. Somehow it is able to bypass my hosts file. In TcpView, the program is using the domain to call home and not its IP.
    You cannot determine from tcpview how the program connects. tcpview will just try and resolve the remote ip to a hostname, if one has been configured.

    The program can resolve a name like everybody else, it can have the IP hardcoded, it can manually ask a DNS server (bypassing the DNS in Windows, and therefore the hosts file), ...

  8. #8 (petteyg359)
    Quote Originally Posted by jarthel View Post
    I have a software here that like to phone home every so often. Before you say anything, this is a licensed software that has been paid for.
    Here, I must say something. The simple act of denying illegal use in the original post is rather suspicious... The fact that you won't tell us what this software is, or the domain it is attempting to connect to, is even more suspicious.

    We could probably help more if you'd tell us what software it is. If you can't do that, then most of us are left thinking you're using this forum for a purpose that is against the rules.

  9. #9 (=ACID RAIN=)
    Dude said he bought the software. It could be quicktime pro, or some legit (ha!) porn updater. Either way, he said he paid for it, so who cares about what the software is. Not like you can hack out a fix if it's not open source anyways LOL.

    Firewall it, if it somehow bypasses internal DNS/hosts entries.

    edit: Or make a dns server on your lan and make a manual entry with a bogus IP. I'd go with option A though.
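As an added illustration (not code from the thread or from any poster), the following Python models the lookup order petteyg359 describes in #6, the program-side bypass from #7, and the two controls =ACID RAIN= suggests in #9. The hosts-file text, domain, addresses and sinkhole are constructed, and the parser assumes hosts-file names are matched literally, so the trailing-dot entry from the original post is treated as a separate name.

```python
# Added example (not from the thread): a model of the lookup order described
# in posts #6 and #7 and of the two controls suggested in post #9. All domain
# names, addresses and the hosts-file text below are constructed.
import ipaddress
from typing import Dict, Optional, Set

# Constructed sample: the entry as typed in post #1 (trailing dot). This
# parser compares the name token literally (an assumption about real hosts
# parsers), so it does not answer a lookup for "domain-here.com".
HOSTS_TEXT = """
127.0.0.1 domain-here.com.   # entry from the original post, trailing dot kept
"""
UPSTREAM_DNS = {"domain-here.com": "203.0.113.10"}   # constructed vendor IP
LAN_SINKHOLE = {"domain-here.com": "0.0.0.0"}        # post #9 option B
BLOCKED_IPS = {"203.0.113.10"}                       # post #9 option A


def parse_hosts(text: str) -> Dict[str, str]:
    """Return {name: ip} from hosts-file text; comments and blanks ignored."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        ipaddress.ip_address(ip)                 # ValueError on a malformed IP
        for name in names:
            table.setdefault(name.lower(), ip)   # first entry for a name wins
    return table


def os_resolve(name: str, cache: Dict[str, str], hosts: Dict[str, str],
               dns: Dict[str, str]) -> Optional[str]:
    """Post #6 order: resolver cache, then hosts file, then the DNS server."""
    key = name.lower()
    for source in (cache, hosts, dns):
        if key in source:
            return source[key]
    return None


def app_resolve(name: str, dns: Dict[str, str]) -> Optional[str]:
    """Post #7: a program with its own DNS client skips cache and hosts file."""
    return dns.get(name.lower())


def egress_allowed(ip: str, blocked: Set[str]) -> bool:
    """Post #9 option A: an IP-based firewall rule catches every path,
    including a hard-coded address that never touched a resolver."""
    return ip not in blocked
```

A stale resolver cache still wins over a fresh hosts entry in this model, which is why #2 and #6 start with ipconfig /flushdns.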
