topic Re: Update sites or spyware scams. in Norton Internet Security / Norton AntiVirus

Update sites or spyware scams.

bullhorn — Thu, 28 Aug 2008 23:49:45 GMT

My norton internet security asked my permission to remove host file entries 'tc.symantec.com' and 'om.symantec.com'

as it needs those sites to update........It seems going by other sources that these sites are spyware sites...has Norton got it wrong?

seems to be some confusion of information......I wonder if Norton would clarify?

Quote

These are sites used by Norton internet security to update"
Not really ... they just want you to think that ...

Symantec detects a possible malicious entry in the HOSTS file
http://msmvps.com/blogs/hostsnews/archive/2007/08/08/symantec-detects-a-possible-malicious-entry-in-the-hosts-file.aspx
[or]
Why does Symantec (Norton 2007) detect a possible malicious entry in the
HOSTS file?
http://www.mvps.org/winhelp2002/hostsfaq.htm#Norton_2007
[or]
Symantec detects suspicious entries in the MVPS HOSTS file
http://msmvps.com/blogs/hostsnews/archive/2007/11/14/1309806.aspx
[or]
http://www.mvps.org/winhelp2002/hostsfaq.htm#Norton_360

anyone with any information? bullhorn

Re: Update sites or spyware scams.

4runner — Fri, 29 Aug 2008 22:12:08 GMT

I did not read in detail the links you provided, so this may not directly answer your question, but it may help you understand what is happening here.

When you tell your internet browser to go to www.google.com one of the first things that has to happen is that your computer has to turn that nice address for google.com into an IP address. An IP address looks like this: 74.125.XX.XX (which is one choice for google).

So how does your computer translate www.google.com to a number? It uses DNS (Domain Name Service) to lookup the IP address, much like you would lookup a phone number in a phone book. You type google and your computer 'lookups' the number for google (and google is big enough that it has more than one 'number' that might be found--but that issue isn't relevant here:smileywink:). DNS servers for most home users are usually provided by your ISP, and anymore the whole process is really quite transparent to the end user.

Thats the simple version of the explaination. Now to expand on that without getting really to technical, for the sake of speed and minimizing network traffic your comuter has a variety of places it may 'look first' for the number before consulting the DNS server.

First off a check in a local address cache, this is a place that holds recently 'looked up' IPs. If we just looked up google recently and we need it again now, its faster if we can find it on our own internal 'scratchpad' than asking the DNS server for it.
Next the computer will check the HOSTS file. The HOSTS file isn't actually used in practice much anymore. But it's still there, and still checked as part of the process. If a domain name is listed with and address here, the computer will use that address to contact the domain.
What happens next is dependent on your configuration, but in most home user cases is a query to the DNS server provided by your ISP.

So in your case what has happened is that a piece of malware has modified your HOSTS file to include entries for 'tc.symantec.com' and 'om.symantec.com'. I don't know what those specific sub-domains are for but if I had to guess I would bet they are related to liveupdate and/or virus definitions. Whats happening here is that when liveupdate runs instead of your computer being properly routed to valid symantec servers, it gets re-directed to talk to the 'wrong number'. The computer that answers at the 'wrong number' tho can lie and say hello i'm symantec and then download false or empty virus definitions, and or more malware.

The prompt by NIS telling you it wants to remove these entries from HOSTS is a tamper protection. NIS says 'hey i'm about to update, let me check and make sure I think I'm going to get to the correct server to get my update' So it performs some tests and says 'oops, there is something in the HOSTS file thats going to prevent me from getting to the correct server'. So NIS then asks your permission to remove these entries before it updates.

[mod note: Broke IP address (even tho it is google and most likely alwasy will be).]

Message Edited by Allen_K on 08-29-2008 05:12 PM

Re: Update sites or spyware scams.

bullhorn — Fri, 29 Aug 2008 18:12:03 GMT

Why can i not find this message in the listings for 28-8-08 entries

Re: Update sites or spyware scams.

bullhorn — Fri, 29 Aug 2008 18:23:21 GMT

Further added, the links if read suggest links to DNS hijackers and advert vendors

Re: Update sites or spyware scams.

Allen_K — Fri, 29 Aug 2008 18:36:27 GMT

bullhorn wrote:
Why can i not find this message in the listings for 28-8-08 entries

The threads in the board listings are ordered by the most recent post. This is the common protocol found on internet forums, new content on top.

To always be able to locate your own threads, click your posting name 2 lines above the search box in the upper left section of the screen. On the page that loads you can see your 5 most recent postings, underneath which is a link to view all your prior posts.

Re: Update sites or spyware scams.

bullhorn — Fri, 29 Aug 2008 21:23:17 GMT

Allen_K thanks for the info

Re: Update sites or spyware scams.

mo — Sat, 30 Aug 2008 06:24:06 GMT

i have seen these in my net connections log on and off,but nis has not asked me about them.is this the same as above?should i worry or not?thanks

Re: Update sites or spyware scams.

4runner — Sat, 30 Aug 2008 14:32:44 GMT

bullhorn wrote:
Further added, the links if read suggest links to DNS hijackers and advert vendors

yea if you read my earlier post that essentially what i explained... malware uses your HOSTS file to at the very least prevent liveupdate from working.

mo wrote:
i have seen these in my net connections log on and off,but nis has not asked me about them.is this the same as above?should i worry or not?thanks
mo

probably don't need to worry... they should appear in the logs. In bullhorns case he had some malware that was attempting to redirect or hijack how his norton installed software phoned home for updates... You can check your HOSTS file if you want...just open it in notepad... remember that for any line that starts with a # the rest of the line is ignored or considered a comment. The single normal entry to have point localhost to 127.0.0.1 if you have anything else (on lines that DON'T start with a #) post it for comment.

Re: Update sites or spyware scams.

bullhorn — Sat, 30 Aug 2008 16:08:18 GMT

quote from [color=red]4runner[/color]

[quote]The prompt by NIS telling you it wants to remove these entries from HOSTS is a tamper protection. NIS says 'hey i'm about to update, let me check and make sure I think I'm going to get to the correct server to get my update' So it performs some tests and says 'oops, there is something in the HOSTS file thats going to prevent me from getting to the correct server'. So NIS then asks your permission to remove these entries before it updates[/quote]

No, I'm afraid you've got that the wrong way around a screen came up over Norton protectection centre screen warning that Norton

could not proceed to update unless it removed two sites from my host file, these sites were already routed to 127.0.0.1

so the prompt asked me if it could remove them.....a yes or no screen...I selected yes and then made inquiries with host sites

in other words it was a [u]no go place[/u] ..When removed it was a go place. I discovered later that my Google had a lot of guff added to it in the way of adverts........this is DNS hijacking by way of browser cookies....I had to clear my DNS cache to get rid of them

You are twisting what I had originally stated in my first post.

I intend to take screen shots if it occurs again and will post them here as evidence if possible..........bullhorn.

ps. i dont know if BBcode is enable on this board as there is no review option.

Re: Update sites or spyware scams.

4runner — Sat, 30 Aug 2008 21:34:39 GMT

bullhorn wrote:
'tc.symantec.com' and 'om.symantec.com'

Ok... so those two domains were pointed at 127.0.0.1 (also known as localhost)

so that means

any requests being made by software (liveupdate) to those two domains will be redirected back to your own computer (and the requests are most likely blocked at the firewall as requests to an unknown port -- after all your computer isn't a symantec server is it? so why would it be set up to do anythiing but disregard requests like that.)

at anyrate.. NIS found the tamper, and told you it had to remove it to phone home (which it did, because your computer was told to ask itself)

Page 2: The Hosts file can also be used in another way... and that is to redirect you to fake / ad / malicious sites... Thats the direction this thread was headed in... sorry for the confusion... things became clear when you mentioned 127.0.0.1

you can use the toolbar above the message editor window... or you can click 'edit as html' and use your on HTML. (not all HTML is supported)

Re: Update sites or spyware scams.

mo — Mon, 01 Sep 2008 11:44:08 GMT

Thanks 4runner

I started another thread and got my answer by a Symantec employee,totally different from bullhorns problem.Appreciate your reply to my inquiry.

regards mo

Re: Update sites or spyware scams.

bullhorn — Sat, 20 Sep 2008 23:29:46 GMT

Yes, well now it's happened again!

Shot at 2008-09-20

although this time it had a muliple choice box, and a 'Backdoor.tidserv' virus was soon thereafter reported

by Norton anti-virus ..............which required manual removal

so the question still remains what have these two update sites got to do with norton update?..........bullhorn

[edit: added screenshot to post]

Message Edited by Tony_Weiss on 09-20-2008 07:29 PM