Visitor
bullhorn
Posts: 6
Registered: ‎08-28-2008

Update sites or spyware scams.

My Norton Internet Security asked my permission to remove host file entries 'tc.symantec.com' and 'om.symantec.com' as it needs those sites to update... It seems going by other sources that these sites are spyware sites... has Norton got it wrong?

Seems to be some confusion of information... I wonder if Norton would clarify?

Quote:

"These are sites used by Norton internet security to update"
Not really ... they just want you to think that ...

Symantec detects a possible malicious entry in the HOSTS file
http://msmvps.com/blogs/hostsnews/archive/2007/08/08/symantec-detects-a-possible-malicious-entry-in-...
[or]
Why does Symantec (Norton 2007) detect a possible malicious entry in the
HOSTS file?
http://www.mvps.org/winhelp2002/hostsfaq.htm#Norton_2007
[or]
Symantec detects suspicious entries in the MVPS HOSTS file
http://msmvps.com/blogs/hostsnews/archive/2007/11/14/1309806.aspx
[or]
http://www.mvps.org/winhelp2002/hostsfaq.htm#Norton_360

 

Anyone with any information? bullhorn

Regular Contributor
4runner
Posts: 98
Registered: ‎06-20-2008

Re: Update sites or spyware scams.

[ Edited ]

I did not read in detail the links you provided, so this may not directly answer your question, but it may help you understand what is happening here.

When you tell your internet browser to go to www.google.com one of the first things that has to happen is that your computer has to turn that nice address for google.com into an IP address. An IP address looks like this: 74.125.XX.XX (which is one choice for Google).

So how does your computer translate www.google.com to a number? It uses DNS (Domain Name Service) to look up the IP address, much like you would look up a phone number in a phone book. You type google and your computer 'looks up' the number for google (and Google is big enough that it has more than one 'number' that might be found, but that issue isn't relevant here :smileywink:). DNS servers for most home users are usually provided by your ISP, and nowadays the whole process is really quite transparent to the end user.

That's the simple version of the explanation. Now to expand on that without getting really too technical: for the sake of speed and minimizing network traffic your computer has a variety of places it may 'look first' for the number before consulting the DNS server.

  • First off a check in a local address cache; this is a place that holds recently 'looked up' IPs. If we just looked up google recently and we need it again now, it's faster if we can find it on our own internal 'scratchpad' than asking the DNS server for it.
  • Next the computer will check the HOSTS file. The HOSTS file isn't actually used in practice much anymore. But it's still there, and still checked as part of the process. If a domain name is listed with an address here, the computer will use that address to contact the domain.
  • What happens next is dependent on your configuration, but in most home user cases it is a query to the DNS server provided by your ISP.

So in your case what has happened is that a piece of malware has modified your HOSTS file to include entries for 'tc.symantec.com' and 'om.symantec.com'. I don't know what those specific sub-domains are for, but if I had to guess I would bet they are related to LiveUpdate and/or virus definitions. What's happening here is that when LiveUpdate runs, instead of your computer being properly routed to valid Symantec servers, it gets redirected to talk to the 'wrong number'. The computer that answers at the 'wrong number' though can lie and say "hello, I'm Symantec" and then download false or empty virus definitions, and/or more malware.

The prompt by NIS telling you it wants to remove these entries from HOSTS is a tamper protection. NIS says 'hey, I'm about to update, let me check and make sure I think I'm going to get to the correct server to get my update'. So it performs some tests and says 'oops, there is something in the HOSTS file that's going to prevent me from getting to the correct server'. So NIS then asks your permission to remove these entries before it updates.

[mod note: Broke IP address (even though it is Google and most likely always will be).]

Message Edited by Allen_K on 08-29-2008 05:12 PM
Visitor
bullhorn
Posts: 6
Registered: ‎08-28-2008

Re: Update sites or spyware scams.

Why can I not find this message in the listings for 28-8-08 entries?
Visitor
bullhorn
Posts: 6
Registered: ‎08-28-2008

Re: Update sites or spyware scams.

Further added, the links if read suggest links to DNS hijackers and advert vendors
Moderator
Allen_K
Posts: 1,364
Registered: ‎04-09-2008

Re: Update sites or spyware scams.


bullhorn wrote:
Why can I not find this message in the listings for 28-8-08 entries?

The threads in the board listings are ordered by the most recent post. This is the common protocol found on internet forums: new content on top.

To always be able to locate your own threads, click your posting name 2 lines above the search box in the upper left section of the screen. On the page that loads you can see your 5 most recent postings, underneath which is a link to view all your prior posts.

Allen
Visitor
bullhorn
Posts: 6
Registered: ‎08-28-2008

Re: Update sites or spyware scams.

Allen_K  thanks for the info
Super Spam Squasher
mo
Posts: 1,706
Registered: ‎08-18-2008

Re: Update sites or spyware scams.

I have seen these in my net connections log on and off, but NIS has not asked me about them. Is this the same as above? Should I worry or not? Thanks

mo

Cheers Mo
XP home,SP3
NIS2012
Regular Contributor
4runner
Posts: 98
Registered: ‎06-20-2008

Re: Update sites or spyware scams.


bullhorn wrote:
Further added, the links if read suggest links to DNS hijackers and advert vendors

Yeah, if you read my earlier post, that's essentially what I explained... malware uses your HOSTS file to at the very least prevent LiveUpdate from working.

mo wrote:
I have seen these in my net connections log on and off, but NIS has not asked me about them. Is this the same as above? Should I worry or not? Thanks

mo

Probably don't need to worry... they should appear in the logs. In bullhorn's case he had some malware that was attempting to redirect or hijack how his Norton-installed software phoned home for updates... You can check your HOSTS file if you want... just open it in Notepad... remember that for any line that starts with a # the rest of the line is ignored or considered a comment. The single normal entry to have points localhost to 127.0.0.1. If you have anything else (on lines that DON'T start with a #) post it for comment.
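The two things 4runner describes, the lookup order (local cache, then the HOSTS file, then the ISP's DNS server) and the manual HOSTS check (anything after a # is a comment; the one normal entry maps localhost to 127.0.0.1; anything else deserves a look), can be turned into a small audit script. The following is an added example written for this thread, not code from the poster or from Symantec. The HOSTS contents are constructed for the demo: the two *.symantec.com names are the ones quoted in the thread, mapped to 127.0.0.1 as bullhorn reported, and the .invalid names are made up. It goes slightly beyond the post by separating entries that send a name back to the local machine ("blackholed", the LiveUpdate case) from entries that point a name at some other address ("redirected", the fake/ad-site use of HOSTS mentioned later in the thread).

```python
"""Audit a HOSTS file for entries that would hijack or blackhole name lookups.

Added example for this thread (not Symantec's or the poster's code). The
lookup order modelled here (local cache -> HOSTS file -> DNS server) and the
comment rule ('#' to end of line is ignored) follow 4runner's description.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample HOSTS file for the demo. The two *.symantec.com names are
# the ones quoted in the thread, mapped to 127.0.0.1 as bullhorn reported; the
# .invalid names are made up.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       tc.symantec.com
127.0.0.1       om.symantec.com      # added by something other than the user
0.0.0.0         ads.example.invalid
203.0.113.7     liveupdate.example.invalid
"""

# Names that are expected to map to a loopback address in a clean HOSTS file.
EXPECTED_LOCAL = {"localhost", "localhost.localdomain", "broadcasthost"}

# Suffixes of vendor update domains to watch; the thread's case is Symantec.
WATCH_SUFFIXES = ("symantec.com",)


def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (ip, hostname, line_number) for every active mapping.

    Anything from '#' to the end of a line is a comment, blank lines are
    skipped, and one IP may be followed by several hostnames on a line.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address; not a usable mapping
        for name in fields[1:]:
            entries.append((str(ip), name.lower(), lineno))
    return entries


def audit_hosts(text: str, watch_suffixes=WATCH_SUFFIXES) -> List[Dict[str, object]]:
    """Flag every mapping other than the normal localhost ones.

    'blackholed': the name points at loopback or 0.0.0.0, so the request goes
    back to the local machine (the LiveUpdate case in the thread).
    'redirected': the name points at some other address, so traffic for that
    name is sent to a third party's machine instead.
    """
    findings = []
    for ip, name, lineno in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback and name in EXPECTED_LOCAL:
            continue  # the one normal entry 4runner mentions
        kind = "blackholed" if (addr.is_loopback or addr.is_unspecified) else "redirected"
        watched = any(name == s or name.endswith("." + s) for s in watch_suffixes)
        findings.append({"line": lineno, "name": name, "ip": ip,
                         "kind": kind, "watched": watched})
    return findings


def resolve_order(name: str, cache: Dict[str, str], hosts_text: str) -> Tuple[Optional[str], str]:
    """Model the lookup order from the post: cache, then HOSTS, then DNS.

    Returns (address, source); address is None when the query would have to
    go out to the DNS server, which this offline demo does not contact.
    """
    key = name.lower()
    if key in cache:
        return cache[key], "cache"
    for ip, host, _ in parse_hosts(hosts_text):
        if host == key:
            return ip, "hosts"
    return None, "dns"


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        flag = " (update domain!)" if f["watched"] else ""
        print(f"line {f['line']}: {f['name']} -> {f['ip']} [{f['kind']}]{flag}")
    print(resolve_order("tc.symantec.com", {}, SAMPLE_HOSTS))
```

To run it against a real file, read the contents of `C:\Windows\System32\drivers\etc\hosts` (or `/etc/hosts`) and pass the text to `audit_hosts`. Any "watched" finding is exactly the situation NIS was reacting to in this thread; a "redirected" finding for any name is worth posting for comment, as 4runner suggests.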

Visitor
bullhorn
Posts: 6
Registered: ‎08-28-2008

Re: Update sites or spyware scams.

quote from [color=red]4runner[/color]

[quote]The prompt by NIS telling you it wants to remove these entries from HOSTS is a tamper protection. NIS says 'hey, I'm about to update, let me check and make sure I think I'm going to get to the correct server to get my update'. So it performs some tests and says 'oops, there is something in the HOSTS file that's going to prevent me from getting to the correct server'. So NIS then asks your permission to remove these entries before it updates[/quote]

No, I'm afraid you've got that the wrong way around. A screen came up over the Norton Protection Centre screen warning that Norton could not proceed to update unless it removed two sites from my host file; these sites were already routed to 127.0.0.1, so the prompt asked me if it could remove them... a yes or no screen... I selected yes and then made inquiries with host sites. In other words it was a [u]no go place[/u]... When removed it was a go place. I discovered later that my Google had a lot of guff added to it in the way of adverts... this is DNS hijacking by way of browser cookies... I had to clear my DNS cache to get rid of them.

You are twisting what I had originally stated in my first post.

I intend to take screen shots if it occurs again and will post them here as evidence if possible... bullhorn.

PS. I don't know if BBcode is enabled on this board as there is no review option.

Regular Contributor
4runner
Posts: 98
Registered: ‎06-20-2008

Re: Update sites or spyware scams.


bullhorn wrote:
'tc.symantec.com' and 'om.symantec.com'

Ok... so those two domains were pointed at 127.0.0.1 (also known as localhost), so that means any requests being made by software (LiveUpdate) to those two domains will be redirected back to your own computer (and the requests are most likely blocked at the firewall as requests to an unknown port -- after all, your computer isn't a Symantec server, is it? So why would it be set up to do anything but disregard requests like that?)

At any rate... NIS found the tamper, and told you it had to remove it to phone home (which it did, because your computer was told to ask itself).

The HOSTS file can also be used in another way... and that is to redirect you to fake / ad / malicious sites... That's the direction this thread was headed in... sorry for the confusion... things became clear when you mentioned 127.0.0.1.

You can use the toolbar above the message editor window... or you can click 'edit as html' and use your own HTML. (Not all HTML is supported.)