
Thread: Spybot itself a security risk?

  1. #1
    Junior Member
    Join Date
    Jan 2008
    Posts
    2

    Default Spybot itself a security risk?

    I'm encountering a very odd problem, odd in that it is so obvious:

    The HOSTS file is a strong security tool. That's why Spybot puts entries to dangerous websites into that file. Interestingly, however, when I myself add domains to my hosts file, Spybot (I hope I'm not pointing my finger at the wrong program, but I really don't think I am) takes it upon itself to delete my entries.

    How big of a security risk is that?

    I searched the help file for "hosts", but found no answers. Obviously I want Spybot to add dangerous sites to my hosts file, but I sure don't want it deleting them!

    Can anyone shed some light on this for me? Searching the forums for similar problems didn't help because there are just way too many entries referencing the hosts file.

  2. #2
    Senior Member
    Join Date
    Oct 2005
    Location
    Germany
    Posts
    5,263

    Default

    Hello,

    The immunization of Spybot - Search & Destroy adds sites to the restricted zones in order to block them. So the baddies won't get in.

    Best regards
    Sandra
    Team Spybot

  3. #3
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859

    Default

    Ouroboros:

    There does appear to be a defect in the HOSTS file facility.

    When Spybot inserts its list of entries into the HOSTS file it marks the beginning and the end of the HOSTS file entries it adds with comments as follows:

    Code:
    # Start of entries inserted by Spybot - Search & Destroy	
    127.0.0.1	www.007guard.com
    127.0.0.1	007guard.com
    127.0.0.1	008i.com
    127.0.0.1	www.008k.com
    127.0.0.1	008k.com
    …
    …
    …
    # This list is Copyright 2000-2007 Safer Networking Limited
    # End of entries inserted by Spybot - Search & Destroy

    If you remove Spybot's HOSTS file entries, it removes the entries between the beginning and ending comments, leaving the following:

    Code:
    # Start of entries inserted by Spybot - Search & Destroy	
    # End of entries inserted by Spybot - Search & Destroy

    During both the add and remove process, all other HOSTS file entries remain intact.

    So far so good.

    However, it appears that if Spybot is loaded when you make other changes to the HOSTS file and then either add or remove Spybot's HOSTS file entries, the other changes you made before Spybot's changes are ignored.

    In other words, it appears to me that Spybot reads the HOSTS file when it is loaded (SpybotSD.exe 1.5.1.18). If you make any changes to the HOSTS file and then use Spybot's HOSTS file facility (either via Immunize or Tools > Hosts file), the other changes you made are overwritten when Spybot saves the HOSTS file.

    Does this scenario fit the circumstances of when you have noticed that Spybot is deleting other HOSTS file entries?

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  4. #4
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,601

    Default

    Not sure if that is in project tools, but I remember I fixed something about that for 1.5.2, since the cached hosts file even conflicted with immunization vs. advanced mode Hosts file list.
    That's kind of an "eternal" problem: finding the proper trade-off between caching and reacting. Operations on a hosts file with a few thousands of entries would save some fractions of a second or even seconds if a cached version is used (since in cache, we can use an organization of the data different from the plaintext), but could lead to such problems. So 1.5.2 now reads the hosts file anew upon each immunization action.
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)

  5. #5
    Junior Member
    Join Date
    Jan 2008
    Posts
    2

    Default

    I'm sorry, but now I cannot reproduce the error. As I recall, what follows is what I did last night, multiple times, each time having my entries removed. But today, everything works as I would have expected. If they disappear again, I'll add information to the thread. Thanks for the help.
    Quote: Originally Posted by md usa spybot fan
    Does this scenario fit the circumstances of when you have noticed that Spybot is deleting other HOSTS file entries?
    I'm not sure. Let me list a series of actions which reproduces the event of items disappearing from the hosts file (that is, which I expected to reproduce the error when I began this post, but which did not).

    1) Spybot S&D resident is running

    2) Resident protection is checked

    3) Using windows explorer, open C:\WINDOWS\system32\drivers\etc

    4) Right-click on hosts file, select properties, remove the "read only" check from its check box

    5) Open the hosts file using notepad

    6) Add new entries between the lines:
    127.0.0.1 localhost
    # Start of entries inserted by Spybot - Search & Destroy

    7) Save and close notepad
    8) Change file permissions back to read only

    9) Verify that the changes still remain

    10) Open Spybot S&D, open the immunize section, click the Immunize button.

    At this point, the hosts file time stamp changes, but the entries are still there (not the way I remember it from my multiple attempts at adding entries last night).

    11) Undo immunization. Oddly, the entries remain, but so does this from Spybot:
    # Start of entries inserted by Spybot - Search & Destroy
    127.0.0.1 hao123.com
    127.0.0.1 www.hao123.com
    # This list is Copyright 2000-2007 Safer Networking Limited
    # End of entries inserted by Spybot - Search & Destroy

    12) Immunize again, this time it adds entries between:
    # This list is Copyright 2000-2007 Safer Networking Limited
    # End of entries inserted by Spybot - Search & Destroy

    But my entries remain.

  6. #6
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859

    Default

    PepiMK:

    I reran my test using Spybot 1.5.2 Release Candidate 1 with the following patches applied:

    I was unable to reproduce the problem I encountered when I ran my original test, although I tried it several times. It appears that reading the current HOSTS file rather than using the cached version of the HOSTS file has solved the problem.

    Ouroboros:

    Operations such as HOSTS file lookups would be very resource intensive if Windows reread the HOSTS file each time a lookup is required. Because of this, Windows caches the content of the HOSTS file in memory and periodically updates the cached version of the HOSTS file from the actual content of the HOSTS file itself. In other words, there is a delay between the time that a change to the HOSTS file is made and the cached version of the HOSTS file is updated.

    Evidently, Spybot was using the cached version of the HOSTS file so that changes to the HOSTS file that occurred immediately before the manipulation of the HOSTS file by Spybot may not have been recognized. This would account for your observation that there was a problem and then not being able to reproduce it. In other words, it is just a timing thing.

    Since the problem has been recognized and apparently addressed, the only thing that I can suggest to do until you update Spybot to its most recent releases is to wait a minute or so after making manual changes to the HOSTS file before altering the HOSTS file with either Spybot's immunization facility or Spybot's Tools > Hosts file facility.

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.
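
Added example, not part of the original thread and not Spybot's code: a Python sketch of the lost-update behaviour discussed above, where a tool rewrites its marker-delimited block in the hosts file from a copy read at load time versus from a fresh read. The function names, the temporary file and the `blocked.example` entry are constructed for illustration; only the two marker comments come from the thread.

```python
import os
import tempfile

START = "# Start of entries inserted by Spybot - Search & Destroy"
END = "# End of entries inserted by Spybot - Search & Destroy"

def replace_managed_block(text, entries):
    """Return text with the lines between START and END replaced by entries.
    Lines outside the markers are kept; the block is appended if absent."""
    lines = text.splitlines()
    block = [START] + [f"127.0.0.1\t{d}" for d in entries] + [END]
    stripped = [l.rstrip() for l in lines]  # the marker may carry trailing whitespace
    if START in stripped and END in stripped:
        s, e = stripped.index(START), stripped.index(END)
        if s < e:
            return "\n".join(lines[:s] + block + lines[e + 1:]) + "\n"
    return "\n".join(lines + block) + "\n"

def immunize_from_cache(path, cached_text, entries):
    """Stale-copy behaviour: write back a version read when the tool was loaded."""
    with open(path, "w") as f:
        f.write(replace_managed_block(cached_text, entries))

def immunize_fresh(path, entries):
    """Fresh-read behaviour: read the file anew for each action, then write."""
    with open(path) as f:
        current = f.read()
    with open(path, "w") as f:
        f.write(replace_managed_block(current, entries))

def demo(fresh):
    """Tool loads, user edits hosts by hand, tool immunizes. Returns final text."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "hosts")  # constructed sample, not the real hosts file
        original = f"127.0.0.1\tlocalhost\n{START}\n{END}\n"
        with open(path, "w") as f:
            f.write(original)
        cached = original                # snapshot taken at program load
        with open(path, "w") as f:       # manual edit made afterwards
            f.write(f"127.0.0.1\tlocalhost\n127.0.0.1\tblocked.example\n{START}\n{END}\n")
        if fresh:
            immunize_fresh(path, ["008i.com"])
        else:
            immunize_from_cache(path, cached, ["008i.com"])
        with open(path) as f:
            return f.read()

if __name__ == "__main__":
    print("manual entry kept (cached):", "blocked.example" in demo(fresh=False))
    print("manual entry kept (fresh): ", "blocked.example" in demo(fresh=True))
```

Comparing the file before and after any tool that manages a block in the hosts file is a quick way to confirm that hand-added blocking entries survive its updates.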
