By: Mike Healan
July 7, 2003

A posting on SpywareInfo's antispyware developer's mailing list caught my eye recently. It seems that the latest version of KaZaA is tampering with a Windows system file.

The HOSTS file is the first place Windows goes to look up the IP address of a remote server that your computer wants to connect to, such as a web site or a gaming server. If it is not listed in the HOSTS file, then it will send a request to your ISP's DNS servers to look up the IP address of the server.

A common trick is to use the HOSTS file to make Windows think that a dedicated advertising server is located at the IP address 127.0.0.1. That is the internal IP address of your own computer. When something wants to contact the advertiser's web server to load an ad, Windows believes that the server is located on your own machine, the real server is never contacted, and the ad is never loaded.

As of the latest version (2.5) of KaZaA, if certain entries are present in the HOSTS file, KaZaA will not load. Instead KaZaA pops up the following notice:

The "More Info" button leads to http://www.certifiedkazaa.com/certified.htm, which has this to say:

When KaZaA Media Desktop runs, if we detect some known changes that non-certified products make to your system, we will inform you that we have detected this and ask that you make some changes before running KaZaA.

• Simple: If it is a simple change then we will offer to fix the problem for you automatically. An example of this is when your 'HOSTS' file has been changed to prevent your computer reaching KaZaA.com or one of the other important domains that are required for KaZaA to function correctly. In this case we will comment the problem entries if you agree to let us fix the problem. If not, you will need to close KaZaA.

If you click the "Fix and Continue" button, KaZaA will alter the HOSTS files by disabling any entries relating to web sites owned by Sharman Networks or by their sponsors.

After some testing, I found that if the NTFS security settings are changed to restrict read access to the c:\windows\system32\drivers\etc\ folder by users (see next picture), KaZaA is unable to read this system file or tamper with it. It will still load however, although, for some reason, it takes about 20 seconds (on my system) to load.

If you are using Windows 2000 Pro or Server with the NTFS file system, you can simply right-click the folder while logged in as an administrator, select properties, and then click the security tab. Click the box to deny "Read" permissions and click OK. (screenshot)

If you are using Windows XP Pro with the NTFS file system, Microsoft hides these options from you by default. You will need to turn off "Simple File Sharing" from Control Panel > Folder Options > View before you can access the settings. I don't know whether XP Home allows access to these security options or not.

If you are using Windows 95, 98, or ME, or are using 2000 or XP with the FAT32 file system, then I'm afraid that you are out of luck. These security features do not exist on the FAT32 file system.

If you are not sure whether you are using NTFS or FAT32, open your My Computer folder, right-click on your hard drive icon, and select properties and your type of file system will be listed. (screenshot)

For those wondering about my publicly-stated opposition to hacking the spyware out of KaZaA and other file sharing programs, that has no bearing on this. I have reviewed KaZaA's license and it makes no mention of altering Windows system or network files, and it does not mention the HOSTS file or anything related to it in any form.

It is my opinion that KaZaA crosses the line to become malware by making unauthorized alterations to Windows network files. The instructions above will prevent these alterations if you are using the NTFS file system.

My recommendation is that KaZaA should not be used. There are several file sharing programs that do not include spyware and other unwanted advertising parasites. There are also music services becoming available that allow consumers to purchase, download, burn, and copy music files for reasonable amounts of money.

This article is located at http://www.spywareinfo.com/articles/kazaa/

Links:

http://accs-net.com/hosts/ More information about HOSTS file usage
http://www.spywareinfo.com/articles/p2p/ List of spyware-infected and spyware-clean file sharing programs