I was going through the log files on my firewall server today when I saw something odd: my PC was trying to send outbound traffic on port 6667 every 30 seconds. At first I thought that this was for my IRC client, but it wasn’t. Instead, it’s a legacy of the “Sky by Broadband” service that I signed up for last year.
I used the Sky application to download one film on 12th March 2006. I haven’t run it since, and I reduced my channels in January so that I no longer get free access to their films. However, part of it has been running in the background ever since. This blog post provided an explanation: the application actually uses “peer to peer” technology rather than being client/server. I don’t remember reading anything about that when I installed it, and looking at the Sky website (now rebranded to “Sky Anytime”) they haven’t made it prominent.
Basically, apart from the front end application, there’s a service (kservice.exe) which is configured for automatic startup. In other words, every time you turn the PC on, this thing starts running in the background, with full local system privileges. As I mentioned, it’s literally trying to contact the Sky servers every 30 seconds, as per my logs:
Fortunately, ISA 2004 (running on my server) is blocking that traffic. However, the average ADSL router is configured to allow all outbound traffic by default (while blocking inbound traffic), so it would go through. Since I’m running Windows XP, I do have a local firewall too. However, the Sky installation program modified that to include some exceptions:
(Incidentally, both had full scope, i.e. they’d talk to anything on the internet rather than the Sky servers specifically.)
When I stopped the “KService” service on my desktop PC, ISA stopped reporting the relevant traffic, so that was definitely the culprit. Anyway, since I no longer need this program, time to uninstall it. This is a bit more long-winded than is strictly necessary.
1. Remove the “Sky by Broadband” application, using “Add/Remove Programs” in Control Panel. This removes the front-end application, but leaves “KService” running.
2. Download the “kclean.exe” utility from the Sky website. Running this utility successfully removed the service and the program files/registry settings behind it.
3. Remove the “C:\Program Files\kservice” folder. It was pretty much empty, but the “downloads” subfolder contained the film I downloaded last year.
4. Remove the exceptions from the XP firewall. (They’re pretty much harmless at this point, without the corresponding files, but it’s still neater to get rid of them, and avoids any problems of rogue files exploiting that hole.)
This process does raise a few questions.
Firstly, if the installation program was able to make all of these changes, why couldn’t the uninstallation program undo them all? Item 3 on the kclean page says: “Because Kontiki is a Windows service, not an application, it can only be removed using KClean; Kontiki cannot be removed using the “Add/Remove Programs” Control Panel.” In my professional opinion, this is untrue. I am willing to accept that the Sky programmers don’t know how to do it, but other uninstallation programs manage this fine (e.g. SQL Server, Exchange). Frankly, if they can’t clean up their own mess, I don’t want their sloppy code on my machine.
Secondly, why was the video still on my machine (using up 640Mb on my hard drive), given that I could no longer watch it? According to item 6 on the kclean page: “Note that once your license to view these videos expires, the videos will be deleted automatically from your PC”. Clearly this didn’t happen. It may be that this is a function of the Sky front-end application (which I haven’t run since the licence expired), but the video was stored in the kservice application folder. That in itself is dodgy, since it breaks the rules about separating programs from data, but I’ll let that slide since there are bigger problems to address here.
Thirdly, would other people be able to access the film if I didn’t have ISA blocking that traffic for me? The Sky Anytime FAQ refers to a “delivery grid”, and says that no other end users will be accessing my PC directly (Q9 in section 6). However, item 6 on the kclean page says that “If you leave Kontiki on your PC, then any remaining Sky by broadband videos you have downloaded will continue to be ‘shared’ with other Sky by broadband users on the secure peer-to-peer network.” These two pages apparently contradict each other, which is a bit worrying.
I guess the moral of this story is to be careful about what you install on your computer, in case it’s doing sneaky things behind your back.
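What gave the service away in the firewall log described above was an outbound attempt to the same port at a fixed interval. The following Python script is an added example, not part of the original post, that flags flows with that pattern; the log format, addresses and thresholds are constructed assumptions and do not reflect ISA 2004's real log layout.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample in a simplified, made-up format (not ISA 2004's real layout).
def _sample():
    lines = []
    for i in range(10):  # one denied attempt every 30 s, like the service in the post
        m, s = divmod(i * 30, 60)
        lines.append(f"2007-03-10 09:{m:02d}:{s:02d} DENY TCP 192.168.0.10 -> 203.0.113.5:6667")
    # Irregular web traffic from another host, which should not be flagged.
    for t in ("09:00:04", "09:00:09", "09:03:41", "09:04:02", "09:09:30"):
        lines.append(f"2007-03-10 {t} ALLOW TCP 192.168.0.11 -> 198.51.100.7:80")
    return lines

SAMPLE_LOG = _sample()
LINE_RE = re.compile(r"^(\S+ \S+) (ALLOW|DENY) (\w+) (\S+) -> (\S+):(\d+)$")

def find_beacons(lines, min_events=6, max_jitter=0.1):
    """Return {(source, destination, port): period_seconds} for periodic flows.

    A flow is flagged when it has at least min_events attempts and the
    standard deviation of the gaps between them is no more than max_jitter
    times the mean gap (both thresholds are assumptions to tune).
    """
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        seen[(m.group(4), m.group(5), int(m.group(6)))].append(when)
    beacons = {}
    for flow, times in seen.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) <= max_jitter * mean:
            beacons[flow] = round(mean)
    return beacons

if __name__ == "__main__":
    for (src, dst, port), period in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{port} roughly every {period}s")
```

Blocked and allowed attempts are counted alike, so the check still works behind a router that permits all outbound traffic, provided it logs connections.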