Beware of ungracious hosts
Robert Vamosi April 11, 2005
Taking a page from virus writers, identity thieves could soon use a tiny file on your computer to redirect you to their fraudulent sites.
A few weeks ago, I wrote about a new trend among identity thieves called pharming, where whole domains are hijacked, and users unwillingly find themselves on familiar-looking yet fraudulent Web sites. Pharming exploits a weakness in how the current Internet is structured, namely the Domain Name System (DNS), which translates easy-to-remember URLs into the IP addresses that networks use to route data packets across the Internet. Since that column, I've been thinking about other ways to accomplish a similar feat. For example, rather than poison or change the data on a remote DNS server, why not use a common file on your computer to redirect your desktop computer somewhere else instead?
Internet Connection primer
Almost all Internet-connected computers -- Windows, Mac, Linux, even Unix -- use a hosts file (NB: this type of file has no extension).
Whenever you access a site on the Internet, instead of typing its IP address (say, 220.127.116.11), you simply type www.zdnet.co.uk.
Your computer must first learn the IP address of the server hosting the ZDNet site before it can connect, and it does so by asking a DNS server. As mentioned in my pharming column, identity thieves have been known to compromise DNS entries so that anyone trying to find www.yourbank.com
instead gets a very good replica located on a fraudulent Web site -- and all the while, the URL displayed on your address bar in your browser looks just fine to you.
But the TCP/IP protocol also allows for a hosts file to trump any DNS address query. Using Notepad or any text editor, you can view your own computer's hosts file contents. On a Windows machine, the hosts file is generally located within the Windows folder; on Windows NT, 2000 and XP, it's within a subfolder with your Windows drivers. A fresh hosts file should look something like this (and for the record, I don't recommend altering your hosts file):
# Copyright (c) 1998 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP stack for Windows98
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#'
# For example:
# 18.104.22.168 rhino.acme.com # source server
# 22.214.171.124 x.acme.com # x client host
Virus writers know about hosts files
Unfortunately, virus writers know that hosts files can block Internet address requests -- especially requests to view antivirus and security vendor Web sites. The recent Mytob virus is one that attacks the hosts file on Windows systems. Virus writers do this by associating the local host address of 127.0.0.1 next to the antivirus company's URL in the hosts file; 127.0.0.1 is a special loopback address for the machine you are currently using, which means that your request to go out onto the Internet to a Web site simply loops right back to your computer. Should you find yourself unable to reach an antivirus software company to obtain the latest antivirus signature file to contain or remove a virus, you might want to check your hosts file. In this one exception to the rule to not change your hosts file, I recommend first using a text editor to save the existing hosts file to something distinct, such as HostsOld, then delete all the blocked antivirus or security vendor associations (or mark them with #s to comment them out) and save the edited file as hosts (with no extension).
You might be thinking that you can also use your hosts file to block spyware and adware? You can, but I don't recommend it. Not manually. First, the list will be hard for you to maintain. Instead, I recommend downloading a free anti-spyware program, such as Microsoft AntiSpyware (Beta), Spybot or Ad-aware. Second, long lists within your hosts file often slow your computer's access to the Internet.
Scam artists also know about hosts files
You might also be thinking that if a hosts file can exclude, can it also redirect? Yes, it can. Say you have a favourite site called BrandX.com, and it has an archrival site called BrandY.com. BrandX.com lives at 123.456.00.00 while BrandY.com lives at 126.96.36.199. If someone were to alter your hosts file so that every time you typed BrandX.com on your browser it would return BrandY.com's site instead, you'd be cross, I'm sure. That alteration in your hosts file would look like this:
Unfortunately for you and me, scam artists are lazy. Rather than changing BankOne's DNS registration (which involves some social engineering and work), an identity thief or so-called pharmer could simply alter your hosts file instead. This would be a slow process, and updating individual computers would produce rather little profit. However, if a virus writer fell under the employ of a pharmer (or a spam merchant) and could somehow infect thousands, if not millions, of computers with a compromised hosts file, the rewards would be even greater.
Is this happening right now? Yes and no. In some countries, such as Brazil, malicious Trojan horses are redirecting users away from local banks and toward criminal sites, but this has yet to become widespread. And although a large-scale version of this attack (say, targeting many financial sites at once) hasn't happened, there's little reason to think it won't.
Any good antivirus product (such as Trend Micro's PC-cillin) that's kept up-to-date should keep your system safe. Better yet, try a good security suite (such as ZoneAlarm Security Suite 5.5), and you'll have all of your antivirus, firewall and anti-spyware bases covered.