-
April 22nd, 2011, 10:00 AM
#11
Yes, I have seen Hosts files that have been modified and sometimes hidden by malware. What strikes me as odd is that Bob rebuilt the file... surely Windows would complain if you try to create a file of the same name in the same directory... or at least warn you if you were going to replace an existing file?
Also, in the cases I have seen, the users were pretty well aware of the redirects and complained about them? I suppose it could be some sort of bungled or incompatible malware though.
On XP machines I tend to use Tall Emu's Online Armor... it requires you to give permission to modifications of the Hosts file as well as running new processes and other changes. It is basically a combined firewall and behavioral monitor and is free for private use.
Ordinary applications installation and updates are fine as it will remember authorised programs and even has an application installation mode. You need to turn it off before applying Windows updates though, or it gets very annoying.
-
April 23rd, 2011, 04:46 PM
#12
a moot point just FYI
Originally Posted by TG2
wow. on the net long enough ... you're bound to see it all.... I poke, of course, but really you're that on most of the time..
So.. Hosts file ... operates like hosts on linux, the default for windows is to check the hosts file first then resolve via DNS ... any entry in the hosts file in windows that is setup with #PRE at the end of the line, causes windows to preload that entry
ie. 127.0.0.1 some.adserver.com #PRE
And agreed, that it's odd the cracker/spammer/malware would delete the file, more likely to either wipe out the file and add its own redirections ...
In windows the preloading of information is done in lmhosts.sam with the #PRE ext.
i don't find it that odd as many spam blockers use hosts to keep the nasties out
Last edited by Ted0b1; April 23rd, 2011 at 04:58 PM.
-
April 28th, 2011, 08:43 AM
#13
I have seen this before, in Windows if you have antivirus software it sometimes hides the hosts file. In the folder %SystemRoot%\system32\drivers\etc\ when searching for hosts file make sure that you display hidden files and system files. You will probably notice the hosts file being renamed to something else. Hopefully it's still there.
----------------------------------------------------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said a faster horse." ~ Henry Ford
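A small audit script for the checks the posts above describe (is the file there, is it hidden or marked system, and what do its entries actually do), added here as an example and not code from the thread or any poster. It parses hosts-file text, separates ordinary ad-blocker sinkholes from the two patterns worth a second look (a watched name sinkholed to loopback or 0.0.0.0, and a name redirected to a real address), and on Windows reads the hidden/system attributes via os.stat. The sample hosts text, the example domains and the watch list are constructed; the only value taken from the thread is the %SystemRoot%\system32\drivers\etc\ location.

```python
import ipaddress
import os
import stat
from dataclasses import dataclass

# Default location named in the thread; SystemRoot is read from the environment on Windows.
WINDOWS_HOSTS = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                             "system32", "drivers", "etc", "hosts")

# Names a stock Windows hosts file legitimately maps to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample, not a real hosts file.  Line 7 is deliberately malformed.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example.org          # typical ad-blocker sinkhole, benign
0.0.0.0         update.example.com       # a watched vendor name sinkholed
203.0.113.9     bank.example.net         # silent redirect to a third-party address
not-an-address  broken.example
"""

# Constructed watch list: names whose sinkholing would block updates or AV signatures.
WATCHED = ("update.example.com", "av.example.net")


@dataclass
class HostsEntry:
    line_no: int
    address: str
    names: list


def parse_hosts(text):
    """Parse hosts-file text into entries.  Blank lines and '#' comments are
    ignored (so trailing tags such as '#PRE' are stripped), and lines whose
    first field is not an IP address are skipped rather than raising."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        entries.append(HostsEntry(line_no, parts[0], [n.lower() for n in parts[1:]]))
    return entries


def suspicious_entries(entries, watched=WATCHED):
    """Return (line_no, name, reason) for entries that redirect a name to a
    non-loopback address, or that sinkhole a watched name.  Plain ad-blocker
    sinkholes of unwatched names are not reported."""
    findings = []
    for e in entries:
        addr = ipaddress.ip_address(e.address)
        sinkhole = addr.is_loopback or addr.is_unspecified
        for name in e.names:
            if name in LOCAL_NAMES:
                continue
            if not sinkhole:
                findings.append((e.line_no, name, "redirected to %s" % e.address))
            elif name in watched:
                findings.append((e.line_no, name, "sinkholed to %s" % e.address))
    return findings


def file_status(path=WINDOWS_HOSTS):
    """Report whether the file exists and, on Windows, whether it carries the
    hidden or system attributes (st_file_attributes is only set on Windows,
    so elsewhere both flags come back False)."""
    if not os.path.exists(path):
        return {"exists": False}
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", 0)
    return {
        "exists": True,
        "size": st.st_size,
        "hidden": bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)),
        "system": bool(attrs & getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0)),
    }


def audit_text(text, watched=WATCHED):
    """Parse and flag in one call; used by the example run below."""
    return suspicious_entries(parse_hosts(text), watched)


if __name__ == "__main__":
    print(file_status())
    for line_no, name, reason in audit_text(SAMPLE_HOSTS):
        print("line %d: %s %s" % (line_no, name, reason))
```

Run on a real machine the script prints the file's status first; a result of `{'exists': False}` at the default path, or `hidden`/`system` True where the stock file has neither, is the situation the posts describe. The watch list is the part to tailor: an ad-blocker hosts file will contain thousands of loopback entries, and only the names you depend on for updates or signatures need to be in it.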
-
April 28th, 2011, 06:20 PM
#14
i don't find it that odd as many spam blockers use hosts to keep the nasties out
Sure, and if they find the Hosts file is missing they will most likely send an error message. That's why I would expect an amendment to the file rather than its deletion, or renaming, as it is less likely to attract attention before the malware has had a chance to do its job.
I have seen this before, in Windows if you have antivirus software it sometimes hides the hosts file.
From what Bob has said all the machines are running the same AV, yet only 2 out of 7 have had the problem.