Archive for the ‘Troubleshooting’ Category

Hijacked hosts file is an internal security breach

27 December, 2011

Questions

Anti-virus websites are blocked.
Search engines are blocked.
When you try to open a website, some unexpected website loads.
Hosts file is hijacked.

Wiki for HOSTS file

The “hosts” file is a system file used to map hostnames to IP addresses.
By default, there is only one entry in the file:
127.0.0.1 localhost
With this entry, the website served at http://127.0.0.1/ is reached when you enter http://localhost/ in the browser.

How would you feel if you typed google.com into any browser and landed somewhere else?

Viruses may modify the hosts file for silent phishing attacks, for blocking anti-virus websites, or for blocking search engines.

Example

The following modified hosts file has two implications:
Access to the website kaspersky.com will be blocked.
Access to the website google.com will redirect you to yahoo.com (98.137.149.56).
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

# Following redirections may be added by virus
127.0.0.1 kaspersky.com # This will block the kaspersky website
98.137.149.56 google.com # This will redirect to some other website(98.137.149.56), when you try accessing google

Example implementing modified hosts file

The Real Threat

Because of its role in local name resolution, the hosts file is an attack vector for malicious software.
Viruses modify the hosts file to redirect you to malicious, fraudulent or unwanted websites when you try to open a legitimate website.
In the web browser’s address bar you will still see the correct address that you entered, but the actual content will come from the malicious website.

Type 1 : DOS Attack

The file may be hijacked and modified to redirect traffic from the intended destination to sites hosting content that may be offensive or intrusive.
The virus W32.MyDoom@mm used this technique to create a distributed denial-of-service (DDoS) attack in 2004.
http://en.wikipedia.org/wiki/Mydoom.B

Type 2 : Blocking Websites

Some viruses can block your access to anti-virus websites using the HOSTS file.
The installed anti-virus will then be unable to update its virus definitions.
Search engines may be blocked as well, to prevent you from searching for a solution.
http://www.f-secure.com/v-descs/qhost.shtml

Type 3 : Phishing Attack

The banking/social networking websites may be redirected to phishing websites to steal credentials.
http://en.wikipedia.org/wiki/Phishing

Solution

Most anti-virus products do not fix the hosts file, because of the complications involved, so it has to be done manually.
Open the following directory:
%windir%/system32/drivers/etc/
Create a backup copy before you modify the hosts file.
Remove the read-only attribute from the hosts file.
Open the file in Notepad.
Delete every line containing a suspicious hostname or IP address.
Do not delete the following default line:
127.0.0.1 localhost
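To make the manual check above repeatable, here is a small audit script that applies the same rules to a hosts file: it reports every hostname pinned to a loopback or 0.0.0.0 address (the blocking pattern) and every hostname pointed at a routable address (the redirect pattern), leaving only the stock localhost entries unflagged, and it can write out a copy with the flagged lines removed. This is an added example and not code from the original post; the WATCHED domain list, the LOCAL_NAMES set and SAMPLE_HOSTS are constructed for illustration (the sample mirrors the hijacked file shown in the Example section).

```python
"""Audit a hosts file for the hijack patterns described in the post:
names pinned to loopback/0.0.0.0 (blocking) and names pointed at a foreign
address (redirection). Added example, not part of the original post."""
import ipaddress
import sys
from typing import NamedTuple

# Names that legitimately map to a loopback address in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}
# Assumption: domains a defender most wants flagged (the vendor and search
# sites named in the post). Extend with whatever matters in your environment.
WATCHED = {"kaspersky.com", "f-secure.com", "google.com"}


class Finding(NamedTuple):
    line_no: int
    address: str
    hostname: str
    kind: str      # "block", "redirect" or "malformed"
    watched: bool  # hostname is (a subdomain of) a WATCHED domain


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for every non-comment line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()   # drop trailing comments
        if body:
            fields = body.split()
            yield line_no, fields[0], fields[1:]


def is_watched(host, watched=WATCHED):
    return any(host == d or host.endswith("." + d) for d in watched)


def audit_hosts(text, watched=WATCHED):
    """Return a Finding for every entry that is not a stock local-name entry."""
    findings = []
    for line_no, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(Finding(line_no, addr, " ".join(names), "malformed", False))
            continue
        pinned = ip.is_loopback or ip.is_unspecified   # 127.x.x.x, ::1, 0.0.0.0
        for name in names:
            host = name.lower().rstrip(".")
            if pinned and host in LOCAL_NAMES:
                continue                                # the expected default entry
            kind = "block" if pinned else "redirect"
            findings.append(Finding(line_no, addr, host, kind, is_watched(host, watched)))
    return findings


def clean_hosts(text, findings):
    """Return the file text with the flagged lines removed; comments, blank
    lines and the localhost entries are kept exactly as they were."""
    drop = {f.line_no for f in findings}
    kept = [line for n, line in enumerate(text.splitlines(), 1) if n not in drop]
    return "\n".join(kept) + "\n"


# Constructed sample mirroring the hijacked file shown in the post.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
::1             localhost

# Following redirections may be added by virus
127.0.0.1 kaspersky.com             # blocks the vendor site
98.137.149.56 google.com            # silently redirects to another host
0.0.0.0 www.f-secure.com            # same blocking effect as loopback
192.168.1.10 dev.internal.example    # legitimate local entry, still reported
"""

if __name__ == "__main__":
    # Usage: python hosts_audit.py [path-to-hosts]; with no path the sample runs.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for f in audit_hosts(text):
        flag = "!!" if f.watched else "  "
        print(f"{flag} line {f.line_no}: {f.kind:8} {f.address} -> {f.hostname}")
```

The script deliberately reports every non-default entry rather than deciding for you: a private address such as the dev.internal.example line is a legitimate use of the hosts file, so review the findings and pass only the ones you are sure about to clean_hosts, after taking the backup the steps above call for.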

Heal Pendrive v2.0 uploaded

2 February, 2011

Heal Pendrive v2.0

Download
Finally I finished v2 of HealPendrive. It has a user-friendly GUI and many useful features.

Features:
*This tool can be used to remove virus/suspected files from a pendrive.
*Instructions are provided at the bottom of each step.
*Built on VB.net, this application is much superior to the previous v1.0.
*Improved “hunt-and-delete” has been integrated in this version.
+Automatic selection of the connected pendrive.
+Details for the selected drive.
+Displays contents of autorun.inf.
+Individual options to fix registries.
+Calls the CHKDSK utility to detect and fix bad sectors.
+Most appreciated “hunt-and-delete” feature with multiple options.

What’s not:
-Files marked for deletion are deleted permanently (not sent to the Recycle Bin).
-Registry changes are not reversible.
-This tool is only to be used on removable drives.

What’s coming:
*Safely remove drive feature in the next builds.

New Release: Safely Remove Pendrive

14 February, 2009

Taking out a pendrive without safely removing it may corrupt the file system on the pendrive and may make the pendrive completely unrecognizable and unusable.
So, you should always Safely Remove the pendrive before pulling it out.

Many times when you try to eject a pendrive it gives an error:
‘Problem Ejecting USB Mass Storage Device’

For example, if you are playing a song from the pendrive and you try to safely remove it, it won’t work.
The media player, explorer.exe, etc. keep accessing the files and folders on the pendrive even after you stop playing them.
Many viruses also access the autorun.inf file and the virus files on your pendrive.
This tool helps you close the handles of the processes that are accessing files on the pendrive, so that you can safely remove the pendrive.

Download Link
http://piyushlabs.googlepages.com/SafelyRemovePendrive.zip

regsvr.exe / rundll.exe / ‘Microsoft CorpAration’ virus details & heal uploaded

26 March, 2008

It has been quite a few days. People have been reporting this new virus. Thanks to Muthu Kumar, who sent me the virus file so I could work out the heal.

I really like this virus. It creates a lot of files and makes a lot of registry changes. Finding the solution was really challenging. It is built with AutoIt, version unknown. The latest update of Kaspersky does not detect this virus unless it is scanned thoroughly.

not-a-virus:Monitor.Win32.007SpySoft.q -> rundll.exe
Worm.Win32.AutoIt.s -> regsvr.exe

The “Microsoft Corparation” tag is really confusing. Mind it, it’s Corp‘a’ration, not Corp‘o’ration … he he

I won’t say my heal is totally complete; there is still some more work I’m supposed to do with it, probably to fix some more registries that I still know what they do. Overall my heal will end-task the virus files and restore most of the registries.

This virus/trojan keeps a complete watch on the system by taking snapshots every 30 seconds. Suppose you have this virus for 30 days; just think how much space it will eat. lol

Like other recent viruses, this virus makes an exe file inside every folder with the name of the parent folder (BUT only in removable drives, as far as I found). It spreads via pen drives, leaving regsvr.exe, New Folder.exe and autorun.inf files in the root directory of the pen drive and other <folder named> files inside.

So here is the solution…
https://piyushlabs.wordpress.com/regsvr/

Heals for ntde1ect mahsa and nhatquanglan uploaded

3 December, 2007

Sorry for being too late. Semester exams ahead. God, help me.

I have uploaded the heals for ntde1ect.com (avpo), mahsa, and nhatquanglan… You can download them from the download page.

I didn’t want to upload the heals, because I want people to fix the virus problems themselves manually, so that they learn and can fight any new virus that may arrive. All the solutions have common steps/procedures. A little bit of knowledge about some registries, and about managing startup items, can solve most of the problems…

The heal for nhatquanglan may not completely heal your computer, as there seem to be many variants of the virus. Reply back, whether it works or not. Well, it works on my computer : )

Uninstalling Linux

27 November, 2007

I was just trying to use Linux, which I had installed two weeks ago.

First I had Sabayon; I like its 3D Beryl effect… it’s awesome. But it was very unstable and often crashed. So then I installed PCLinux, replacing the previous Linux; it had all the features, but it was unable to write to NTFS drives 😦

Now I wanted to uninstall even this one. What I did: in WinXP I just formatted the drives on which Linux was installed.

Then, oh my god, it was showing some GRUB loader error. I understand I shouldn’t have done it like that, because that’s not the right procedure (now I know).

Thanks to Gaurav Mota, who helped me fix the problem. What he did: just boot the computer using the Win XP CD, delete the Linux partition, and create it again… that’s all… and everything is normal again.

Now I’m thinking of installing Solaris 10… hope there’s no problem.. he he…

Softwares (HEALS) uploaded !!!

17 October, 2007

At last, today I have uploaded my antivirus for ssvichosst, nhatquanglan, the orkut virus (microsoftpowerpoint.exe), etc. These are just virus removers and do not provide any protection against getting the viruses again. They are programs written in C/C++ by me and are free to use and distribute. The size of these HEALS is just a few KB. They simply do the troubleshooting that you can do yourself by following my step-by-step procedure. You can remove the viruses with these small programs 🙂

https://piyushlabs.wordpress.com/downloads/

solution for nhatquanglan found

16 October, 2007

I had to install this virus to find out what it does. Then I found out the step-by-step solution for this. It spreads deadly via LAN. When I installed it, it sent its offspring to all the accessible shared folders on the network. Here’s how you can fix the problem:

https://piyushlabs.wordpress.com/nhatquanglan-new-folder-svchost/
