Hijacked hosts file is an internal security breach

Questions

Anti-virus websites are blocked.
Search engines are blocked.
When you try to open a website, some unexpected website loads.
Hosts file is hijacked.

Wiki for HOSTS file

The “hosts” file is a system file used to map hostnames to IP addresses.
By default, there is only one entry in the file.
127.0.0.1 localhost
With this setting, the actual website at http://127.0.0.1/ can be accessed when you enter http://localhost/ in browser.

How would you feel, if you type google.com is any browser and you land somewhere else.

Viruses may modify hosts file for silent phishing attack, blocking anti-virus websites, blocking search engines.

Example

The following modified hosts file will have two implications
Access to the website kaspersky.com will be blocked.
Access to the website google.com will redirect you to yahoo.com(98.137.149.56).
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

# Following redirections may be added by virus
127.0.0.1 kaspersky.com # This will block the kaspersky website
98.137.149.56 google.com # This will redirect to some other website(98.137.149.56), when you try accessing google

Example implementing modified hosts file

The Real Threat

Because of its role in local name resolution, the hosts file represents an attack vector for malicious software.
Viruses modify the hosts file to redirect you to malicious/fraud/unwanted websites when you try to open legitimate website.
On the web-browser’s address bar you will see the correct address that you have entered, but the actual contents will be from the malicious website.

Type 1 : DOS Attack

The file may be hijacked and modified to redirect traffic from the intended destination to sites hosting content that may be offensive or intrusive.
The virus W32.MyDoom@mm used this to create a distributed denial-of-service(DOS) attack in 2004.
http://en.wikipedia.org/wiki/Mydoom.B

Type 2 : Blocking Websites

Some viruses can block your access to the Anti-Virus websites using HOSTS file.
The installed anti-virus will be unable to update its virus-definition.
The search engines may be blocked to prevent you searching for the solution.
http://www.f-secure.com/v-descs/qhost.shtml

Type 3 : Phishing Attack

The banking/social networking websites may be redirected to phishing websites to steal credentials.
http://en.wikipedia.org/wiki/Phishing

Solution

Most of the anti-virus do not fix the hosts file due to complications and it has to be done manually.
Open the following directory
%windir%/system32/drivers/etc/
Create a backup file before you modify the hosts file.
Remove read-only property for hosts file.
Open the file in Notepad.
Delete all lines with suspected URL’s and IP’s contents.
Do not delete the following default line
127.0.0.1 localhost

Tags: , , ,

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: