What is the Hosts file? Just one of many files?

The topic of computer security is so complex that even the most advanced users are not aware of all the possible Malware hiding places. The Hosts file is one of the lesser known possibilities. This can be especially misused for so-called Pharming attacks, a special form of Phishing. What this is and how it works are explained in the following text.

Let us go back in time somewhat and recall the days when the Internet was still called ARPANET and consisted of only relatively few computers. Even in these early days all computers in the network were assigned a unique number, their IP address. This can be viewed as an exact identifier for a computer in a network, similar to a telephone number. Humans however, are much better at recognizing proper names than strings of numbers, especially when these are 4 sets of three numbers as used in IP (Internet Protocol) addresses. These days, the DNS (Domain Name System) servers provide a service translating (e.g.) www.emsisoft.com into the IP address, which is then used to access exactly this computer containing the Emsisoft website. In the days of ARPANET, the DNS system did not exist. This was instead done by – you guessed it – the Hosts file.

In itself, the Hosts file was very unspectacular – and it still is. This is an unformatted text file containing the domain names and their IP addresses next to each other. When you want to address a particular computer, the operating system “looks” first in the Hosts file, obtains the relevant IP address, and then uses this to contact the computer/server at this address. You can understand why these days this is done using DNS; it would be a huge logistical problem to constantly update all entries on all computers in the Internet, especially given the growth rate of the net. However, a Hosts file still remains on your computer, as a sort of relic from earlier days.

Windows 2000 or XP users will usually find the Hosts file in the directory c:\windows\system32\drivers\etc\. You may perhaps ask – how can this be damaging? The file in itself is not damaging. However, its contents can cause damage. Your computer – or more accurately, your operating system – still uses the Hosts file, in addition to DNS, to locate the addresses of particular servers. Assume that you do Online Banking with a particular financial institution. To do this, you visit a particular website that, like all websites, has a particular IP address. If someone changes the Hosts file on your local computer so that it contains the name of this Online Banking website, then your computer is redirected and does not land at the intended website. With a small amount of criminal energy, an attacker can reproduce the layout of your bank website on their own server, and then redirect you to this server via the Hosts file. They can then enjoy receiving your personal data, such as login, password, and your PIN of course, all the data that you would normally enter into the true banking website without exercising any extra caution.

These attacks are called “Pharming” in technical circles. Attackers use a small Malware program that infects as many computers as possible and modifies the Hosts file. In normal cases this attracts very little attention, since many anti-malware programs do not generate an alarm and do not notice the changes. The target of these attacks does not always have to be your Online Banking access: Ebay accounts or Webmail addresses such as GMX/Web.de are also favorite targets. The Hosts file can also be misused to circumnavigate anti-malware or anti-virus updates. The attempt to contact the update server of the relevant software supplier is simply redirected to another server. The protection program does not receive any new signatures and updates, and can no longer recognize and remove the pest that modified the Hosts file.

Naturally, as usual we do not wish to just highlight a potential danger but also offer you a means of protecting yourself. The simplest option is to regularly look at your Hosts file and check for changes. At the very least, you should regard it as suspicious when entries for your banking website or Ebay appear in this file. Emsisoft HiJackFree offers you a convenient way of examining and editing the Hosts file.

As of version 2.1, Emsisoft Anti-Malware also includes Hosts file monitoring. As soon as the contents of this file are changed, Anti-Malware raises an alarm and allows you to remove the changes if you wish. This gives Malware no chance of redirecting you to the wrong website.

Have a Great (Malware-Free) Day!