On TechRepublic: 19 words you don't want in your resume

Search:
Go!


advertisementDell Desktop only $499; $230 off
Today on CNET
Reviews
News
Downloads
Tips & Tricks
CNET TV
Compare Prices
Blogs
Cell phones| Desktops| Digital cameras| Laptops| MP3 players| TVs| All Categories


Click Here
advertisement

Security Watch : Don't get burned by viruses and hackers
Beware of ungracious hosts (hosts files, that is)
E-mail to a friend
Send us feedback
TalkBack
TalkBack:
Add your opinion
By Robert Vamosi 
Senior editor, CNET Reviews
April 8, 2005

A few weeks ago, I wrote about a new trend among identity thieves called pharming, where whole domains are hijacked, and users unwillingly find themselves on familiar-looking yet fraudulent Web sites. Pharming exploits a weakness in how the current Internet is structured, namely the Domain Name System (DNS), which translates easy-to-remember URLs into the IP addresses that networks use to route data packets across the Internet. Since that column, I've been thinking about other ways to accomplish a similar feat. For example, rather than poison or change the data on a remote DNS server, why not use a common file on your computer to redirect your desktop computer somewhere else instead?

Internet Connection 101
Almost all Internet-connected computers--Windows, Mac, Linux, even Unix--use a hosts file (Note: This type of file has no extension).

Virus writers know that hosts files can block Internet address requests, especially requests to view antivirus and security vendor Web sites.

Whenever you access a site on the Internet, instead of typing its IP address of, say, 220.127.0.0, you simply type www.cnet.com. Your computer must first learn the IP address of the server hosting the CNET site before it can connect, and it does so by asking a DNS server. As mentioned in my pharming column, identity thieves have been known to compromise DNS entries so that anyone trying to find www.yourbank.com instead gets a very good replica located on a fraudulent Web site--all the while the URL displayed on your address bar in your browser looks just fine to you.

But the TCP/IP protocol also allows for a hosts file to trump any DNS address query. Using Notepad or any text editor, you can view your own computer's hosts file contents. On a Windows machine, the hosts file is generally located within the Windows folder; on Windows NT, 2000, and XP, it's within a subfolder with your Windows drivers. A fresh hosts file should look something like this (and for the record, I don't recommend altering your hosts file):

# Copyright (c) 1998 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP stack for Windows98
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 Localhost

Virus writers know about hosts files
Unfortunately, virus writers know that hosts files can block Internet address requests, especially requests to view antivirus and security vendor Web sites. The recent Mytob virus is one that attacks the hosts file on Windows systems. Virus writers do this by associating the local host address of 127.0.0.1 next to the antivirus company's URL in the hosts file. 127.0.0.1 is a special loopback address for the machine you are currently using, which means that your request to go out onto the Internet to a Web site simply loops right back to your computer. Should you find yourself unable to reach an antivirus software company to obtain the latest antivirus signature file to contain or remove a virus, you might want to check your hosts file. In this one exception to the rule to not change your hosts file, I recommend first using a text editor to save the existing hosts file to something distinct, such as HostsOld, then delete all the blocked antivirus or security vendor associations (or mark them with #'s to comment them out) and save the edited file as hosts (with no extension).

You might be thinking, hey, can I also use my hosts file to block spyware and adware? You can, but I don't recommend it. Not manually. First, the list will be hard for you to maintain. Instead, I recommend downloading a free antispyware app, such as Microsoft Antispyware (beta), Spybot, or Ad-aware. Second, long lists within your hosts file often slow your computer's access to the Internet.

Scam artists also know about hosts files
You might also be thinking, OK, if a hosts file can exclude, it can also redirect, right? Yes, it can. Say you have a favorite site called BrandX.com, and it has an archrival site called BrandY.com. BrandX.com lives at 123.456.00.00 while BrandY.com lives at 122.222.0.0. If someone were to alter your hosts file so that every time you typed BrandX.com on your browser it would return BrandY.com's site instead, you'd be steamed, I'm sure. That alteration in your hosts file would look like this:

122.222.0.0 BrandX.com

If someone were to alter your hosts file so that every time you typed BrandX.com on your browser it would return BrandY.com's site instead, you be steamed, I'm sure.

Unfortunately for you and me, scam artists are lazy. Rather than changing BankOne's DNS registration (which involves some social engineering and work), an identity thief or so-called pharmer could simply alter your hosts file instead. This would be a slow process, and updating individual computers would produce rather little profit. However, if a virus writer fell under the employ of a pharmer (or a spam merchant) and could somehow infect thousands, if not millions, of computers with a compromised hosts file, the rewards would be even greater.

Is this happening right now? Yes and no. In countries such as Brazil, malicious Trojan horses are redirecting users away from local banks and toward criminal sites, but this has yet to happen in the United States. And while a large-scale version of this attack (say, targeting many financial sites at once) hasn't happened, there's little reason to think it won't.

Protection
Any good antivirus product that's kept up-to-date should keep your system safe. Better yet, try a good security suite, and you'll have all of your antivirus, firewall, and antispyware bases covered.

Will pharming and phishing attacks succeed in undermining your confidence in online financial services? Why or why not? Talk back to me.

Security Center
Top antivirus apps
From CNET Reviews
Top antispyware apps
From CNET Reviews
Virus and security alert forums
From CNET Message Boards




4/1/05
IM viruses finally come of age

3/21/05
Criminal hackers reach beyond Windows and Internet Explorer

3/15/05
Who you callin' spyware, spyware?

More commentary


More commentary
Buzz Report
Molly Wood
Taking a bite out of hype.
Security Watch
Robert Vamosi
Don't get burned by viruses and hackers.
Fully Equipped
David Carnoy
The electronics you lust for.
On Call
Kent German
Solutions for your wireless woes.
Driving It
Wayne Cunningham
What's hot and what's not in car tech.

TalkBack
2 messages

Article discussion: Beware of ungracious hosts (hosts files, that is)

Post a comment

Latest post:

"HOAX:Beware of ungracious hosts hosts files"
by cliff carusa (See profile) - May 27, 2005 11:38 AM PDT
While the "hosts" file exists in windows and unix/linux systems its access is controlled by security measures that prevent hackers on unix variant OSes. But, the MS-Windows OE is w... (Read more).
Sort by: Title |
Date
| Most helpful

host files

I just switched from dialup to cable and the last few days it seems that every f... (Read more)
by star_wolf1 (See profile) - April 18, 2005 8:32 AM PDT
Help Center|Newsletters|Corrections|What's New|All Product Reviews|
Search:
Go!

Popular topics: Apple | Antivirus | Cell Phones | Dell | Digital Camera | Firefox 3 | Games | iPhone | iPod | iTunes | Laptops | Norton | PS3 | Verizon | Wii | Xbox 360
CNET.com
About CNET|Today on CNET|Reviews|News|Compare prices|Tips & Tricks|Downloads|CNET TV
Popular on CBS sites: World News | Fantasy Football | Amy Winehouse | Baseball | E3 | Batman | Firefox 3 | iPhone 3G
About CNET Networks | Jobs | Advertise


© 2008 CNET Networks, Inc., a CBS Company. All rights reserved. | Privacy Policy | Terms of Use