Dealing with Hosts File Poisoning

A common spy ware and pop-up tactic these days is hosts file poisoning.  Hosts file poisoning involves injecting new entries for Internet sites into a computer’s hosts file, so that web site requests are either rerouted to another site or simply return a “Page Not Found” error.

I first encountered this little trick when getting rid of some spyware and adware on a friend’s computer.  I tried to go to a popular anti-virus site to download the latest anti-virus definitions, and was constantly routed to another site filled with the typical pop-up ads for a variety of products.  I then did the typical things you’d do to help fix the problem, like dumping the Internet cache, cookies, and history, making sure my DNS was properly configured and working, and checking the browser’s settings.  When that didn’t work, I started looking a little bit deeper.  After a couple of minutes, I realized the problem was a bit simpler than some new form of malware.  It was an issue with the computer’s own hosts file.  For those of you who may not have messed around with the hosts file before, here’s a little background:

In the good old days before DNS was commonly used for host name resolution, computers used host files, which are simple text files, to resolve host names to IP addresses when accessing other computers or Internet sites.  These static text files contained mappings of Internet IP addresses to the destination computer’s host name or web site. When users requested access to those computers by host name, the host file was checked, and if an entry for that computer or site was found, it was resolved to an IP address, just as DNS does today.

As a holdover from those days, Windows computers still have and check the hosts file during the name resolution process. By default, the computer checks the hosts file first, before attempting to resolve the name through DNS.  If it finds an entry for the name, it uses that entry and does not try DNS.  On most computers there are no entries in the hosts file, except for the local loopback address, so name resolution proceeds normally through DNS.

A favorite tactic by those folks who send you tons of pop-ups and other annoying forms of malware is to put entries into the file, so that your computer will resolve certain names with it instead of going on to DNS.  On the computer I mentioned above, I found no less than about 100 entries in this file.  In addition to entries rerouting just about every common page you could think of, like web-based email and news sites, to other sites, the entries also rerouted popular anti-virus sites back to the computer’s own loopback address.  This would result in any attempt to get to those sites being redirected back to the computer itself and getting a “Page Not Found” error.  This meant that my friend would never be able to get updates to his anti-virus software.

The quick solution is to simply get rid of those entries and reboot, so the computer will re-read the file, but that doesn’t permanently fix the problem, of course.  It could get poisoned over and over.  So there are a few other steps you can take to make sure that this tactic can’t be used against you again.

If you don’t really have a need for the file, you could rename it to something else so it wouldn’t be read as the hosts file.  I experimented with this on a Windows XP SP2 box, and it didn’t seem to affect my name resolution.

On computers running Windows NT, 2000, XP, and 2003, this file is located in the %systemroot%\system32\drivers\etc folder. Just rename it; I wouldn’t recommend deleting it entirely, since one day you may actually have a need for it.  Then set the folder containing it to “read only” for the folder and all subfolders and files.

On the other hand, if you think you do have a need for it, at least mark the file as “read only” and change the permissions on it.  This at least may keep it from being altered by anyone except you, if you so desire.

In any case, when trying to get rid of spyware, adware, and those pesky pop-ups, I’d add checking the hosts file to my troubleshooting list, and you’ll have one more way of fighting malware!