The mysterious Hosts file
Wednesday, March 15, 2023
In today's issue of the Anti-virus Times, we will analyse a matter that is far from new but still relevant. A short survey conducted among our users confirmed that a very common threat detected by the Dr.Web anti-virus is an infected Hosts file. Many of our readers probably know or have at least heard about this file, which is stored in Windows system directories. And some even know what dangers this quite legitimate file holds and why it is a tempting morsel for attackers. But very often users are unaware of either of those facts. And if an anti-virus suddenly reports a detected threat, for example DFH.HOSTS.corrupted or Trojan.Hosts (different anti-virus vendors use different names, but the essence is the same) — it is better to know and understand what we are dealing with.
The Hosts file is present not only in Windows, but also in other operating systems, and performs the same functions everywhere. Years ago, at the dawn of the computer network era, its contents ensured that a network operated correctly. However, in modern operating systems, users rarely interact with this file directly. The file itself and its functionality still exist, but its use has long been optional. As a result, the Hosts file often simply sits in the OS unchanged from the day the system is installed until the day it is removed.
However, this is not always the case. The Hosts file can be used by malware and cybercriminals to mount efficient network attacks. In our issues, we have already mentioned such concepts as a faked DNS and a man-in-the-middle attack, and we have talked about infections of home routers. In fact, these are different ways to achieve the same goal: to direct the user to a false address where attackers will be waiting for them. But there is another way to do almost all the same things, with the help of a malicious modification of the Hosts file.
To make this AVT issue more interesting, we will briefly tell you how this file works and why it is needed. In computer networks that operate via the TCP/IP protocol, IP addresses are used as addresses for sending blocks of information (packets). Each host in the network, whether a server or a client, has its assigned IP address. For example, drweb.com is available at 178.248.232.183. Now imagine that you need to remember and type this address to visit the site. Not very convenient, is it? Especially when you consider the number of sites we visit every day. Therefore, the domain name system (DNS) was invented to map names that are convenient for a person to use to the network addresses that a computer understands. DNS allows a computer to obtain an IP address from a domain name and determine which host to send a network query to. In other words, domain names correspond to IP addresses.
Before DNS appeared, the Hosts file was the only database that contained information for translating host names to network addresses and vice versa. Now this task is performed by DNS servers and the corresponding service running on a local computer. For example, when you type the usual name of a site in your browser's address bar and press Enter, the browser does not know which node you need to send your request to. To get the address, the browser queries a special service, the DNS client that runs on your computer. This is where it starts getting interesting.
To get a network address, the service searches for sources in the following order:
- The Hosts file.
- Its own cache.
- The DNS server whose address is specified in the settings of the network adapter.
As we can see, the Hosts file is designed to map domain names to IP addresses. But what is more important is that the file comes first in the list; that is, it has priority over the service’s cache and access to the DNS servers. If the Hosts file does not have a matching record, everything works without it — the DNS service will get the IP address from other sources. That is why many users are unaware of the existence of such a file. It’s another matter if it does contain records.
Because it has the highest priority, unauthorised modification of the Hosts file poses a serious threat. After all, a record made in the file will force any program, including the browser, to send requests to the specified network address, which can be a server controlled by attackers. For example, to conduct a phishing attack, cybercriminals can add a record that maps the legitimate name of a site to the IP address of their phishing site. Trojans can modify the Hosts file in the same way. In addition to the phishing danger, such modifications are a significant help to attackers conducting man-in-the-middle attacks. As we have already said, the main thing is to guide the user along the wrong path, and many other attack scenarios can be built on that.
With the help of Hosts, one can also block access to any site or network node. To do this, the domain name in question is mapped to the so-called localhost, the local address of the computer: 127.*.*.* (usually 127.0.0.1). In this case, when trying to connect to the specified node via the domain name, the computer refers to itself. Using this method, illegal activators block programs from accessing activation servers.
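An added example, not part of the original article and not Dr.Web's detection logic: a small Python audit of hosts-file text that separates the two kinds of record described above, redirects to another host and "blocking records" that point a name at the local machine. The sample file, the LOCAL_NAMES list and the treatment of 0.0.0.0 as a blocking address are assumptions of this example.

```python
import ipaddress

# Assumption: names a clean hosts file may legitimately map to the loopback address.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()      # drop comments, split on whitespace
        if len(fields) < 2:
            continue                               # blank, comment-only or incomplete line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            yield line_no, None, " ".join(fields)  # malformed address: report the line
            continue
        for name in fields[1:]:                    # one address may carry several names
            yield line_no, ip, name.lower().rstrip(".")

def classify(ip, name):
    """Label one record: default, blocking, redirect or malformed."""
    if ip is None:
        return "malformed"
    # 127.0.0.0/8 and ::1 are loopback; 0.0.0.0 and :: are treated the same (assumption).
    if ip.is_loopback or ip.is_unspecified:
        return "default" if name in LOCAL_NAMES else "blocking"
    return "redirect"                              # name pinned to another host: review it

def audit(text):
    """Return (line_no, ip, name, label) for every record that is not a stock entry."""
    return [(n, str(ip) if ip else None, name, classify(ip, name))
            for n, ip, name in parse_hosts(text)
            if classify(ip, name) != "default"]

# Constructed sample: reserved .example names and a documentation-range address.
SAMPLE = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
203.0.113.10    bank.example www.bank.example   # inline comment
127.0.0.1       activation.vendor.example
0.0.0.0         update.av.example
not-an-ip       shop.example
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A "redirect" finding is a prompt for review rather than a verdict, since administrators also add such records on purpose. To check a real machine, pass the contents of its hosts file (on Windows, %SystemRoot%\System32\drivers\etc\hosts) to audit().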
Of course, the Hosts file still has an application value. It can be used to configure the extension of Internet names within a local computer network. This configuration is usually done by network administrators, and the story about this is beyond the scope of this article.
So, we found out that modifying the Hosts file can harm security. How does the anti-virus protect the user from this threat? Let's consider the protection mechanisms used in Dr.Web Security Space with regard to Windows. To protect Hosts, the anti-virus controls access to it at the preventive protection level; in addition, Dr.Web Scanner detects any changes and cures the file. These levels of protection work independently of each other. By default, preventive protection blocks access to the Hosts file, protecting it from changes, including modification by the user. If the file was modified before the anti-virus was installed or while it was shut down, Dr.Web Scanner detects the infected Hosts and cures it. It is important to note that so-called "blocking records" (those that block access to a particular site or network node on the Internet by sending requests to localhost) are subject to curing.
The high level of control that preventive protection provides virtually eliminates the file’s ability to be modified even by an unknown trojan. However, if a user excludes the file from preventive protection scanning or adds an application capable of modifying the file to the list of trusted ones, Dr.Web Scanner will still analyse and cure the blocking records in the file. This approach is implemented for comprehensive file protection and user security. As noted above, the independent modification of the Hosts file by an ordinary user is an extremely rare phenomenon. But making attempts to change the file illegally is a much more common practice. That is why priority is given to reliable protection, rather than freedom of action with the mysterious Hosts.
The Anti-virus Times recommends
- Hosts is an invisible but rather important file; so, if you are not sure of your actions, you should not take it upon yourself to make records in it, including when following instructions found on the Internet.
- Use comprehensive anti-virus software to protect your file from unauthorised access. Dr.Web Security Space for Windows reliably protects all system components from malware and network attacks.
- If the anti-virus detects a threat related to the Hosts file, it means that one of the programs attempted to modify the file. Cure the file with the anti-virus, and the file will be returned to its original state.
- If you need to make changes to Hosts with Dr.Web installed, follow these instructions to add the file to the exclusions. At the same time, it is strongly recommended that you do not leave the file without a proper level of protection.