Can we believe our eyes? Another Hosts story

Prorootect

Level 69
Thread author
Verified
Nov 5, 2011
5,855
Can we believe our eyes? Another Hosts story topic here ..

Can we believe our eyes? Another story… : on blogs.technet.com : http://blogs.technet.com/b/mmpc/archive/2012/02/23/can-we-believe-our-eyes-another-story.aspx

QUOTE:
'In Windows, the “hosts” file (located in “%SystemRoot%\System32\drivers\etc” directory by default) is often used by malware authors when hijacking websites. The local Hosts file overrides the DNS resolution of a website URL to a particular IP address. Malware authors make changes to affected users’ Hosts files to redirect specified URLs to different IP addresses of the author’s choice. In August last year, I blogged about malware authors using Unicode characters in the hosts file filename, in order to trick users and hide the real hosts file. However, it seems that malware writers never stop doing their malicious work. This time, they’re using another trick to mislead people.

Several days ago, one of my friends wanted to buy something from Taobao, which is one of the most popular online trading platforms in China ..'
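Two checks that follow from the mechanism the quoted post describes, written here as an added example (this is not code from the original post or from the Microsoft blog): the first parses a hosts file and lists every hostname that is sent somewhere other than loopback or the null route, which on a stock Windows hosts file yields nothing; the second scans a directory listing for names that look like "hosts" but differ by confusable, invisible or trailing characters, the filename trick the post mentions. The sample hosts content, the directory listing and the small confusables table are constructed for the demo; Python is used rather than PowerShell so the logic runs offline on pasted content.

```python
import ipaddress
import unicodedata

# Constructed sample of a tampered Windows hosts file (made up for this demo).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net            # blocklist-style entry, harmless
198.51.100.23   taobao.com www.taobao.com  # attacker-chosen address
"""

# Constructed listing of %SystemRoot%\System32\drivers\etc with two decoys
# added: a Cyrillic o in place of the Latin o, and a trailing zero-width space.
SAMPLE_LISTING = ["hosts", "lmhosts.sam", "networks", "protocol", "services",
                  "h\u043ests", "hosts\u200b"]

# Targets that block or loop back a name rather than redirecting it.
NULL_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

# Partial confusables table for the demo (Cyrillic letters that render like
# Latin h, o, s, t). A production check would load Unicode's confusables.txt.
CONFUSABLES = {"\u04bb": "h", "\u043e": "o", "\u0455": "s", "\u0442": "t"}


def parse_hosts(text):
    """Return (lineno, ip, hostname) for every mapping in a hosts file.

    Comments (# ...) are stripped, blank and malformed lines are skipped,
    and a line that lists several names yields one tuple per name.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not an IP address: ignore the line
        for name in fields[1:]:
            entries.append((lineno, str(ip), name.lower()))
    return entries


def find_redirects(text):
    """Entries that send a hostname somewhere other than a null target.

    Every stock Windows entry points at loopback, so anything returned
    here is either a deliberate local override or a hijack.
    """
    return [e for e in parse_hosts(text) if e[1] not in NULL_TARGETS]


def skeleton(name):
    """Reduce a filename to what a user sees in Explorer: fold case and
    width, drop combining and invisible format characters, map confusable
    letters to Latin, and strip trailing spaces and dots."""
    folded = unicodedata.normalize("NFKD", name).casefold()
    out = []
    for ch in folded:
        if unicodedata.combining(ch) or unicodedata.category(ch) == "Cf":
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out).rstrip(" .")


def lookalike_filenames(filenames, target="hosts"):
    """Names in a directory listing that look like `target` but are not it."""
    return [n for n in filenames if n != target and skeleton(n) == target]


if __name__ == "__main__":
    for lineno, ip, name in find_redirects(SAMPLE_HOSTS):
        print(f"hosts line {lineno}: {name} -> {ip}")
    for name in lookalike_filenames(SAMPLE_LISTING):
        print("decoy filename:", ascii(name))
```

On a live machine, feed `find_redirects` the contents of `%SystemRoot%\System32\drivers\etc\hosts` (read it with `errors="replace"`, since a tampered file may not be clean text) and `lookalike_filenames` the result of `os.listdir` on that directory. Both checks only cover name-level redirection through the hosts file; a changed DNS server or browser proxy setting would redirect traffic just as well and would not show up here.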
 

malbky

Level 1
Jun 23, 2011
1,011
WOW, a small loophole exploited. Classic cybercrime. I think that person surfs illegal websites, probably. He may have contracted the infection from somewhere. Thanks Prorootect for the share, as I gained some new knowledge. I would recommend all tech-savvy and non-tech-savvy users to read it. It once more shows the importance of a HIPS.
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
These days most modern tools can fix any hijacked hosts file; in that case it's really necessary to be vigilant, because anything can be compromised, and be glad if your real-time protection detects any changes.
 

Gnosis

Level 5
Apr 26, 2011
2,779
Is Hosts really a concern unless you have been infected and are getting redirected as a result? To me, it seems useless to sweat the hosts file. Am I missing something here? My point is: isn't everything OK as long as you are not infected, thus not getting redirected? It is obvious to me if I am getting redirected while browsing. The gist is, IMHO, that hosts file maintenance seems to be for extremely inexperienced users that don't have sense enough to know that they are being redirected, or for users that have had some malware manipulate the hosts file, which is the same result as the former.
 

malbky

Level 1
Jun 23, 2011
1,011
Yes, that's exactly my point. That person has contracted malware from somewhere, and if he had a good AV, or any AV at all, this exploit would have been detected. But I know a few who still can't make out whether they are being redirected or not, as they do not pay attention to details. I once had a trojan, I don't know where it came from, which started redirecting me to a Facebook page. But a close look showed the "facebook" missed an o. It was "facebok". So this is yet another incident where ignorance was exploited, and it also brings another point to the forefront: that such attacks are becoming common. As far as I know, most AVs' behavioral blockers will detect changes to hosts files.

So yes, no need to sweat it out, but it amused me to read the article.
 

Gnosis

Level 5
Apr 26, 2011
2,779
Cool. Thanks for clarifying things for me. I had to make sure I was not missing some crucial aspect with regards to our topic. I am accustomed to being astute, even when I am just playing around on the internet, though I definitely realize and understand one's reasoning for relaxing and enjoying themselves to where they might miss that "missing letter" or redirect.
 

MrXidus

Super Moderator (Leave of absence)
Apr 17, 2011
2,503
It's not just the Hosts file one should be concerned about. I recall the change of DNS within Adapter settings, and let's not forget the Proxy connection changing within IE settings.

If I'm cleaning an infected machine that is getting re-directs, I check the Hosts, DNS and Proxy settings.

If none are causing it I will assume it's a rootkit / move onto Kaspersky Rescue CD.
 

Gnosis

Level 5
Apr 26, 2011
2,779
I have heard from a reliable source that the most effective way to deal with the latest "ZERO ACCESS" rootkit is to scan with KBRD and then go directly to Safe Mode and scan with ComboFix. Then clean up with MBAM, HitMan Pro, etc.
 

malbky

Level 1
Jun 23, 2011
1,011
Thanks ZOU1. Usually for rootkits I use GMER in Safe Mode. I heard that Avast incorporates GMER technology in their anti-rootkit. I read this on their web page, can't find where. Once I find it I will post a link.
DNS and proxy redirection are both tough to do, and usually your AV may catch it. But once done, it's difficult to know what has been done. First and foremost, once you suspect an infection, stop doing online transactions or logging into Gmail or FB. It's as good as opening your vault and giving the keys to the bad guys.
 
