In an earlier blog post about DNS hijacks, we briefly touched on the hosts file. The hosts file is like your speed dial directory for the internet. Some systems only have a few numbers stored and others have lots of entries. What if someone was able to change that directory and you end up calling a one dollar per second number when you wanted to call a relative? Basically, that is what we will discuss here.
Where is the hosts file located?The actual location of the hosts file is stored in the registry under the key, HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParameters, in the value, DataBasePath. By default, this file’s folder location is (and has been since Windows NT/2000) %systemroot%SYSTEM32DRIVERSETC, where %systemroot% is usually the C:Windows directory.
What kind of file is it?The hosts file does not have an extension, but it can be viewed by opening it with Notepad (or something similar). To replace or alter the hosts file, you will need Administrator privileges, but every user has “Read” permissions.
Before resolving an internet request (to look up the IP that belongs to a domain name), Windows looks in the hosts file to see if there is a predefined entry for that domain name (the speed dial, remember?).
Possible reasons to change the hosts fileThese predefined entries in the hosts file can exist for several reasons:
Malware uses it for their own reasons, where the two most common ones are:
Consider for example the Trojan.Qhost variant that blocked access to several security-related domains. Historically, the MyDoom worm was the first to block security-related sites and Windows Update.
Recent examplesOne of the more blatant and ruthless methods to abuse someone else’s hard work is done by an adware that steals the hosts file that arguably is used most for ad blocking purposes and change it to redirect all the traffic to their own server.
The hosts file in question is the MVPS hosts file, and it is altered by an adware calling itself “Pakistani Girls Mobile Data”. In this screenshot, you can see the original on the left and the altered copy on the right:
The malware authors didn’t even bother to remove the header. They did replace the IP 0.0.0.0 with their own 188[DOT]138[DOT]17[DOT]135 and left it at that. Please note that the system on which this changed hosts file was installed by the malware does not have the MVPS hosts file before the infection. It is equipped with the default Windows hosts file. So, the malware did not alter a hosts file that existed on the system, but planted a hosts file that they downloaded and altered first.
Another that caught my attention is one that we have discussed before for another reason. At that point, I dubbed it Dotdo audio. This browser hijacker uses a lot of tricks and one of them are semi-randomized file-and-folder names. And, in what is most likely an attempt to stop people from checking their file in an online virus scan, they have decided to reroute the traffic to Virustotal.com.
Special mention One hosts hijack deserves some extra attention, simply because of the complexity of the method that is used. Some variants of Summary The hosts file is the internet variant of a personal phonebook. We discussed a few malware variants that replace or change that phonebook, so you end up calling the wrong sites. The ones they want you to call.File details
Pakistani-Girls-Mobile-Data.exe SHA256: 1058e4f356af5e2673bf44d2310f1901d305ae01d08aa530bc56c4dc2aecb04c
Malwarebytes Anti-Malware detects this file as Trojan.HostsHijack.
As always, stay safe out there and make sure you are protected.
Pieter Arntz
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.3