Hosts File vanished again !

Discussion in 'Virus Information' started by RJK, Apr 29, 2009.

  1. RJK

    RJK Guest

    Earlier I Googled "Samsung 2053bw" and flitted through some web sites,
    spending a couple of minutes reading reviews on several of them,
    ....then quit IE7 and went into the house for a coffee, and came back out
    here to my little office to find a small IE7 pop-out window displaying a
    roulette wheel from www.888.com

    So I shot straight off to my etc directory to find that my regularly
    updated hosts file from
    http://www.mvps.org/winhelp2002/hosts.htm had vanished, rather/or, had been
    renamed to hosts.bak ! ...and that's happened a couple of times during the
    past few months !

    So, annoyingly, I can't pin down which web site took that particular liberty !

    I've just installed Spybot S&D, which has just given me its clean bill of
    health, and will now "Immunize" in order to lock my hosts file into
    place.

    Any tips on preventing external forces from tampering with my hosts file
    would be appreciated,
    atm ...I use AVG 8 Internet Security Suite fully updated, Windows Defender,
    ....XP Home ed. SP3+ btw

    Currently IE Internet Security Zone is set to "Medium," ...nightmare trying
    to leave it set on High, i.e. unable to download occasional necessary/safe
    files, even from sites that have been added into the Trusted Sites zone -
    one has to drop Internet security Zone to Medium in order to download
    anything at all !

    TIA,

    regards, Richard
     
    RJK, Apr 29, 2009
    #1

  2. http://techblissonline.com/make-hosts-file-in-windows-read-only/
     
    FromTheRafters, Apr 29, 2009
    #2

  3. RJK

    ~BD~ Guest

    That sounds like an excellent idea - I have *never* seen this
    recommended before!

    Does it work?
     
    ~BD~, Apr 29, 2009
    #3
  4. RJK

    1PW Guest

    IIRC, the Immunize process within Spybot-S&D is competitive with the
    HOSTS file installation from the mvps.org site. Although there's a lot
    of overlap in the two versions, they aren't the same. I believe a merge
    utility exists, but that will add some complexity.
    Hello Richard:

    Although the process that deleted your HOSTS file may have been through
    your IE browser, a better & supplemental browser like Firefox might
    later become your browser of choice. If your IE isn't already at IE7, I
    would upgrade at your earliest convenience. I believe you should also
    consider another possible attack vector for your HOSTS deletion.

    Along with FTR's fine advice, you may wish to employ one or more free
    /additional/ antimalware scans besides the fine Spybot-S&D:

    MBAM: <http://www.malwarebytes.org/mbam-download.php>
    SAS: <http://www.superantispyware.com/>

    Please update this thread with your progress.

    Regards,

    Pete
     
    1PW, Apr 29, 2009
    #4
  5. Thank you Dave.
    -=-


    Ǝиçεl
    -=-

     
    Ǝиçεl, Apr 29, 2009
    #5
  6. Some other programs might lose their functionality if they require write
    access to the hosts file. If you use some 'safer browsing' software that
    keeps your hosts file up-to-date with the latest nefarious domain names,
    it might not be able to update the file.

    I may be alone in this, but I don't use the hosts file at all (except
    possibly to define "localhost" as 127.0.0.1).
     
    FromTheRafters, Apr 29, 2009
    #6
  7. Which, unfortunately, doesn't solve the real problem. Something is
    abusing the functionality that the hosts file provides. Someone can't
    live with more secure browser settings - trading one nightmare for
    another.
    This might indeed do it, thanks for pointing them out.
     
    FromTheRafters, Apr 29, 2009
    #7
  8. RJK

    d935 Guest

    ....thanks, but, for years, as a matter of routine, after dropping a
    new hosts file into etc, I always turn on the read only file
    attribute - i.e. right-click filename and tick the read only box, so
    whatever renamed it to hosts.bak has obviously overridden that read
    only file attribute ...somehow.
    ....as an afterthought, I'm not sure what AVG Internet Security Suite
    does, or does not do, to the hosts file !

    regards, Richard
     
    d935, Apr 29, 2009
    #8
  9. RJK

    d935 Guest

    Hello BD

    ....I'm wondering if there is a routine in AVG which tinkers with, and
    tries to protect, the hosts file in some way ? ...I don't think there
    is !
    If there is, then it isn't doing a very good job, because www.888.com
    is listed in the mvps hosts file. That a pop-out window from www.888.com
    appeared on my desktop is simply an indication that my hosts file has
    been disabled/altered/renamed etc. ...which was the case.

    Annoyingly, if I leave IE7's Internet security Zone set to High,
    scriptlets on web pages such as ebuyer.com will not work.

    regards, Richard
     
    d935, Apr 29, 2009
    #9
  10. RJK

    Geoff Guest

    It's an old remedy but it doesn't work very well in 99% of systems.
    Not if you are administrator on the computer. It will slow a malicious
    program down for about 0.5 milliseconds.

    Try these lines from a command prompt window:

    cd %systemroot%\system32\drivers\etc
    C:\WINDOWS\system32\drivers\etc> attrib
    C:\WINDOWS\system32\drivers\etc> attrib hosts +r
    C:\WINDOWS\system32\drivers\etc> attrib
    C:\WINDOWS\system32\drivers\etc> attrib hosts -r
    C:\WINDOWS\system32\drivers\etc> attrib

    Note: your system root might not be WINDOWS.

    Notice the state of the file attributes after each attrib command. If
    the state changes then you have essentially no protection benefit from
    making the hosts file read-only. A malicious program could execute the
    same functions by interfacing with the file system.

    Browsing from administrator-rank accounts is dangerous.

    If you want real protection you must set the read-only attribute from
    an admin account and then do all your work from a non-admin account to
    prevent these kinds of vulnerabilities. This way your non-admin
    account can't alter files it doesn't own or isn't supposed to touch.

    Many "protection" programs modify the hosts file to block known
    malicious domains and then lock it down with read-only (like
    SpyBotS&D's immunize); they also have to behave as above and make it
    writeable to update it. If they can do it, so can the bad guys. The
    problem with this blocking technique is that it is retroactive rather
    than proactive: a bad site has to be identified there before it can be
    blocked, and you will always be playing catch-up and doing updates.
     
    Geoff, Apr 29, 2009
    #10
  11. RJK

    ~BD~ Guest

    You're *not* alone, FTR - I don't use it either! ;)
     
    ~BD~, Apr 29, 2009
    #11
  12. RJK

    ~BD~ Guest

    Thanks for your comments, Geoff

    I'll try to remember what you have said next time I'm using Windows!
     
    ~BD~, Apr 29, 2009
    #12
  13. RJK

    Geoff Guest

    It's already read-only for non-root users in Mac systems (rw-r--r--).
    When you are non-root you can't write to it.

    Under Linux or OS X, in a telnet or Terminal session use:

    cd /etc
    cat hosts

    to see the contents of the hosts file. User accounts cannot modify the
    attributes. (And they wouldn't be able to do it in Windows either if
    MS had started out correctly securing the system to begin with.)

    Use of hosts is largely obsolete now. DNS is widespread and one
    seldom needs a local name lookup. If you wanted to, you could edit it
    for a small LAN to refer to hosts by name without a local DNS server
    (assuming all the IPs are static).

    The hosts file was a hack when TCP/IP was new and there were no DNS
    servers. The early machines kept track of each other's names through
    it and updates were often distributed in emails to all the hosts on
    the system. Of course, this was when there were only a few dozens of
    hosts on the network. :) Once DNS was operational the hosts files
    became redundant but it's still part of the name lookup process, which
    is why it can override names and protect you when properly used.

    With the advent of x86 based Macs, it's time for some basic
    protections, it won't be long until there are enough of them with
    enough vulnerabilities to be worth the attention of bad guys and
    research for exploits in Safari and other browsers will begin in
    earnest.
     
    Geoff, Apr 29, 2009
    #13
  14. RJK

    John Doe Guest

    try hoster.exe; it locks the file . . .
     
    John Doe, Apr 29, 2009
    #14
  15. Use my Remove-it software, it will modify and protect your hosts file from
    changes by making it read only. Choose yes for all options when prompted.
    Download it here http://www.ms-mvp.com



    --
    The Real Truth http://pcbutts1-therealtruth.blogspot.com/
    *WARNING* Do NOT follow any advice given by the people listed below.
    They do NOT have the expertise or knowledge to fix your issue. Do not waste
    your time.
    David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.
     
    The Real Truth [MS MVP], Apr 29, 2009
    #15
    ....thanks, but, for years, as a matter of routine, after dropping a
    new hosts file into etc, I always turn on the read only file
    attribute - i.e. right-click filename and tick the read only box, so
    whatever renamed it to hosts.bak has obviously overridden that read
    only file attribute ...somehow.

    ***
    That's the problem with executing malware - it can do or undo whatever
    you can. Limit yourself and you can limit the malware's scope in most
    cases.
    ***
    [...]
     
    FromTheRafters, Apr 30, 2009
    #16
  17. RJK

    Leythos Guest

    And you won't be able to access many reputable anti-malware sites after
    you run his pirated and hacked code. Butts himself has stated that he
    blocks access to known reputable sites with his tools.
     
    Leythos, Apr 30, 2009
    #17
  18. From: "Leythos" <>



    | And you won't be able to access many reputable anti-malware sites after
    | you run his pirated and hacked code. Butts himself has stated that he
    | blocks access to known reputable sites with his tools.

    Richard is too smart to touch anything from Butts, as well as the fact that changing the
    attribute of the file to Read-Only is worthless.
     
    David H. Lipman, Apr 30, 2009
    #18
  19. My solution is better than yours. Oh that's right you did not have a
    solution. Why did you register my email address for Spam?
    http://pcbutts1-therealtruth.blogspot.com/



    --
    The Real Truth http://pcbutts1-therealtruth.blogspot.com/
    *WARNING* Do NOT follow any advice given by the people listed below.
    They do NOT have the expertise or knowledge to fix your issue. Do not waste
    your time.
    David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.
     
    The Real Truth [MS MVP], Apr 30, 2009
    #19
  20. RJK

    BoaterDave Guest

    I'm at the edge of my comfort zone here, Geoff!

    How can one deduce whether one is a root or non-root user on a Mac system?

    What does this mean please? - (rw-r--r--).

    When I was posting on the User2User newsgroup at Annexcafe.com I was
    'informed' by the Moderator there - Roy C - that he used only a Hosts file
    for his total protection and that nothing else was necessary. I'm afraid that
    I didn't believe him! ;)
     
    BoaterDave, Apr 30, 2009
    #20
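    An added example, written for this thread and not code from any of the
    posters: a small Python checker that does what Richard did by hand in
    posts #9 and #10 (confirm that www.888.com is actually sinkholed by the
    hosts file, and notice when the file has been renamed to hosts.bak or
    edited) and that prints the rw-r--r-- mode string BoaterDave asks about
    in post #20. The sample hosts text and the directory it audits are
    constructed; the etc_dir parameter is where your platform keeps the file
    (C:\WINDOWS\system32\drivers\etc or /etc). Read-only attributes and
    DACLs are not checked; as Geoff notes, an admin process can undo them.

```python
import hashlib
import os
import stat

# Addresses blocklists use to sinkhole a name (0.0.0.0 or the loopback).
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed sample in the mvps.org layout; not the real list.
SAMPLE_HOSTS = """127.0.0.1 localhost
0.0.0.0 www.888.com 888.com   # the roulette domain from the thread
0.0.0.0 ad.doubleclick.net
# a later duplicate is ignored: the resolver takes the first match
127.0.0.1 www.888.com
"""

def parse_hosts(text):
    """Map lowercase hostname -> IP; the first entry for a name wins."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and padding
        parts = line.split()
        if len(parts) < 2:
            continue                          # blank, comment-only or malformed
        for name in parts[1:]:
            table.setdefault(name.lower(), parts[0])
    return table

def is_sinkholed(table, hostname):
    """True if the hosts file pins hostname to a loopback/unroutable address."""
    return table.get(hostname.lower()) in SINKHOLE_IPS

def mode_string(path):
    """The rw-r--r-- style string shown by ls -l (owner, group, others)."""
    return stat.filemode(os.stat(path).st_mode)[1:]

def audit_hosts(etc_dir, expected_sha256):
    """Return findings: missing, renamed to hosts.bak, edited, or writable."""
    findings = []
    hosts = os.path.join(etc_dir, "hosts")
    if not os.path.exists(hosts):
        findings.append("hosts file missing")
        if os.path.exists(os.path.join(etc_dir, "hosts.bak")):
            findings.append("hosts.bak present: the file was renamed, not deleted")
        return findings
    with open(hosts, "rb") as f:
        if hashlib.sha256(f.read()).hexdigest() != expected_sha256:
            findings.append("hosts content differs from the known-good hash")
    if os.access(hosts, os.W_OK):
        findings.append("hosts is writable by the current user")
    return findings
```

    Record the hash right after installing a fresh mvps.org list and run the
    audit from the non-admin account you browse with, so a writable or
    altered file is reported for the account that actually runs the browser.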