forging phonebooks

Hosts file hijacks

In an earlier blog post about DNS hijacks, we briefly touched on the hosts file. The hosts file is like your speed dial directory for the internet. Some systems only have a few numbers stored and others have lots of entries. What if someone was able to change that directory and you end up calling a one dollar per second number when you wanted to call a relative? Basically, that is what we will discuss here.

Where is the hosts file located?

The actual location of the hosts file is stored in the registry under the key, HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParameters, in the value, DataBasePath. By default, this file’s folder location is (and has been since Windows NT/2000) %systemroot%SYSTEM32DRIVERSETC, where %systemroot% is usually the C:Windows directory.

What kind of file is it?

The hosts file does not have an extension, but it can be viewed by opening it with Notepad (or something similar). To replace or alter the hosts file, you will need Administrator privileges, but every user has “Read” permissions.

Before resolving an internet request (to look up the IP that belongs to a domain name), Windows looks in the hosts file to see if there is a predefined entry for that domain name (the speed dial, remember?).

Possible reasons to change the hosts file

These predefined entries in the hosts file can exist for several reasons:

  • Blocking: some people (who are oftentimes unaware that hosts files can be installed by their security programs) use them to block unwanted sites by connecting malicious or otherwise unwanted domains to the IPs 127.0.0.1 or 0.0.0.0 that both point at the requesting system itself, so in effect there will be no outgoing traffic for these requests.
  • Pointing: for example, system administrators use the hosts file to map intranet addresses.

Malware uses it for their own reasons, where the two most common ones are:

  • To block detection by security software: for example, by blocking the traffic to all the download or update servers of the most well-known security vendors.
  • To redirect traffic to servers of their choice: for example, by intercepting traffic to advertisement servers and replacing the advertisements with their own.

Consider for example the Trojan.Qhost variant that blocked access to several security-related domains. Historically, the MyDoom worm was the first to block security-related sites and Windows Update.

Recent examples

One of the more blatant and ruthless methods to abuse someone else’s hard work is done by an adware that steals the hosts file that arguably is used most for ad blocking purposes and change it to redirect all the traffic to their own server.

The hosts file in question is the MVPS hosts file, and it is altered by an adware calling itself “Pakistani Girls Mobile Data”. In this screenshot, you can see the original on the left and the altered copy on the right:

hostscompare

The malware authors didn’t even bother to remove the header. They did replace the IP 0.0.0.0 with their own 188[DOT]138[DOT]17[DOT]135 and left it at that.  Please note that the system on which this changed hosts file was installed by the malware does not have the MVPS hosts file before the infection. It is equipped with the default Windows hosts file. So, the malware did not alter a hosts file that existed on the system, but planted a hosts file that they downloaded and altered first.

Another that caught my attention is one that we have discussed before for another reason. At that point, I dubbed it Dotdo audio. This browser hijacker uses a lot of tricks and one of them are semi-randomized file-and-folder names. And, in what is most likely an attempt to stop people from checking their file in an online virus scan, they have decided to reroute the traffic to Virustotal.com.

dotdohosts

Special mention

One hosts hijack deserves some extra attention, simply because of the complexity of the method that is used. Some variants of
hosts

Summary

The hosts file is the internet variant of a personal phonebook. We discussed a few malware variants that replace or change that phonebook, so you end up calling the wrong sites. The ones they want you to call.

File details

Pakistani-Girls-Mobile-Data.exe SHA256: 1058e4f356af5e2673bf44d2310f1901d305ae01d08aa530bc56c4dc2aecb04c

Malwarebytes Anti-Malware detects this file as Trojan.HostsHijack.

detection

As always, stay safe out there and make sure you are protected.

Pieter Arntz

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.