A HACKER CAN HIJACK YOUR BROWSER'S ADDRESS BAR

Beginners' Kaffee Klatch
Presented by Bill Wilkinson
May 9, 2009

The authors of viruses, worms, and Trojan Horses are always looking for creative ways to subvert the security and privacy of your system. One such innovation is a worm that can take over the address bar of your browser. This exploit makes it appear that you are visiting one site, such as your online bank, whereas you are actually visiting a bogus site that just happens to look exactly like your online bank's site.

When you type in the Web address (Uniform Resource Locator) for your financial institution, e.g. Citibank or Wells Fargo, your credit card company, or perhaps a site like eBay or Amazon, your request is hijacked and you are taken to a cracker's site that looks exactly like the home page of the site you intended to visit.

This kind of Internet worm hijacks the Hosts file (see box below), a Windows file used to look up the address of a requested remote computer on the Internet as an alternative to asking a domain name server (DNS). Unfortunately, it is this file that crackers are subverting in order to redirect a specific site that you may type into your Internet browser.

The Hosts file is like an address book. When you type an address like www.citibank.com into your browser, your Hosts file is consulted to see if you have the IP (Internet Protocol) address, or "phone number," for that site stored there. If you do, then your computer will "call it" and the site will open. If not, your computer will ask your ISP's (Internet service provider's) computer for the phone number before it can "call" that site. Most of the time, you do not have addresses in your Hosts file because you have not intentionally put any there. Therefore, most of the time your computer asks your ISP for the IP address in order to find sites.

Here's how it works: A worm places the bogus Website in your HOSTS file.
This file is always checked first by Windows when you attempt to go to the Internet. If your requested Website's domain is listed there, Internet Explorer will not go to the authentic site, but rather will be diverted to the bogus site. For example, Citibank.com has an authentic address of 192.193.214.1. The bogus address placed there by the worm may be any other series of four sets of numbers (for example: 255.255.255.255) established as a temporary address by and for the intruder, to be abandoned once he gets enough hijacked information from you and his other victims.

How can you stop this from happening?

Solution #1: Place the HOSTS file as a shortcut on your desktop and access it periodically to make sure that it has not been hijacked.

Access your HOSTS file, which is located at C:\Windows\System32\Drivers\Etc.

1. Open Windows Explorer (Windows key + E).
2. Left-click on the + sign to the left of the Hard Drive icon (usually C:).
3. Left-click on the + sign to the left of the Windows folder.
4. Left-click on the + sign to the left of the System32 folder.
5. Left-click on the + sign to the left of the Drivers folder.
6. Left-click on the Etc folder. This action will open the folder and reveal the HOSTS file.
7. Double-click on the HOSTS file.
8. A Windows dialogue box will appear, stating that "Windows cannot open this file."
9. Choose "Select the program from a list", then click OK.
10. From the program list that follows, select Notepad and then click OK.
11. Delete everything except the statement: 127.0.0.1 localhost.
12. Save the file back to its original location (Ctrl + S).
13. Close Notepad.
14. Now right-click on the HOSTS file, move down to Send to, then left-click on Desktop (create shortcut).
15. When you return to your desktop, you will find a shortcut file to HOSTS that you can open periodically (in Notepad) to check for any intrusions.
16. The only statement that you need to have in your HOSTS file is: 127.0.0.1 localhost. If other statements appear, remove all that have something other than the 127.0.0.1 address!

Solution #2: Make Your Hosts File Read Only.

First, you need to know how to find your hosts file. The file's name is simply hosts, with no extension. As stated earlier, you will find the hosts file by following this path: C:\WINDOWS\SYSTEM32\DRIVERS\ETC.

Once you've located your hosts file, open it in Notepad to check for any entries that do not have the 127.0.0.1 address reference. Remove all that have something other than the 127.0.0.1 address.

Once this "housecleaning" task is completed, a quick and easy way to lock the hosts file down is to make it a read-only file. Simply right-click the file and choose Properties from the context menu. Click the read-only check box at the bottom of the Properties window, then click OK. Remember that you made it read-only, because in the future you may need to temporarily allow changes for some program installs.

Solution #3: You can set your Hosts file to associate the industry's most well-known troublemaking host names with internal addresses.

Doing this stops third-party Internet parasites from accessing the Web. You can do this by associating every single one of these host names with an internal address of 127.0.0.1. Associating the name with this address causes the request to never leave your local computer, but rather loop back to your computer, thus never contacting the bogus site where your privacy and security could be placed in harm's way.

You can use your hosts file to redirect malware servers so your PC will never see intrusions from them. Techies in "white hats" (the good guys) have compiled lists of these malware servers and put them into the hosts file format. Then when one of these nasties wants to "phone home", the malware server is redirected to 127.0.0.1, the IP address for your own computer.

A customized HOSTS file is an excellent weapon if something malicious gets on your computer.
Often, malicious programs write themselves into the Registry when they infiltrate a computer. Even after their files are deleted, they are able to go to the Internet and download new files. That's why they constantly reappear. The HOSTS file blocks this garbage when it tries to access the Internet. So, although the lines are still in the Registry, the malicious program cannot regenerate itself.

You will find a highly regarded customized HOSTS file at http://tinyurl.com/2t7zq.

1. After you reach the site, select the entire contents of the site (CTRL + A).
2. Then copy the entire contents of the site (CTRL + C).
3. Now locate the HOSTS file by following the steps listed in Solution #1 above (C:\WINDOWS\SYSTEM32\DRIVERS\ETC.).
4. When you have located the HOSTS file, open it in Notepad.
5. Place your insertion bar on a blank space below the file's last line and paste (CTRL + V).
6. Close the HOSTS file and confirm that you want to replace the original file.

To facilitate easy periodic updating (this particular customized HOSTS file is updated about twice each month), you may wish to place a shortcut of the Etc folder on your desktop. Follow these step-by-step procedures:

1. Right-click an open area on your desktop.
2. Click New.
3. Click Shortcut.
4. Browse to: C:\Windows\System32\Drivers\Etc and click Next.
5. Name the shortcut Etc.
6. Click Finish.

You now have a shortcut folder called Etc on your desktop. You can open it to take you to the HOSTS file that is buried several levels below the surface of your operating system.

A Large HOSTS File Can Slow Down Your Web Surfing.

It is true that a large HOSTS file can slow Web surfing in Windows XP. This issue can be remedied by turning off your computer's DNS Client (Domain Name Server). The DNS Client stores a list of IP numbers for Web sites you've visited. The computer searches the stored list before contacting the DNS server. Your computer may be slow because it's searching through this cache AND the HOSTS file. The HOSTS file is necessary. The DNS cache is not.

To change this, click Start>>Run. Enter services.msc in the box. Right-click DNS Client and select Properties. Click the down arrow beside "Startup type" and select Manual. Click OK and restart the computer. This keeps the DNS Client from loading at startup.

And Finally:

A HOSTS file complements your anti-virus and anti-spyware software programs. It does not replace them. If you need anti-virus and anti-spyware programs, you'll find highly rated free ones at http://scscc.com/bkk/ProtectionfromtheNasties.pdf. You'll find a list of free firewalls on this page as well. As always, protecting yourself requires a mix of programs.

Other Related Notes:

Spybot Search and Destroy (an anti-malware program) will add malicious Websites to your Hosts file to provide extra protection against worms. SpywareBlaster will perform a similar function.
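
The periodic check described in Solutions #1 and #2 can also be done by script instead of by eye. The following is an added example, not part of the original handout: it reads a HOSTS file and reports every active entry whose address is anything other than 127.0.0.1. The function names, the sample file, the placeholder host names and the documentation-range address 203.0.113.10 are all constructed for illustration.

```python
import ipaddress
import sys

# The only address the handout treats as safe in a HOSTS entry.
ALLOWED_ADDRESSES = frozenset({ipaddress.ip_address("127.0.0.1")})


def parse_hosts(text):
    """Yield (line_no, address_text, [hostnames]) for each active entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not entry:
            continue
        address, *names = entry.split()
        yield line_no, address, names


def audit_hosts(text, allowed=ALLOWED_ADDRESSES):
    """Return a finding for every entry that does not use an allowed address."""
    findings = []
    for line_no, address, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, names, "not a valid IP address"))
            continue
        if ip not in allowed:
            findings.append((line_no, address, names, "redirects to a non-local address"))
    return findings


# Constructed sample: placeholder names and a documentation-range address.
SAMPLE_HOSTS = """\
# Sample HOSTS file (constructed for this example)
127.0.0.1       localhost
127.0.0.1       ads.example tracker.example   # blocklist-style entry
203.0.113.10    www.bank.example              # injected redirect
"""

if __name__ == "__main__":
    # Pass the path of the real file (the Etc folder named in Solution #1),
    # or run with no argument to audit the constructed sample above.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for line_no, address, names, reason in audit_hosts(text):
        print(f"line {line_no}: {address} -> {' '.join(names)} ({reason})")
```

Blocklist entries of the kind described in Solution #3 pass the check because they point at 127.0.0.1; only the redirect on line 4 of the sample is reported.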
