Sunday 22 January 2006 - A HOST'ed computer is a happy computer!
By Steven Burn

Unless you have been on vacation on Keflar 12, you will no doubt already be aware of the increase in phishing e-mails, malware-infected downloads and websites, and all things generally bad for your computer. 2005 has seen a major increase over the past several years, and it is going to get much worse (why? Things always get worse).

Some people in the security community seem to believe simply changing browsers will prevent infections; however, and this is the funny part, the last few months have proven this is anything but true! So what do you do? Download a ton of anti-malware? Always a good idea (well, maybe not a ton, but two or three real-time monitors would be a good idea). Perhaps you should switch to Linux? Nice, but not practical (and it is only less susceptible whilst it's less popular). I know, let's all go out and purchase that all-singing, all-dancing monkey! That's right, now I'm just being silly.

One of the most overlooked ways of protecting your computer is by restricting where it can go. The easiest way of doing this is by using a filter.

By no means a complete solution, the HOSTS file is a default part of Windows and, whilst still susceptible to abuse (i.e. malicious software can modify it at will, even when marked as "Read Only"), with a little help from Scotty, can help protect your computer by limiting the sites it can and cannot load.

Though applying to far more than just the browser, I'm going to use the browser in this example to keep things simple.

So for example, if Joe Bloggs wanted to go to snapfiles.com, he would usually just type "snapfiles.com" into the browser's address bar. But wait, what if his system administrator knew that site was bad? (It's not, it's actually a brilliant site.) Well, if his administrator wanted it to be blocked, he could just add it to the "Restricted Sites" zone of his browser, right? But then Joe could just use a different browser.

Whilst not trying to be too technical, the HOSTS file works by acting as an intermediary between your "client" (not just the browser) and the outside world (i.e. anywhere that is NOT inside your computer). So for example, if Joe's administrator added the following entry into the HOSTS file, NOTHING could access snapfiles.com, be it a browser, an instant messaging program or a malicious application:

127.0.0.1 snapfiles.com

When a connection from your computer is attempted, one of two things occurs, depending on how it is configured (both occur by default):

1. Windows looks at the entries in the HOSTS file
2. Windows looks at the DNS (Domain Name System) addresses in the registry

It usually looks in the HOSTS file first, to see if it can cheat and match the hostname (i.e. snapfiles.com) to its IP (Internet Protocol) address (8.10.179.160). If it cannot find an entry for it in the HOSTS file, it then goes on to look in the registry's DNS entries; if it still cannot find it, it will then query your ISP's (Internet Service Provider's) DNS servers.

Because, in this example, the HOSTS file contains an entry for snapfiles.com with an IP address of 127.0.0.1, Windows will stop looking and simply use that address, so instead of the browser going to snapfiles.com, it will re-direct the request to your computer. This is because 127.0.0.1 is a reserved address for internal use only (i.e. it is only used by the computer, for the computer, nothing else). As an example, if you typed the following into your browser's address bar, you would (unless you are running a web server) see either "Page cannot be found" or "No web site is configured at this address".

http://127.0.0.1/

The only thing that lets the HOSTS file down is the fact it cannot map IP addresses to other IP addresses (i.e. it cannot map 127.0.0.1 to 0.0.0.0). The reason for this escapes me, but I'm sure Microsoft have excuses for it.

So now I've bored you senseless with details of how the HOSTS file works, where exactly do you get the HOSTS file from, and how do you get it onto your computer?
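
The lookup order described above, as an added example (not code from the original article): a small HOSTS parser and a resolver that checks the HOSTS table before a DNS stand-in. The sample file, the example.test names, the FAKE_DNS table and its placeholder addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample HOSTS content (not taken from a real machine).
SAMPLE_HOSTS = """\
# Lines starting with '#' are comments
127.0.0.1   localhost
127.0.0.1   snapfiles.com        # the entry from the article
0.0.0.0     ads.example.test tracker.example.test
not-an-ip   broken.example.test  # malformed line, skipped
"""

# Stand-in for the DNS step; the addresses are documentation-range placeholders.
FAKE_DNS = {"snapfiles.com": "192.0.2.10", "www.snapfiles.com": "192.0.2.10"}

def parse_hosts(text):
    """Return {hostname: ip} from HOSTS-format text."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comment, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        for name in fields[1:]:
            # Assumption of this sketch: the first entry for a name is kept.
            table.setdefault(name.lower(), fields[0])
    return table

def resolve(name, hosts_table, dns=FAKE_DNS):
    """Check the HOSTS table first, then the DNS stand-in."""
    key = name.lower().rstrip(".")
    if key in hosts_table:
        return hosts_table[key], "hosts"
    if key in dns:
        return dns[key], "dns"
    return None, "unresolved"

if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for host in ("snapfiles.com", "www.snapfiles.com", "tracker.example.test"):
        print(host, "->", resolve(host, table))
```

The match is on the exact hostname: the snapfiles.com entry does not cover www.snapfiles.com, so every name to be blocked needs its own entry.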

Getting the HOSTS file

The most common and most popular HOSTS files are:

MS MVPS HOSTS: http://www.mvps.org/winhelp2002/hosts.htm
hpHosts: http://www.hosts-file.net

I personally prefer hpHosts, not only because I am an administrator for their forums (that didn't come until much later (and to be honest, is a decision that still has me baffled)), but because it contains many more host addresses (42,318 as of 08-01-2006) than the alternatives and thus provides greater protection against malicious websites.

hpHosts is a community managed and maintained HOSTS file, meaning YOU help manage its content. Updated fairly frequently, hpHosts prevents the loading of malicious, pornographic, spammer and "phishing" websites by mapping all of the host addresses to your computer (remember what I said above about 127.0.0.1?).

Installing the HOSTS file

The HOSTS file is stored in a single location so is relatively easy to locate.

For Windows 95, 98 and Windows ME

%WinDir%\HOSTS

For all others (including Windows XP)

%WinDir%\System32\Drivers\etc

*%Windir% is a system variable that points to the Windows (aka WinNT) folder.

To prevent accidental deletion, this file is usually hidden from the casual viewer using the "System" attribute. There are two simple ways to remove this, again depending on your version of Windows.

By far the easiest is to use a "DOS" command window. To access this, go to Start > Run and type:

Windows 95, 98 and Windows ME

command

All others (including Windows XP)

cmd

When this window appears, you would enter the following (pressing return after each line) to access the folder containing the file.

For Windows 95, 98 and ME

cd %windir%
attrib -s -r -h hosts
exit

For all others (including Windows XP)

cd %systemroot%\system32\drivers\etc
attrib -s -r -h hosts
exit

The last line ("exit"), once Enter is pressed, closes the window for you. All in all, this process takes approximately 1-2 seconds (depending on how fast you type, of course). Of course, you could dispense with the "cd" command and just issue the attrib command directly:

For Windows 95, 98 and Windows ME

attrib -s -r -h %windir%\hosts

For all others (including Windows XP)

attrib -s -r -h %systemroot%\system32\drivers\etc\hosts

*%Windir% is a system variable that points to the Windows (aka WinNT) folder.

Once those attributes are removed, you can then edit the file to add the new content.

Editing the HOSTS file

To edit the HOSTS file manually, click Start > Run. Then enter the following;

For Windows 9x/ME;

notepad %windir%\HOSTS

For all others (including Windows XP)

notepad %systemroot%\system32\drivers\etc\hosts

NB: %systemroot% is the system variable for the Windows folder on NT and above systems.

IMPORTANT: As the HOSTS file does not have an extension, you must ensure you DO NOT save it with one!!

Protecting the HOSTS file from malware

Unfortunately, for all of the solutions it provides, the HOSTS file has one major weakness, and that's the fact it can be edited at will, by anything or anyone. The best way to protect against this is to use a monitor to prompt you to allow or disallow changes to the file.

WinPatrol
www.winpatrol.com
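
The kind of check such a monitor performs can be approximated by comparing the file against a saved known-good copy. This is an added example, not part of the original article and not WinPatrol's code; the sample contents, the example.test names, the placeholder address and the severity labels are assumptions.

```python
import hashlib
import ipaddress

# Constructed samples: a known-good baseline and a copy edited behind the user's back.
BASELINE = """\
127.0.0.1 localhost
127.0.0.1 snapfiles.com
127.0.0.1 bad.example.test
"""
TAMPERED = """\
127.0.0.1 localhost
127.0.0.1 snapfiles.com
203.0.113.5 bank.example.test   # placeholder address, documentation range
"""

def fingerprint(text):
    """SHA-256 of the content; any edit at all changes it."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def entries(text):
    """Set of (ip, hostname) pairs, comments and blank lines ignored."""
    return {(f[0], h.lower()) for line in text.splitlines()
            for f in [line.split("#", 1)[0].split()] for h in f[1:]}

def is_sinkhole(ip):
    """True for loopback or unspecified addresses, the usual blocking targets."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified

def audit(baseline, current):
    """Return a list of (severity, message) findings; empty if nothing changed."""
    if fingerprint(baseline) == fingerprint(current):
        return []
    old, new = entries(baseline), entries(current)
    findings = []
    for ip, host in sorted(new - old):
        # A new name pointing at a routable address is a redirect, not a block.
        severity = "info" if is_sinkhole(ip) else "alert"
        findings.append((severity, f"added {host} -> {ip}"))
    for ip, host in sorted(old - new):
        findings.append(("warn", f"removed {host} -> {ip}"))
    return findings or [("info", "file changed, entries identical")]

if __name__ == "__main__":
    for severity, message in audit(BASELINE, TAMPERED):
        print(severity.upper(), message)
```

On a real system the current text would be read from the HOSTS path given under "Installing the HOSTS file", with the baseline kept somewhere the monitored account cannot write.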

Third party applications

For those less inclined to edit the HOSTS file manually, the following are excellent FREEWARE programs that allow you to do this.

Hosts file manager: http://mvps.org/PracticallyNerded/Software.htm
DNSKong: http://www.accs-net.com/hosts/DNSKong.html
Hostess: http://accs-net.com/hostess/
Hostsman: http://pwp.netcabo.pt/0413933601/hostsman.html

To toggle the HOSTS file usage by Windows (enabled/disabled):

HostsToggle: http://accs-net.com/hosts/HostsToggle/

Third party HOSTS files

hpHosts*: http://www.hosts-file.net
MVPS: http://www.mvps.org/winhelp2002/hosts.htm

* An online (searchable) database of the hpHosts file is also available at:

hpHosts Online
http://www.hosts-file.net

Further information

Further information on the HOSTS file, how to use it, and what it can do for you, can be found at:

What is the HOSTS file?
http://www.accs-net.com/hosts/what_is_hosts.html

Blocking Unwanted Parasites with a Hosts File
http://www.mvps.org/winhelp2002/hosts.htm

HOSTS File: Wholesale blocking
http://castlecops.com/article-5660-nested-0-0.html

The HOSTS file, and what it can do for you
http://www.bleepingcomputer.com/forums/tutorial51.html

Protecting the HOSTS file
http://antivirus.about.com/od/securitytips/ss/hosts.htm

NetBIOS Name Resolution Using DNS and the HOSTS File
http://support.microsoft.com/?kbid=142309

Problems using Internet Explorer with an incorrect HOSTS file
http://support.microsoft.com/?kbid=219843

Differences between the HOSTS and LMHOSTS files in Windows NT
http://support.microsoft.com/?kbid=105997


This article was originally published January 8th 2006 on the TeMerc Internet Countermeasures forums
