I read something like that in Fred Langa's newsletter on March 11. Here it is:

3) ... And An Old Kind Of Scumware Returns

We've written previously about software that abuses your "Hosts" file: The Hosts file is mainly meant to be used on a LAN; it tells your PC the fixed numeric address of the internal server--- Host--- you need to connect to. But some less-than-stellar internet speedup software tries to shave a few fractions of a second off your Internet connections by placing the numeric IP of external web sites in the Hosts file so your browser won't have to look up the name and address externally.

This works---as long as the site's numeric IP address never changes. But IP addresses *do* change--- and they're supposed to be able to. The Web operates via "dynamic" naming, where a human-friendly name (such as "www.langa.com") is actually an alias for a numeric address (in this case, 64.41.108.95). The numeric address can and will change from time to time as a site is moved or reconfigured. People with out-of-date addresses hardwired into their Hosts file can no longer connect to any site whose address has changed--- the Hosts entry is permanently pointing them to a dead location!

There's lots more information on Hosts file abuse at http://search.atomz.com/search/?sp-a=0008002a-sp00000000&sp-q=evil+hosts .

But the reason I bring it up now is a note from frequent contributor Suresh Ramasubramanian that discussed a new twist on that technique: It's a fake email greeting card notification that contains a link you're supposed to click to see the actual card. But when you click on the link, you get an error message saying something like "Sorry, We are closed for scheduled maintenance. Please come back in a few hours to view and send your postcards."

The error message is fake. What really happens is that the page runs a script that creates a new Hosts file that associates the names of many popular sites--- hotmail, yahoo, google, microsoft, icq, msn, netscape, aol and dozens of others--- with the numeric address of a spam/porn site: Any time you enter, say, "www.microsoft.com," the Hosts file kicks in and substitutes the spam/porn address, and your browser then obediently takes you there instead of to the site you intended.

Good anti-scripting security will prevent the script from running in the first place. But here's how you can recover from this or any kind of Hosts file abuse:

If you have trouble connecting to a site you know should be there, or if a site that should be OK is delivering content you know is not normally part of that site, use NotePad to examine the contents of your Hosts file in the Windows directory. If you're on a LAN, your system administrator can tell you if you really need entries in the Hosts file, and what they should be; delete any others. And if you're not on a LAN, chances are you don't need the Hosts file at all. Rename it HOSTSBAK or something similar, reboot, and see what happens. Chances are, the only thing that will change is that you may be able to connect to sites that were giving you trouble. But, if it turns out you do need the Hosts file, just rename it back to Hosts. If you wish, you can also try setting your known-good Hosts file to Read-Only, so no software can alter it without your knowledge.

(By the way, HOSTS.SAM is a fake sample HOSTS file placed in the Windows directory by default. It's not involved in any of the foregoing; you can ignore it.)

----- Original Message -----
From: "David Tan" <dtanat_private>
To: <incidentsat_private>
Sent: Tuesday, April 02, 2002 9:31 AM
Subject: Unknown Hosts file

> I have a client machine running Windows 2000
> Professional. All of a sudden, one day, the user was
> unable to access several of the most popular
> websites (i.e. google, yahoo, cnn, etc.). I noticed that
> the machine was attempting to access the wrong IP
> address for all the websites, in fact, it was attempting
> to access the SAME IP address for every website in
> the group. After some research, I found there was a
> Hosts file with all the domains in question listed, and
> the erroneous IP address. Has anyone ever come
> across an incident where a virus or trojan would
> place a Hosts file onto a system. I have thoroughly
> scanned the machine for viruses, open ports, etc.
> and found nothing. Is there anything else I should be
> on the lookout for?
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
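Added example, not part of the list post, the newsletter, or either author's own tooling: a small Python audit that automates the check David Tan describes (many popular names all resolving to one address) and Langa's "keep only the entries you need" step. The hosts file content is a constructed sample; 203.0.113.7 is an RFC 5737 documentation address standing in for the hijacker's server, and the threshold of three names per address is an assumed heuristic, so an administrator still confirms that a flagged group is unwanted before removing it.

```python
import ipaddress
from collections import defaultdict

# Constructed sample hosts file (not a real capture). 203.0.113.7 is an
# RFC 5737 documentation address standing in for the hijacker's server.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
192.168.1.10    fileserver fileserver.corp.local    # legitimate LAN entry
203.0.113.7     www.google.com
203.0.113.7     www.yahoo.com
203.0.113.7     www.hotmail.com
203.0.113.7     www.microsoft.com
203.0.113.7     www.cnn.com
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blank and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first column is not an address: ignore the line
        for name in fields[1:]:
            entries.append((ip, name.lower()))
    return entries


def find_hijacked(entries, threshold=3):
    """Group names by non-loopback address and return the groups with at least
    `threshold` names. A LAN server may legitimately carry a few aliases, so the
    threshold is an assumed, tunable heuristic; the administrator decides
    whether a flagged group is wanted."""
    names_by_ip = defaultdict(set)
    for ip, name in entries:
        if not ipaddress.ip_address(ip).is_loopback:
            names_by_ip[ip].add(name)
    return {ip: sorted(names) for ip, names in names_by_ip.items()
            if len(names) >= threshold}


def strip_entries(text, bad_ips):
    """Return the hosts text with every line whose address is in bad_ips removed,
    keeping comments and all other entries (the "delete any others" step)."""
    kept = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        try:
            ip = str(ipaddress.ip_address(fields[0])) if fields else None
        except ValueError:
            ip = None
        if ip in bad_ips:
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    flagged = find_hijacked(entries)
    for ip, names in flagged.items():
        print(f"{ip} is the target of {len(names)} names: {', '.join(names)}")
    print(strip_entries(SAMPLE_HOSTS, set(flagged)))
```

To run it against a real machine, replace SAMPLE_HOSTS with the contents of the Hosts file in the Windows directory (or /etc/hosts elsewhere), review the flagged groups, and only then write the cleaned text back; setting the file read-only afterwards, as the newsletter suggests, does not stop a script running with write access to the directory but does make silent edits less likely and easier to notice.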
This archive was generated by hypermail 2b30 : Tue Apr 02 2002 - 09:39:13 PST