what is a HOSTS file and why doesn't it lock it automatically


Userlevel 2
On that note, what is a HOSTS file and why doesn't it lock it automatically?
 
*edit for useful title after separating new topic from derailed conversation - admin

21 replies

Userlevel 7
The HOST file is used by the OS to map hostnames to IP Address.Certain programs will write to the HOSTS file so locking it isnt always a good idea. HOSTS file modification is an old skool way to get a browser to redirect, its less common these days used to see loads of it a few years ago. Spybot S&D used to write loads of entires to the HOSTS file its probably the most well known example. It really doesnt protect your PC that much really so not many AV products write to it anymore.
Userlevel 2
I'd say it's pretty important to stop redirects regardless of whether or not they are common.
Userlevel 7
Badge +56
@ wrote:
I'd say it's pretty important to stop redirects regardless of whether or not they are common.
But WSA's Web Threat Shield protects you so I always have my Hosts File at Default and let WSA Protect it from being changed by possible malware.
 
HTH,
 
Daniel 😉
Userlevel 7
Yup except added IP/Hosts names to the HOSTS file doesnt do anything anymore, its dead and nobody really does it anymore. Not even worth doing it.
Userlevel 7
Badge +56
@ wrote:
Yup except added IP/Hosts names to the HOSTS file doesnt do anything anymore, its dead and nobody really does it anymore. Not even worth doing it.
Some still use MVP Hosts files and Spyware Baster still adds to the Host file but like you said it's not used much anymore and I find no need so I check the box to protect the Host file under Core Systen Shield.
 
Thanks,
 
Daniel  😉
Userlevel 2
 For some reason it didn't quote properly.
 
"
But WSA's Web Threat Shield protects you so I always have my Hosts File at Default and let WSA Protect it from being changed by possible malware.
 
HTH,
 
Daniel http://webroot.i.lithium.com/i/smilies/16x16_smiley-wink.gif
Triple Helix"
 
 
 
That only works if they intend to use malware. The vector in the story below is only one possible. A redirection could be used.
 
You can find a vid of Luke talking about this on the We Are Change channel on youtube.
 
 
Attempted Setup of Luke Rudkowski
 
We Are Change
 
Jully 5, 2013
 
 
 
A few hours before making this video, Luke Rudkowski of WeAreChange.org received an email from an anonymous sender claiming to be a Bilderberg whistleblower with attached photos from inside the 2013 Bilderberg meeting at the Grove Hotel in Watford, England.
The email was sent to his personal email address that he has had since high school, not one of his work or WeAreChange email addresses. Luke opened the email from another computer and itl stated that he was a whistleblower and wanted Luke to break the story so he was sending him these photos exclusively and specifically stated that Luke needed to download the photos.
Fortunately before downloading, Yahoo gives a preview of the photos and the photos were actually graphic child pornography. Luke has had his computer searched by forensics when going into Canada to cover the G20 when they searched him and interrogated him for hours, something like this could happen again when we come back to the U.S. from travelling Europe.
Had this been the case, even with deleting, they would still find the images. There would be no understanding of the true story and he would be facing a felony charge. Besides that also completely jeopardizing his work, reputation and livelihood.
We wanted to make this public for Luke’s safety and also for people to be aware that this kind of thing happens. We do not know who this was, all we know is that it is so important for anyone in this line of work to remain extremely vigilant.
The email address was s27du23d@tormail.org. If anyone can help find out who this person is, it would be greatly appreciated.
 
 
Userlevel 7
Badge +56
Sorry cloud but you lost me. :@
 
Daniel
Userlevel 7
@ wrote:
Sorry cloud but you lost me. :@
 
Daniel
Me too.

Userlevel 2
If the web threat sheild protects you against malware, but doesn't protect against redirects, then how could it protect against something similar to the above (referring to the story I posted on the previous page) done through a redirect vector?
Userlevel 7
Badge +56
@ wrote:
If there web threat sheild protects you against malware, but doesn't protect against redirects, then how could it protect against something similar to the above done through a redirect vector?
That is true but no product is 100% and redirects are very common but if tries to download malware then WSA will jump in and detect the malware. So again I don't know what you are really asking here? WSA has many Shields for protection so no worries there. Maybe Roy can figure what your talking about!
 
Daniel
Userlevel 2
In the story I posted the payload to be delivered by the email vector (it could also be done by a redirect vector or probably many other vectors) was not malware but was actually even more malicious than malware.
 
If a software was not to lock the HOSTS file which would leave the computer vulnerable to redirects, then how would what happened in the story (concisely quoted below), done through a redirect type vector,  be mitigated by the software?
 
I was pointing this out to point out the fact that eliminating HOSTS file protection or not activating it is not very wise as the malware protection would be of no use in such an instance where if what happened to Luke were to happen through a redirect vector .
 
 
"
Fortunately before downloading, Yahoo gives a preview of the photos and the photos were actually graphic child pornography. Luke has had his computer searched by forensics when going into Canada to cover the G20 when they searched him and interrogated him for hours, something like this could happen again when we come back to the U.S. from travelling Europe.
Had this been the case, even with deleting, they would still find the images."
 
 
Thought I'd repost the whole story as I'm not sure it was read.
 
"
A few hours before making this video, Luke Rudkowski of WeAreChange.org received an email from an anonymous sender claiming to be a Bilderberg whistleblower with attached photos from inside the 2013 Bilderberg meeting at the Grove Hotel in Watford, England.
The email was sent to his personal email address that he has had since high school, not one of his work or WeAreChange email addresses. Luke opened the email from another computer and itl stated that he was a whistleblower and wanted Luke to break the story so he was sending him these photos exclusively and specifically stated that Luke needed to download the photos.
Fortunately before downloading, Yahoo gives a preview of the photos and the photos were actually graphic child pornography. Luke has had his computer searched by forensics when going into Canada to cover the G20 when they searched him and interrogated him for hours, something like this could happen again when we come back to the U.S. from travelling Europe.
Had this been the case, even with deleting, they would still find the images. There would be no understanding of the true story and he would be facing a felony charge. Besides that also completely jeopardizing his work, reputation and livelihood.
We wanted to make this public for Luke’s safety and also for people to be aware that this kind of thing happens. We do not know who this was, all we know is that it is so important for anyone in this line of work to remain extremely vigilant.
The email address was s27du23d@tormail.org. If anyone can help find out who this person is, it would be greatly appreciated."
Userlevel 7
I have no idea what your talking about I apologise? The guy got an email with a malicious link? Hosts file would stop that. The truth of matter is that adding IP`s to the HOSTS file isnt a viable option. Since most malware sites are only up for a few hours adding a IP doesnt add any level of realistic protection.
Userlevel 7
Badge +6
This issue appears to be outside the scope of an antimalware like Webroot.
 
Browser scripting protection is a whole other can of worms.
Userlevel 4
@, form what I understand, the person in the post got an e-mail that had attachments in it. It was not a like to another site or anything, just an attachment. The thing with that is no anti-virus software on the market can stop you from opening anything you get in an e-mail.
    Always keep in mind that the best thing to do is never open anything attached to an e-mail from a person that you do not know.
 
 
 
Shawn G.
Freindly Customer support rep.
Userlevel 2
That's what I was saying. In his case an email and attachment vector were used (or were attempted) to load his cache.
 
 
A redirect to a website could also be used do do something similar, could it not?
Userlevel 4
It could could sir. Again just keep in mind that the best practices is to not open anything from someone that you do not know. The big problem, and I know that we are working on it, is that there is no way to stop a redirect or a vector as they are not counted as a virus or malicious software. Yes the can be a pain but in the long run they are not meant to do anything but send you to a different spot on the net.
Userlevel 2
That sending you to a different spot on the net could have very severe consequences.
 
If you can defend against that at some point, I suppose you will have a new market. :D
 
 
You should also consider offering a secure DNS server with webroot on that note.
 
 
Also, how do you get this thing to quote? I can't seem to find the option to do that and I was under the impression for some reason that clicking on reply under the reply that one wished to quote would result in a quote. But that's not the case.
Userlevel 7
Since this is now a separate topic from what it started out as, we'll just make a new topic out of this conversation.  :)
 
Secure DNS you say?  Hmm... That's a good idea.  😉
Userlevel 2
Yup. Anything that can lock down the chain of input to output would be a good thing. I'm guessing the DNS server would be easy to do too?
 
 
 
You do all this, a secure DNS and stop redirects and you will have a very advertisable quality for a new market I think.
 
You should consider looking at it from that target market perspective and see what you can do to serve them. I'm sure there are many other things that could be done for them that I haven't thought of.
 
 
Userlevel 7
Badge +56
@ wrote:
Since this is now a separate topic from what it started out as, we'll just make a new topic out of this conversation.  :)
 
Secure DNS you say?  Hmm... That's a good idea.  ;)
I thought it was mentioned before but yes a Secure DNS for Webroot users would be nice and others could use it also if the cost is covered and not to much to maintain also it would have to be fast and not slow down the connection!



Daniel
Userlevel 7
@ wrote:
That's what I was saying. In his case an email and attachment vector were used (or were attempted) to load his cache.
 
 
A redirect to a website could also be used do do something similar, could it not?
This morning I received an email from "Standard Shipping" claiming that a package delivery failed and I needed to click the link to open the shipping documents. Obviously I knew this was not a legitimate email, and I love playing with this kind of thing. So, on a computer that I use for this kind of stuff, with only Webroot installed, I clicked the email link. It redirected my browser to a webpage which downloaded a .zip file. I analyzed the file and it is one of the newer ransomware trojans. I selected the .zip file to scan with Webroot. It immediately recognized the file and deleted it. I reloaded the file and when I unzipped it, Webroot detected it automatically. So, even though the email contained a link to a webpage to download a trojan, Webroot protected the computer.
 
The only thing I can see for improvement is the ability to have Webroot scan .zip files automatically like it does unzipped files.

Reply