DNS Windows hosts file hijack

Today we present another way hackers can hijack your data.

Using malware delivered by an email or by an infected web page, the intruders simply modify your hosts file (found in /windows/system32/drivers/etc).

With a few changes here the intruder has several options for what to do next. It all depends on what he is after.

Most commonly, tampering with the hosts file is combined with other changes made to your registry and your browsers. But simply modifying this small file is enough to divert your requests to other web sites.

What DNS is and how it works.

Normally, when you make a request, for example for www.facebook.com, the Domain Name System (DNS) servers translate the name into a number; in our case it could be 31.13.80.49.

Now think about everything you access each day: your webmail, the news websites, your social media accounts and more. How could you keep so many numbers in mind? Also, some services, including Facebook, have more than one IP. Pretty difficult, isn’t it?

OK, but where are all those servers? The servers are in data centers, where normally there is enough security for them not to get hijacked.

But why do I have a hosts file if the DNS servers are in data centers?

The hosts file is a part of IP (Internet Protocol). It has been there for a very long time and it also exists in other operating systems, including Linux-based ones. Your system consults this file before asking any DNS server, so with it the administrator of your system can divert some traffic to a specific IP or deny access to a website.

And what exactly happens when my hosts file is hijacked?

Good question, with a lot of answers. Let’s take one of the worst cases. Your hosts file has been hijacked. When you type the address of your work webmail, the hosts file directs you to the hacker’s server. If you are not very careful, you type your user name and password, and the hacker keeps the information you typed in their own database. So far this is the path of the red arrows in the image. After hijacking your data, the hacker can choose to forward your request to the real servers, sending along the credentials you entered (the yellow line). Everything takes a few seconds, so you will not notice that your data is now in the hacker’s hands. You can click on the image for a full-screen zoom.

But we know very well that a lot of words and pictures without an example mean nothing, so below you have a video.

As you can see, we first open the Google page at google.com.

After that we open the file c:\windows\system32\drivers\etc\hosts as administrator. We need to do this as administrator to have the rights to write to the file.

In this file we map the IP of Facebook to both the www and the non-www name of Google.

Then we open the same browser, pointing at the same address, and voilà: now we land on the Facebook home page, not Google.

It is not magic, just a little play with the hosts file. After this demo we edit the hosts file again, delete the two IP lines and save. Everything comes back as if by magic.

Obviously a hacker will build a page at something like www.google.1.com*, so you will not see a big difference. If the website is not HTTPS (encrypted), you will also not see any significant change in your address bar. With HTTPS, the browser would instead warn that the site’s certificate does not match the name you typed, which is one more reason to take such warnings seriously.

So what to do?

The best thing you can do is to stay away from malware. Even the built-in Windows antivirus is good enough to keep you out of some trouble.

Second: try to use an antivirus that locks the hosts file. A free example is Avira.

Use a non-administrator account on your Windows. Create a normal user without the administrator role. After all, when you want to install something you can type the administrator password; not so difficult.

Talk to a security team for your office in order to find the best solution for your business.
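As an added example, not part of the original post, here is a small Python check that parses a Windows hosts file and flags active entries sending a hostname to a real, non-local address, the pattern used in the demo above. The sample hosts content is constructed for the illustration; the 203.0.113.10 address and the webmail.example.com name are invented placeholders.

```python
import ipaddress

# Constructed sample of C:\Windows\System32\drivers\etc\hosts after tampering:
# the demo's Facebook IP is mapped onto google.com, plus one invented redirect.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
#    127.0.0.1       localhost
#    ::1             localhost
31.13.80.49   google.com  www.google.com
203.0.113.10  webmail.example.com   # constructed attacker host (TEST-NET-3 range)
0.0.0.0       ads.example.net       # null-route, common for ad blocking
"""

# Addresses a clean hosts file may legitimately point a name at.
HARMLESS_IPS = {"127.0.0.1", "::1", "0.0.0.0"}

def parse_hosts(text):
    """Return (ip, hostname) pairs for every active (uncommented) line."""
    entries = []
    for raw in text.splitlines():            # handles CRLF line endings too
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                         # first field is not an address
        for name in parts[1:]:
            entries.append((str(ip), name.lower()))
    return entries

def suspicious_entries(text):
    """Entries that redirect a hostname to a real, non-local IP.

    Loopback and null-route entries are treated as harmless; anything
    else overrides what DNS would return and deserves a manual review.
    """
    flagged = []
    for ip, name in parse_hosts(text):
        if ip in HARMLESS_IPS or ipaddress.ip_address(ip).is_loopback:
            continue
        flagged.append((ip, name))
    return flagged

def check_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    with open(path, encoding="utf-8-sig") as f:  # utf-8-sig tolerates a BOM
        return suspicious_entries(f.read())
```

Running suspicious_entries(SAMPLE_HOSTS) reports the two google.com lines and the webmail redirect, while the null-routed ad domain is left alone.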


———————

*1.com is just an example; it was never connected with any hacks.
