What

Hosts file

Why

If it is tampered with, it can silently redirect your browser to a look-alike malicious web site while the address bar still shows the name you typed. Theft of login details or other identity information, or installation of viruses and trojans, may then follow.

 

How

Trojans and malicious ActiveX controls can rewrite it if you are logged in with Administrator rights and/or the Hosts file is not protected from unauthorized changes.

Detailed Information

Hosts file – Directs and Blocks Web Site Traffic

What is a Hosts file?

Simply put, the Hosts file is like an address book. Your operating system uses it as a quick way of resolving hostnames (www.example.com) into IP addresses (123.234.1.2). Normally, when you type a web site hostname into your browser, a DNS (Domain Name System) server - an Internet server whose job is to translate names into IP addresses - is queried for the address needed to make the connection. If the local Hosts file contains an entry for that name, the entry takes precedence: it is used and the DNS server is never asked. The local lookup is also faster.

For example: Assume the following entry is in the local system hosts file:

192.168.0.12      www.microsoft.com

If you enter “www.microsoft.com” in the Internet Explorer address bar, Windows finds the entry in the hosts file and resolves the name to 192.168.0.12 without querying any DNS server. Your browser connects to that address. You see and use the alias www.microsoft.com, but the address actually contacted is 192.168.0.12.

However, a Hosts file can be altered so that the web site you reach is not the one you expected. Some spyware changes the hosts file precisely to redirect your browser to a different site. If spyware added an entry like

192.168.0.12 www.woodgrovebank.com

(and 192.168.0.12 is not the real address of Woodgrove Bank), then typing www.woodgrovebank.com in the address bar would send you to 192.168.0.12 rather than to the bank's server, and the address bar would still show the name you typed.
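The lookup order described above, and the kind of planted entry the spyware example describes, are easy to see in a small model. The following Python is an added example written for this page (not code from Windows or from any tool named here): it parses hosts-file text the way the resolver reads it (blank lines and comments ignored, first matching entry wins), falls back to a stand-in dictionary that plays the role of the DNS server, and flags any entry that points a name somewhere other than the loopback or 0.0.0.0 sink addresses used for blocking. The sample hosts content, the FAKE_DNS table and the 203.0.113.x addresses are constructed for the demonstration.

```python
"""Model of hosts-file precedence over DNS plus a redirect audit.

Added example for this page; not Windows code or any named tool's code.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample hosts file: a normal loopback line, two blocking lines,
# and one line of the kind spyware plants (hypothetical hijack of a bank name).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net
127.0.0.1       CookieCop
192.168.0.12    www.woodgrovebank.com   woodgrovebank.com  # planted by spyware
"""

# Constructed stand-in for the DNS server "out there": what the names would
# resolve to if the hosts file did not intervene (203.0.113.0/24 is the
# documentation range, used here as made-up server addresses).
FAKE_DNS: Dict[str, str] = {
    "www.woodgrovebank.com": "203.0.113.10",
    "ad.doubleclick.net": "203.0.113.20",
    "www.example.com": "203.0.113.30",
}


def parse_hosts(text: str) -> List[Tuple[str, List[str], int]]:
    """Return (address, [names...], line_number) for every active line.

    Blank lines and '#' comments (whole-line or trailing) are skipped, as the
    Windows resolver skips them; lines without a valid address are ignored.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        entries.append((parts[0], [n.lower() for n in parts[1:]], lineno))
    return entries


def resolve(name: str, hosts_text: str, dns: Dict[str, str]) -> Tuple[str, str]:
    """Mimic the lookup order: first matching hosts entry wins, else DNS.

    Returns (address, source) where source is 'hosts' or 'dns'.
    """
    name = name.lower()
    for addr, names, _ in parse_hosts(hosts_text):
        if name in names:
            return addr, "hosts"
    if name in dns:
        return dns[name], "dns"
    raise LookupError(f"{name}: no hosts entry and no DNS record")


def is_sink(addr: str) -> bool:
    """Loopback (127.x, ::1) and unspecified (0.0.0.0, ::) are the only
    addresses that make sense as targets for a blocking entry."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def audit_redirects(hosts_text: str) -> List[str]:
    """Flag entries that send a name anywhere other than a sink address.

    Such a line is a redirect, not a block; on a machine whose owner only
    uses the hosts file for blocking it is a strong sign of tampering.
    """
    findings = []
    for addr, names, lineno in parse_hosts(hosts_text):
        if is_sink(addr):
            continue
        for n in names:
            findings.append(f"line {lineno}: {n} -> {addr} (redirect, not a block)")
    return findings


if __name__ == "__main__":
    # On a real Windows machine read %SystemRoot%\System32\drivers\etc\hosts
    # instead of SAMPLE_HOSTS.
    for host in ("www.woodgrovebank.com", "ad.doubleclick.net", "www.example.com"):
        addr, source = resolve(host, SAMPLE_HOSTS, FAKE_DNS)
        print(f"{host:24} -> {addr:14} via {source}")
    for finding in audit_redirects(SAMPLE_HOSTS):
        print("WARNING", finding)
```

Run it and www.woodgrovebank.com resolves to 192.168.0.12 from the hosts file even though the stand-in "DNS" answer would be 203.0.113.10, while ad.doubleclick.net goes to 127.0.0.1 and is never fetched; the audit reports only the planted bank line, because loopback entries are blocks, not redirects. To check a real machine, read the hosts file from the path in the comment and pass its text to audit_redirects.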

You can also use a security-designed Hosts file to block ads, banners, third-party cookies, third-party page counters, web bugs, and even most known hijackers pushed from specific web addresses, by listing those hostnames in the Hosts file against a non-routable address. For example, the entry

127.0.0.1 ad.doubleclick.net

sends every request for that DoubleClick ad server to your own machine, so nothing it would have supplied to the page you are viewing ever loads. Because the server is never contacted, it also cannot set or read the tracking cookies it would use to follow your movements.

Most users do not do anything to their hosts file. But it can be used for these purposes:

  1. By adding your favorite, often-used web site names and their IP addresses to this file you can speed up browsing: the lookup happens on your local system rather than on a DNS server somewhere on the Internet (see the caveat under Hostess below about addresses that change).
  2. Adding known bad sites pointed at your “loopback” IP address (127.0.0.1) thwarts any attempt to browse to them. (IE-SPYAD is one utility that maintains a list of known bad sites for you.)
  3. Malicious spyware or Trojans may attack your hosts file and insert their own sites, or alter existing entries to redirect you to their fake sites. For information and protective measures, see the tip below, How To Prevent Hijacked Hosts files.

You can open your HOSTS file in any plain-text editor (Notepad is fine; MS Word will do only if you save as plain text), but do not change the content until you understand what you are doing. Save it as plain text named hosts with no extension: an editor that silently appends .txt produces a hosts.txt that Windows ignores.

Description of a PEST

The following criteria determine what is considered a PEST and what gets added to a Security-Designed HOSTS File for blocking of malware web site addresses:

           from: http://www.mvps.org/winhelp2002/criteria.htm

Distribution and Installation

  • Installs without user permission, user interaction or an installation interface
  • Bundles other known adware, spyware, or malicious software including potentially unwanted software
  • Installs hidden plug-ins in the Web browser that do not have a user interface
  • Is installed by an ActiveX control or Exploits a security vulnerability in any way
  • Installs using deceptive or questionable methods or tactics
  • Installs even if the user clicks No or cancels the installation
  • Is installed by third-party affiliates
  • Offers an affiliate program that pays a fee for distributing the software
  • Is affiliated with malicious or questionable portals, search engines, or hacking sites

Behavioral Criteria

  • Modifies the HOSTS file without full disclosure in an acceptable and enforceable EULA
  • Modifies or replaces the HOSTS file without creating a valid backup
  • Modifies registry setting related to the HOSTS file
  • Changes common settings, such as the home page or search page, without user permission
  • Changes any Web browser configuration which the user can not undo
  • Uninstalls existing software without user consent
  • Includes a process that cannot be manually terminated by the user
  • Displays pop-up or pop-under windows outside of the application
  • Displays pop-up or pop-under advertisements that cannot be closed by clicking a Close button
  • Modifies Web site content, such as changing search results or substituting certain advertisements for other advertisements
  • Displays pop-up advertisements when the Web browser is not running
  • Displays pop-ups or 3rd party banners or images
  • Automatically restarts itself if the user terminates its process
  • Restores registry keys or file entries that are removed by the user
  • Redirects or blocks searches, queries, user-entered URLs, and other sites without notification or user consent

Security Criteria

  • Changes operating system security settings without user permission
  • Changes software security settings, such as a Web browser security settings, without user permission
  • Connects to the Internet without user permission
  • Disables firewalls, antivirus software, or anti-spyware software
  • Opens a port on the computer without user knowledge
  • Silently reinstalls or updates components
  • Adds a new dial-up connection or other network connection
  • Initiates a connection to the Internet or initiates a dial-up connection without user interaction
  • Prevents anti-spyware or antivirus software from removing the program
  • Downloads and installs software without user permission
  • Runs in a mode that hides processes from the user or system tools
  • Provides remote administration or file transfer capabilities
  • Monitors sensitive items without explicit notice and consent, such as keystrokes, emails, instant messages, screenshots, or the history of open programs and documents
  • Runs malicious or questionable scripts

Privacy Criteria

  • Does not contain a privacy policy, or uses a 3rd party privacy policy
  • Does not contain or display an acceptable and enforceable EULA (End User License Agreement)
  • Installs a LSP (layered service provider) without full disclosure and explicit user permission
  • Silently tracks sites visited without user permission, such as by IP address, GUID, email address, name or other identifier, or via 3rd party hit counters, web beacons and/or 3rd party Cookies.
  • Tracks Web browsing behavior and transmits this information to a remote server
  • Tracks online activity and matches it to personally identifiable information without clear notice and consent, including but not limited to Web pages viewed or accessed, user selected content, keywords and search terms
  • Tracks Web browsing behavior via 3rd party Cookies (aka: Data Miners)
  • Collects personally identifiable information without express consent in statements other than the EULA or privacy policy

NOTE: Hosts is the name of the file itself, not a directory. It has no extension (extensions are the .exe, .txt, .doc, etc. endings of filenames), so in Explorer it may look like an unknown file type, but it is an ASCII text file. Windows finds it through the DataBasePath value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, which normally points to the folders below; that registry value is one of the hosts-related settings malware may alter. The HOSTS file is located here in these operating system versions:

Windows XP (and Vista and later) = C:\WINDOWS\SYSTEM32\DRIVERS\ETC

Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC

Win 98/ME = C:\WINDOWS

 

Your Hosts file may have multiple entries after the comments section, and include lines like:

127.0.0.1 localhost

127.0.0.1 CookieCop

127.0.0.1 ad.doubleclick.net

There is nothing to install, turn on, or configure. Windows automatically looks for a Hosts file and, if one exists, consults it before sending a DNS query for the name you just requested. 127.0.0.1 is your own computer (the loopback address), so when ad.doubleclick.net is requested your computer tries to fetch the ad from itself. Nothing there answers, the request fails immediately, and the browser carries on rendering the rest of the page without that banner, cookie, or unscrupulous JavaScript file.

In case you're wondering, this all happens in a fraction of a millisecond, far faster than fetching a file from halfway around the world. Another useful property of the Hosts file is that it works in both directions: if some parasite does get onto your system (usually bundled with other products), it cannot "call home" either, as long as its server's hostname is listed. That only holds for software that looks names up through the normal Windows resolver; a program that uses a hard-coded IP address or sends its own DNS queries bypasses the Hosts file entirely, so treat this as a bonus rather than a guarantee. This is why it is important to keep your Hosts file up to date with the addresses of known troublemakers. Your HOSTS file also needs protection from being altered without your permission. Using a limited login account without Admin rights is one way. Security programs such as Windows Defender and Webroot Spy Sweeper also watch for and block Hosts file changes.

Note: There is a related file called LMHOSTS (Windows ships a sample as LMHOSTS.SAM) which maps NetBIOS computer names on a LAN (local area network); it plays no part in Internet name lookups and does not concern us here.

Warning - Your HOSTS file may block access to a desired and safe web site: The Windows local Hosts file is used both to speed up access to a web site and to block access to an undesirable one, so it may contain entries that are wrong for your browsing needs, and some anti-spyware programs update it on their own. Some spyware/malware programs such as CoolWebSearch can put entries into your hosts file without your knowledge. You type in some popular address such as www.google.com and are somehow redirected to a site with a jillion pop-up ads. Worse, a spyware program on your system could write a hosts entry that redirects the URL for your bank to the attacker's own server. If that server displayed a page that looked like your bank, you would be completely fooled into submitting your login information to it. If a site that should work suddenly fails or looks wrong, the Hosts file is one of the first places to check.

 

Tools to Shield and Edit your local Hosts file:

Sample Securely-Designed Hosts files

There are several Web sites that provide sample hosts files already populated to block well known bad web sites. Since they need to be kept constantly up to date the best course of action is to ensure that you update it frequently from the site where you obtained the file. One of the best such files available for free, regular download, is available at: http://www.mvps.org/winhelp2002/host.htm  

 

Webroot Spy Sweeper         see PC Magazine Online’s review

Provides shield to protect changes to your Hosts file. Adds its own lists of web sites to your hosts file to silently block the bad ones or those that push lots of advertisements.  

 

HOSTESS  - is a free program designed to help you easily maintain your Hosts file for the purpose of blocking servers rather than for its original purpose of quicker DNS lookups.  It stores the hostnames in an indexed database, eliminating duplicates and placing hosts into logical groups that can be ordered for efficiency.  Hostess has powerful import, export and search features.  It can even create a registry file for adding domains to the Internet Explorer Restricted Zone.  Download free HOSTESS program here.

The focus of the Hostess program is on blocking hosts to avoid the bandwidth-hogging download of advertising graphics. The Hosts file blocks a host by supplying an address of 127.0.0.1 whenever that host is requested. The address 127.0.0.1 is localhost, the same computer the request came from, so unless you are actually running a web server on that computer the redirected request fails immediately. (If you do run a local web server, 0.0.0.0 works as the sink address instead: no host can answer on it, so the request fails the same way without touching your own server.) Those failed requests mean the advertising graphics never download and your pages load much faster!

Some people use the Hosts file to store the IP addresses of their favorite servers to reduce the time taken for the DNS lookup.  Due to the dynamic nature of IP addresses, the author of this program does not recommend such a use for the Hosts file.  Any time you may have saved by avoiding these DNS lookups will be lost ten times over the first time you try to determine why you can't get to your favorite site because the IP address has changed.
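The dedupe-and-merge job Hostess does for you can also be scripted. Below is an added Python example written for this page (not the Hostess program's code, and not the mvps.org list): it takes several downloaded lists, in either plain one-name-per-line form or hosts-file form, lowercases and deduplicates the names, rejects anything that is not a syntactically valid hostname (a stray URL or garbage line would otherwise corrupt the file), never blocks localhost, and emits hosts lines pointed at a sink address of your choice. Both input lists are constructed samples.

```python
"""Merge several block lists into one deduplicated hosts-file fragment.

Added example for this page; not the Hostess program's code.
"""
import re
from typing import Iterable, Iterator, List, Tuple

# Hostname syntax check: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, at least two labels.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")

# Names that must never be blocked, whatever a downloaded list contains.
NEVER_BLOCK = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample inputs: one list already in hosts-file form (with a
# duplicate differing only in case) and one plain list with two junk lines.
SOURCE_HOSTS_FORMAT = """\
# sample downloaded hosts list (constructed)
127.0.0.1 localhost
127.0.0.1 ad.doubleclick.net
127.0.0.1 Ad.DoubleClick.net      # duplicate, different case
127.0.0.1 ads.tracker.example
"""
SOURCE_PLAIN = """\
ads.tracker.example
counter.stats.example.
not-a-hostname!
www.bank.example/login
"""


def hostnames_from_list(text: str) -> Iterator[str]:
    """Yield hostnames from a plain one-per-line list or a hosts-format list
    ('127.0.0.1 name [name ...]'). Comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        # Two or more fields means hosts format: drop the leading address.
        names = parts[1:] if len(parts) > 1 else parts
        for name in names:
            yield name.lower().rstrip(".")


def merge_blocklists(sources: Iterable[str], sink: str = "0.0.0.0") -> Tuple[List[str], List[str]]:
    """Return (hosts_lines, rejected).

    hosts_lines are sorted, duplicate-free '<sink> <name>' lines ready to paste
    below the localhost entry; rejected lists the inputs that failed the
    hostname check. 0.0.0.0 is the default sink because, unlike 127.0.0.1,
    nothing can answer on it even if a local web server is running.
    """
    seen = set()
    rejected: List[str] = []
    for text in sources:
        for name in hostnames_from_list(text):
            if name in NEVER_BLOCK or name in seen:
                continue
            if not HOSTNAME_RE.match(name):
                rejected.append(name)
                continue
            seen.add(name)
    return [f"{sink} {name}" for name in sorted(seen)], rejected


if __name__ == "__main__":
    lines, bad = merge_blocklists([SOURCE_HOSTS_FORMAT, SOURCE_PLAIN])
    print("\n".join(lines))
    for name in bad:
        print("rejected:", name)
```

The two sample lists collapse to three blocking lines; the mixed-case duplicate and the trailing-dot variant merge with their twins, and the two junk lines are reported rather than written, so a bad line in a downloaded list cannot break name resolution for everything below it.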

How To Prevent Hijacked Hosts files:

Your local HOSTS lookup file on your hard drive can contain web addresses you wish to block, and it can also contain poisoned entries, added without your knowledge or permission, that redirect you from the site you wanted to a fake one built to push advertising or to do you harm by stealing your identity or financial information. Some spyware and other hacking tricks can overwrite or edit your Hosts file without your knowledge or permission if you are logged in with administrator rights.

 

To block these attempts to misdirect you via changes to your Hosts file:

1. Use a Limited User Account (LUA) without Admin rights. By default only Administrators and SYSTEM have write permission on the Hosts file, so a program running under a limited account, malware included, cannot modify it.

 

2. Lock your Hosts file from edits. Your system Hosts file is like a local directory of web server IP addresses linked to their commonly used domain names. If a malicious program can edit it and misdirect your browser from a good site to a bad or fake one, bad things can happen. The limited user account in step 1 is the real lock, because it denies the write permission outright. Setting the file's read-only attribute stops a careless overwrite but not a program running with Administrator rights, which can simply clear the attribute. SpywareBlaster, Windows Defender and Webroot Spy Sweeper also watch for changes to your Hosts file and alert you when a change is requested.

3. One solution to the misdirection threat: add the Netcraft Toolbar, a free browser plug-in from the English Internet services firm Netcraft Ltd. that fights phishing attacks and helps users investigate the sites they visit. It is available for Internet Explorer on Windows 2000/XP and for the Mozilla Firefox browser.
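The tools named in step 2 watch the Hosts file for changes. A minimal version of that check, written as an added Python example for this page (not the logic of Windows Defender, Spy Sweeper or SpywareBlaster), is a baseline-and-compare: record a SHA-256 of the file's active entries when you know it is clean, then on each later run report exactly which name-to-address lines were added or removed. Comments and whitespace are normalized away so a cosmetic edit does not raise an alarm while any new mapping does. The baseline file name and the sample "before" and "after" hosts contents are constructed for the demonstration; this detects tampering after the fact and is no substitute for the limited account that prevents it.

```python
"""Baseline-and-compare check for unauthorized Hosts file changes.

Added example for this page; not the logic of Windows Defender, Spy Sweeper
or SpywareBlaster. Detects tampering after the fact; it does not prevent it.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed samples: the file as first baselined, and the same file after a
# hypothetical hijack (one comment edited, one redirect line appended).
BASELINE_HOSTS = """\
# Windows sample header
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net
"""
TAMPERED_HOSTS = """\
# Windows sample header (comment edited, harmless)
127.0.0.1 localhost
127.0.0.1 ad.doubleclick.net
192.168.0.12 www.woodgrovebank.com
"""


def active_lines(text: str) -> List[str]:
    """Comment-free, whitespace-collapsed, lowercased entries of a hosts file.

    Normalizing means a reformatted or re-commented file does not raise a
    false alarm, while any new or altered name-to-address mapping does."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            out.append(" ".join(line.split()).lower())
    return out


def fingerprint(text: str) -> str:
    """SHA-256 over the normalized entries."""
    return hashlib.sha256("\n".join(active_lines(text)).encode("utf-8")).hexdigest()


def compare(baseline_text: str, current_text: str) -> Dict[str, List[str]]:
    """Which entries were added or removed since the baseline."""
    before, after = set(active_lines(baseline_text)), set(active_lines(current_text))
    return {"added": sorted(after - before), "removed": sorted(before - after)}


def check_hosts(hosts_path: Path, baseline_path: Path) -> Tuple[bool, Dict[str, List[str]]]:
    """Compare the live file with the stored baseline, creating the baseline
    on the first run. Returns (changed, diff). Keep baseline_path somewhere an
    unprivileged process cannot write, or it can be updated along with hosts."""
    current = hosts_path.read_text(encoding="utf-8", errors="replace")
    no_change: Dict[str, List[str]] = {"added": [], "removed": []}
    if not baseline_path.exists():
        baseline_path.write_text(json.dumps({"sha256": fingerprint(current), "text": current}))
        return False, no_change
    baseline = json.loads(baseline_path.read_text())
    if baseline["sha256"] == fingerprint(current):
        return False, no_change
    return True, compare(baseline["text"], current)


def demo() -> Tuple[bool, bool, Dict[str, List[str]]]:
    """Run the baseline/tamper scenario against temp files and return
    (changed_on_first_run, changed_after_tamper, diff)."""
    with tempfile.TemporaryDirectory() as tmp:
        # stands in for %SystemRoot%\System32\drivers\etc\hosts on a real machine
        hosts = Path(tmp) / "hosts"
        baseline = Path(tmp) / "hosts.baseline.json"
        hosts.write_text(BASELINE_HOSTS)
        first, _ = check_hosts(hosts, baseline)
        hosts.write_text(TAMPERED_HOSTS)
        second, diff = check_hosts(hosts, baseline)
    return first, second, diff


if __name__ == "__main__":
    first, second, diff = demo()
    print("changed on first run:", first)
    print("changed after tamper:", second)
    for line in diff["added"]:
        print("ADDED  ", line)
    for line in diff["removed"]:
        print("REMOVED", line)
```

The first run only records the baseline; the second run, after the planted bank line is appended, reports that one addition and nothing else, even though the comment changed and the spacing was rewritten. Schedule check_hosts to run at logon or from a task and you have the alert the commercial tools give, minus the ability to stop the write.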

 

 

Resources

 

 

For Further Study on Hosts Files:

http://www.mvps.org/winhelp2002/hosts.htm - Excellent information and tools.

 

Contact me at NofinerWeb.com