Rewrite and Redirect

Most rewrite and redirect attacks are directed against the HOSTS file(s) on infected machines. The HOSTS file is used by an operating system (not just Windows) to map hostnames to nodes on a computer network, including telling the OS how to reach various websites. Today it normally contains only an entry for localhost (the local machine), but it can be used to force requests for any hostname to go to a specific IP address no matter what the Internet’s DNS says the real IP address for that site is, because the OS consults the HOSTS file before it asks DNS. A typical HOSTS file will have one entry that looks like this…

  • 127.0.0.1 localhost

…but it could be easily edited to look more like this…

  • 102.54.94.97 www.mybank.com
  • 38.25.63.10 www.myotherbank.com

…where the IP addresses (made up here — apologies if these point to someone as they did not when the text was entered) point to fake banking sites designed to look like the real site but exist only to collect banking information from you when you attempt to log into your account. These fake sites can be quite persuasive but usually give themselves away when they ask for information from you that the bank should already have on file.

You might reasonably ask why such a file even exists when the correct IP address can be quickly obtained from the official DNS servers. The answer lies in history and backward compatibility. There was no domain name system (DNS) when ARPANET (the predecessor of today’s Internet) was developed. Each computer in the network had to know which nodes it could talk to, and these were recorded in the HOSTS file. This arrangement lasted for some time and, because of that, the file still exists for backward compatibility. And the HOSTS file can still be useful for various tasks.

An example of one use for the HOSTS file would be blocking various ad-serving sites. If you edit the file and assign the hostname of the ad-serving site to the localhost address of 127.0.0.1, any browser request to the ad-serving site ends up back at your own computer, and no ads appear because most people don’t have a web server running on their machine. If malware-serving domains are also known, these can likewise be entered into the HOSTS file and assigned to 127.0.0.1 so that the domain cannot even be reached from that computer. This is not particularly secure, however, as the HOSTS file is easily modified with any text editor, and malware-serving sites pop up and go away in the proverbial blink of an eye.
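The two kinds of entries described above (a malicious redirect of a bank’s hostname to a foreign address, and a deliberate 127.0.0.1 block of an ad or malware domain) look almost identical in the file; what separates them is the address they point to. The following Python audit script is an added example written for this page, not code from the original article. It parses HOSTS-format text and flags lines that send a hostname somewhere other than the local machine. The sample file content, the domains and the addresses in it are constructed placeholders (the two bank addresses are the made-up ones quoted in the text).

```python
"""Audit HOSTS-format text for rewrite/redirect entries.

Added example for this page (not the article's own code). The sample
below is constructed: domains and addresses are placeholders.
"""
import ipaddress

# Constructed sample: a normal localhost line, two deliberate sinkhole
# entries (ad/tracker domains sent to the local machine), and two entries
# of the kind a redirect attack leaves behind (made-up addresses).
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
0.0.0.0         ads.example-adserver.test   # sinkholed ad domain
127.0.0.1       tracker.example.test
102.54.94.97    www.mybank.com              # placeholder from the article
38.25.63.10     www.myotherbank.com
"""

# Names that legitimately belong on a loopback line.
LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "ip6-localhost",
    "ip6-loopback", "broadcasthost",
}


def parse_hosts(text):
    """Yield (ip, hostnames, line_no) for each mapping line.

    Inline '#' comments are stripped, as the hosts file format allows,
    and blank or malformed lines are skipped.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no hostname maps nothing
        yield fields[0], fields[1:], line_no


def classify_entry(ip_text, hostnames):
    """Classify one mapping line.

    'benign'           loopback/unspecified address with only local names
    'sinkhole'         loopback/unspecified address used to block a domain
    'private-override' RFC 1918 / link-local address (common for dev
                       setups, but worth a look)
    'redirect'         public address: the OS will send traffic for these
                       names there regardless of what DNS says
    'invalid'          first field is not an IP address
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    names = {h.lower() for h in hostnames}
    # Loopback must be tested before is_private: 127.0.0.0/8 counts as private.
    if ip.is_loopback or ip.is_unspecified:
        return "benign" if names <= LOCAL_NAMES else "sinkhole"
    if ip.is_private:
        return "private-override"
    return "redirect"


def audit_hosts(text):
    """Return (line_no, ip, hostnames, verdict) for every entry that does
    not point at the local machine, i.e. everything an auditor should read."""
    findings = []
    for ip, names, line_no in parse_hosts(text):
        verdict = classify_entry(ip, names)
        if verdict in ("redirect", "private-override", "invalid"):
            findings.append((line_no, ip, names, verdict))
    return findings


if __name__ == "__main__":
    for line_no, ip, names, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {ip} -> {', '.join(names)} [{verdict}]")
```

On a real machine you would feed the script the contents of the system’s HOSTS file (for example `/etc/hosts`, or `%SystemRoot%\System32\drivers\etc\hosts` on Windows) instead of the constructed sample; any line reported as `redirect` deserves a check against what public DNS returns for that name, since a bank or update server should never need an entry there.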

Some examples of viruses that have used this attack include the Trojan Delude and the virus Mydoom.B.
