GRC | Security Now! Notes for Episode #45

Resource links for Security Now! Episode #45:

The 'Hosts' File

In Windows systems, the Hosts file — simply called "hosts" with no file extension — can generally be found in the directory:

c:\Windows\system32\drivers\etc

Note that in this directory path, "c:\Windows" is the system's Windows installation directory, which is usually on the "C" drive and located in "\Windows" or "\WINNT" . . . but the directory could be named something else.

The directory where Windows looks for the Hosts file can be changed as a means for throwing malware off the track. The directory where Windows looks for the Hosts file is contained in this Registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
\Services\Tcpip\Parameters\DataBasePath

Although it's possible for sufficiently smart malware to lookup the directory itself, most programs assume that it hasn't been moved. So you could leave a decoy in the default location but keep your system's actual active Hosts file elsewhere.

During my discussion with Leo I mentioned my own Hosts file. Here's its current contents:

127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1
127.0.0.1

localhost
valueclick.com
linkexchange.com
doubleclick.net
avenuea.com
adbureau.net
cookies.cmpnet.com
focalink.com
mediaplex.com
fastclick.net
pud.cpulse.com
flycast.com
www.unbeatabledeals.com
ads.clickagents.com
target.net
ads.amazingmedia.com
www.commission-junction.com
bfast.com
ad.linksynergy.com
hitbox.com
stats.webtrendslive.com
media.fastclick.net
fastclick.net

You'll notice that the first line in the file is the common "localhost" reference, telling my system that the self-referencing IP of 127.0.0.1 can also be referred to with the simple machine name of "localhost".

The other domains and machine names in the file are places I don't want my web browser or other software inside my machine venturing for any reason. Many of these names may look familiar, and you would probably find web browser third-party tracking cookies bearing these domain names if you were to look into most PCs.

Preventing Windows and your web browser from going where you'd rather not have them go is a cool enough trick, and so easy to do with no software to install, that many people have invested a lot of time, effort and resources into creating and maintaining comprehensive Hosts files. Just take a browser through THIS typical "full feature" Internet site blocking Hosts file:

https://www.grc.com/sn/hosts_mvps_org.txt

As you can see, that file is being served from the GRC server, but it is not being actively maintained. So if you are interested in beefing up your system with a similarly comprehensive Hosts file, I hope you'll check out the MVPS.ORG site where you can find the latest version of that file and a lot of other great information and resources about Windows Hosts files:

http://www.mvps.org/winhelp2002/hosts.htm

Wikipedia:
As Leo mentioned during the episode, Wikipedia has its typically great treatment of the Hosts file. Be sure to check it out.

http://en.wikipedia.org/wiki/Hosts_file

And, finally, a simple Google search for "hosts file" returns a current "best of the web" collection of useful links:

http://www.google.com/search?q=hosts+file