How to block malware with the hosts file
On the Microsoft Most Valuable Players (MVPs) website you can download a custom hosts file to prevent unwanted connections to thousands of websites that distribute malware in its many forms – adware, spyware, etc. How does this work? First let’s review the hosts file and what it does.
The hosts file exists in both Windows and Linux/Unix. It is a simple text file that maps IP addresses to host names, thus bypassing the functionality of name resolution courtesy of DNS servers. The hosts file is simply named ‘hosts’ with no file extension such as .txt. In Linux and Unix, hosts can be found in
/etc/hosts. In modern Windows operating systems it is located in
%SystemRoot% is usually
The default hosts in Windows 7 looks like this:
    # Copyright (c) 1993-2009 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    #      18.104.22.168     rhino.acme.com          # source server
    #      22.214.171.124    x.acme.com              # x client host

    # localhost name resolution is handled within DNS itself.
    #      127.0.0.1       localhost
    #      ::1             localhost
As you can see, the two bottom lines linking the localhost name with the loopback address 127.0.0.1 in IPv4 and with ::1 in IPv6 are commented out by default. In previous versions of Windows these lines were not commented out. The DNS resolver in Windows 7 apparently handles the localhost/127.0.0.1 translation.
Obviously, the hosts file’s ability to bypass DNS and redirect web browsers to the wrong websites makes it a juicy target for malware. Imagine if you could redirect all requests for ‘www.google.com’ to the IP address of some shady website such as ‘www.software4u.ru’ which would unleash a flood of trojans and malicious mobile code? As a result, access to the hosts file in Windows Vista and 7 is heavily restricted. You cannot simply right-click hosts and choose ‘Edit’ anymore. Additionally, Windows 7 seems to ignore some hosts line entries, unlike previous versions of Windows. This new functionality is discussed here and elsewhere (Google search) on the Web.
However, the custom MVPS hosts file still seems to work on Windows 7. After installing it into C:\Windows\System32\drivers\etc, pings to several of the sites listed in the MVPS hosts file resulted in replies from 127.0.0.1 instead of the sites’ public IP addresses. Attempts to browse to the sites resulted in ‘Unable to connect’ messages in Firefox.
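The two uses of the hosts file described above, blocking by pointing names at the loopback address and hijacking by pointing names somewhere else, can be told apart by auditing the file. The following is an added example, not part of the original post or the MVPS package; the function names and the sample entries are constructed for illustration.

```python
import ipaddress

def parse_hosts(text):
    """Yield (line_no, ip, [names]) for each active entry in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].split()   # drop comments, split columns
        if len(entry) < 2:
            continue                           # blank, comment-only or no host name
        try:
            ip = ipaddress.ip_address(entry[0])
        except ValueError:
            continue                           # first column is not an IP address
        yield line_no, ip, [name.lower() for name in entry[1:]]

def audit_hosts(text):
    """Return (blocked names, [(line_no, name, ip)] mapped to a non-loopback IP)."""
    blocked, redirected = set(), []
    for line_no, ip, names in parse_hosts(text):
        # Blocklists sink a name to loopback (127.0.0.1, ::1) or 0.0.0.0.
        sinkhole = ip.is_loopback or ip.is_unspecified
        for name in names:
            if not sinkhole:
                redirected.append((line_no, name, str(ip)))
            elif name != "localhost":
                blocked.add(name)
    return blocked, redirected

# Constructed sample: blocklist-style entries plus one mapping that is worth
# a manual look because it sends a name to a real (documentation-range) address.
SAMPLE = """\
# localhost name resolution is handled within DNS itself.
#   127.0.0.1   localhost
127.0.0.1  ads.example.com  tracker.example.net   # blocklist-style entry
0.0.0.0    banner.example.org
::1        metrics.example.com
192.0.2.55 www.example.com    # non-loopback mapping
not-an-ip  broken.example.com
"""

if __name__ == "__main__":
    blocked, redirected = audit_hosts(SAMPLE)
    print(f"{len(blocked)} names sinkholed to loopback")
    for line_no, name, ip in redirected:
        print(f"line {line_no}: {name} -> {ip} (not loopback, verify this entry)")
```

To audit a real file, pass the contents of /etc/hosts or the hosts file in C:\Windows\System32\drivers\etc to audit_hosts() instead of SAMPLE.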
The process for installing the MVPS hosts file on Windows 7 is described here. You simply download and extract the MVPS hosts.zip file to any folder. Then you right-click the hosts.bat file and choose ‘Run as administrator’.
If you want to revert back to the original Windows hosts file, Microsoft offers a Fix-It utility for that.
I will update this post with any difficulties or errors I encounter while browsing the Web that are the result of the MVPS hosts file.