Doug Vitale Tech Blog

How to block malware with the hosts file

On the Microsoft Most Valuable Players (MVPs) website you can download a custom hosts file to prevent unwanted connections to thousands of websites that distribute malware in its many forms – adware, spyware, etc. How does this work? First let’s review the hosts file and what it does.

The hosts file exists in both Windows and Linux/Unix. It is a simple text file that maps IP addresses to host names, so names listed in it are resolved locally without querying DNS servers. The file is named ‘hosts’ and has no file extension such as .txt. In Linux and Unix it is located at /etc/hosts. In modern Windows operating systems it is located at %SystemRoot%\system32\drivers\etc\hosts (%SystemRoot% is usually C:\Windows).

The default hosts file in Windows 7 looks like this:

# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# For example:
#          # source server
#              # x client host

# localhost name resolution is handled within DNS itself.
#       localhost
#    ::1             localhost

As you can see, the two bottom lines linking the localhost name with the loopback address in IPv4 and with ::1 in IPv6 are commented out by default. In previous versions of Windows these lines were not commented out. The DNS resolver in Windows 7 apparently handles the localhost/ translation.

Obviously, the hosts file’s ability to bypass DNS and redirect web browsers to the wrong websites makes it a juicy target for malware. Imagine if you could redirect all requests for ‘’ to the IP address of some shady website such as ‘’ which would unleash a flood of trojans and malicious mobile code? As a result, access to the hosts file in Windows Vista and 7 is heavily restricted. You cannot simply right-click hosts and choose ‘Edit’ anymore. Additionally, Windows 7 seems to ignore some hosts file entries, unlike previous versions of Windows. This new functionality is discussed here and elsewhere (Google search) on the Web.

However, the custom MVPS hosts file still seems to work on Windows 7. After installing it into C:\Windows\System32\drivers\etc, pings to several of the sites listed in the MVPS hosts file resulted in replies from instead of the sites’ public IP addresses. Attempts to browse to the sites resulted in ‘Unable to connect’ messages in Firefox.
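The following Python audit is an added example, not part of the original post or the MVPS project. It parses text in the hosts format described above and separates block entries (names mapped to a loopback or unspecified address) from names pinned to a routable address, which is the kind of redirection malware would add. The sample content, the example names and the choice of which addresses count as "blocked" are assumptions made for illustration.

```python
import ipaddress

# Constructed sample in hosts format; names and addresses are illustrative only.
SAMPLE_HOSTS = """\
# constructed sample, not the MVPS file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net tracker.example.net   # block entries
127.0.0.1       malware.example.org
203.0.113.25    www.bank.example
not-an-ip       broken.example
"""

LOCAL_NAMES = {"localhost"}  # assumption: names that legitimately map to loopback


def parse_hosts(text):
    """Yield (line_no, ip_or_None, names) for every non-comment, non-blank line."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment anywhere on a line
        if not line:
            continue
        fields = line.split()  # first column is the IP, the rest are host names
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            ip = None
        yield no, ip, fields[1:]


def audit(text):
    """Classify entries: sinkholed names, names redirected elsewhere, bad lines."""
    report = {"blocked": [], "redirected": [], "malformed": []}
    for no, ip, names in parse_hosts(text):
        names = [n.lower() for n in names]
        if ip is None or not names:
            report["malformed"].append(no)
        elif ip.is_loopback or ip.is_unspecified:
            report["blocked"] += [n for n in names if n not in LOCAL_NAMES]
        else:  # may be a legitimate intranet mapping; listed for manual review
            report["redirected"] += [(n, str(ip)) for n in names]
    return report


if __name__ == "__main__":
    for kind, items in audit(SAMPLE_HOSTS).items():
        print(kind, items)
```

To audit a real system, pass the contents of the hosts file to `audit()` and review every `redirected` entry that you did not add yourself.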

The process for installing the MVPS hosts file on Windows 7 is described here. You simply download and extract the MVPS file to any folder. Then you right-click the hosts.bat file and choose ‘Run as administrator’.

You can view the MVPS hosts file’s frequently asked questions here, and the file’s maintainers run a blog here.

If you want to revert to the original Windows hosts file, Microsoft offers a Fix-It utility for that.

I will update this post with any difficulties or errors I encounter while browsing the Web that are the result of the MVPS hosts file.



Written by Doug Vitale

December 2, 2011 at 1:27 PM
