Thwart malware attacks by locking out bad sites

By Scott Dunn

Bolster your antivirus, firewall, and antispyware protection by customizing the IP address manager built into Windows.

Redirect ad servers and other undesirable addresses in Windows’ Hosts file and update your unwanted-address list automatically for free with the HostsMan utility.

Forward undesirable IP addresses to Nowheresville

No single security program is guaranteed to keep you safe. That’s why you need to take a multilayered approach to PC safety. A quick, simple, and free way to strengthen your defenses is by editing Windows’ built-in IP address book, a.k.a. the Hosts file.


This system file converts domain names, such as “www.google.com,” into their corresponding IP addresses. In IPv4, the address is four sets of one to three digits, with each set separated by a period. (For example, the last time I pinged www.google.com, the IP address was 74.14.253.99, though the service has oodles of addresses.)

The Hosts file performs a function similar to that of the DNS (Domain Name System) used by network servers. But unlike DNS, the Hosts file is under your control and overrides any mappings found in the DNS.

For example, when you enter a name such as WindowsSecrets.com in your browser’s address bar, the browser checks the Hosts file to see whether the domain name’s corresponding IP address is listed there. If the address isn’t in the file, the browser looks for it on a DNS server and then makes the connection.

By modifying the Hosts file yourself, you can prevent anyone using the PC without an administrator account from accessing unwanted sites. Prime candidates for blocking via this method are sites that host advertising, which can sometimes be a conduit for malware, as I explained in my Apr. 17 story.

To block a file served by the DoubleClick ad server, for example, you would add this line to your Hosts file:

127.0.0.1 ad.doubleclick.net

That’s because “127.0.0.1” is the local machine’s IP address, so your browser looks in vain on your own computer for files that are supposed to come from DoubleClick.

This technique not only blocks ads from the redirected sites, but also cookies and any other content they attempt to send.

Automate your Hosts-file tweaking

Of course, manually editing the Hosts file to include the hundreds of ad servers and other undesirable sites on the Internet — not to mention keeping it up to date — would be a Herculean chore.

Fortunately, a number of sites maintain files listing dangerous addresses with this very purpose in mind, and they make updates available on a regular basis. The most popular of these sites is WinHelp 2002, which originally focused on blocking ads and banners but has since expanded to guard against many Internet threats.

Other useful sources for prefab Hosts files are Mike’s Ad Blocking Hosts file, Dan Pollock’s Hosts file, and a Hosts file from Bluetack Internet Security Solutions.

Many of the services provide an installer or batch file that can be used to replace your existing Hosts file with their own. If no such installer is included, back up your existing Hosts file and copy the new file in its place. Your Hosts file is located here:

C:\Windows\System32\drivers\etc

Some writers, such as Thomas Hruska, argue that your PC’s performance may be hindered because site blocking in this manner forces your browser to look in vain for a site it cannot find. If you notice a performance hit when you try this technique, you may be better off using special ad-blocking software such as NoScript for Firefox, as mentioned in my Apr. 17 story.

On the other hand, the WinHelp 2002 site argues that “a well-designed Hosts file can speed the loading of Web pages by not having to wait for these ads, annoying banners, hit counters, etc. to load.”

Unfortunately, malware makers are also aware of the power of the Hosts file. Worms and Trojan horses are sometimes crafted to alter your Hosts file to block major antivirus and security sites. This prevents you from receiving the updates you need to stay protected from the dark side.

Other malware modifies the Hosts file so that when you try to visit your bank’s Web site, for example, you’re redirected to a phishing site mimicking the bank’s, where the crooks attempt to trick you into handing over account numbers and passwords.

Just as insidious, a malicious program could modify the Registry, which tells Windows where to look for the Hosts file. If that happens, you may be spending your time protecting the wrong copy of the file. The key is named DataBasePath and is located at:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

As a result, you also need to make sure both the Registry and your Hosts file are protected.
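The two kinds of tampering described above (security sites blocked, a bank's name redirected) and a changed DataBasePath can all be checked for mechanically. The following Python sketch is an added example, not part of the original article: the watch-list names and sample file are constructed, and the DataBasePath value is passed in as a string on the assumption that the stock setting is `%SystemRoot%\System32\drivers\etc`.

```python
import ipaddress

# Assumed watch list: placeholder names standing in for the antivirus update
# sites and bank sites you actually use. Neither is a real host.
WATCHED = {"update.antivirus.example", "www.bank.example"}
# Assumed stock value of DataBasePath; read the real one from the Registry.
DEFAULT_DB_PATH = r"%SystemRoot%\System32\drivers\etc"

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in Hosts-file text."""
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()   # drop comments, split columns
        for name in fields[1:]:                  # one IP may carry several names
            yield no, fields[0], name.lower().rstrip(".")

def audit(text, database_path=DEFAULT_DB_PATH):
    """Return (line_no, kind, detail) findings; line 0 means the Registry."""
    findings = []
    if database_path.rstrip("\\").lower() != DEFAULT_DB_PATH.lower():
        findings.append((0, "registry", f"DataBasePath points to {database_path}"))
    for no, ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((no, "malformed", f"{ip!r} is not an IP address"))
            continue
        sinkhole = addr.is_loopback or addr.is_unspecified
        if name in WATCHED:
            # A watched site should not be in the Hosts file at all.
            kind = "blocked" if sinkhole else "redirected"
            findings.append((no, kind, f"{name} -> {ip}"))
        elif not sinkhole:
            # A pure block list maps every name to the local machine.
            findings.append((no, "non-local", f"{name} -> {ip}"))
    return findings

# Constructed sample, not taken from a real machine.
SAMPLE = """\
# sample Hosts file
127.0.0.1   localhost
127.0.0.1   ad.doubleclick.net      # ordinary block-list entry
127.0.0.1   update.antivirus.example
203.0.113.7 www.bank.example
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
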

Start by checking whether your current security software has tools for protecting the Hosts file and monitoring Registry changes. Both the $40 ZoneAlarm Pro firewall and the $50 ZoneAlarm Internet Security Suite from Check Point Software protect the Hosts file from changes and notify you of attempts to do so.

Among free security software, Spybot Search & Destroy has a feature for locking out changes to the Hosts file. The free version of WinPatrol warns you if changes are made to the Hosts file or critical system files and lets you keep the previous version.

You can also keep your Registry and Hosts file protected by logging in to a nonadministrator account in Windows. This prevents any changes to these and all other system files.

Finally, regularly overwriting your Hosts file via one of the third-party updates I mentioned above will delete any changes made by malware.

Keep your Hosts file up to date

You’ll need an easy way to keep your custom Hosts file current. A number of free utilities will automatically download and install updated copies of third-party Hosts files. I tested several tools designed to manage your Hosts file, and my favorite is HostsMan, which includes a button for quickly disabling and enabling your Hosts file. This is useful if your browser is having difficulty contacting a site you’re sure you want to view.

HostsMan’s true talent is in keeping the Hosts file updated. While most Hosts-file fresheners tie you to a specific third-party file or site, HostsMan installs any or all of four popular third-party Hosts files. If none of those files suits you, HostsMan lets you edit the update list to add the URL of your favorite Hosts source.

Figure 1. HostsMan’s main window includes buttons for toggling, updating, or opening the Hosts file.

The program’s update option (which can be invoked manually at any time) can either merge or overwrite your Hosts file with the updates you’ve chosen. I recommend the overwrite option, in case your file has been compromised by malware. When you install updates from multiple sources, HostsMan deletes duplicate entries automatically.

If your updates add Web sites you’d rather not block, just place those sites’ URLs in HostsMan’s exclusions list to keep them out of your Hosts file permanently.
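The overwrite-style update described above (several sources combined, duplicates dropped, exclusions honored) can be sketched as follows. This is an added Python example, not HostsMan's own code; the two input lists and the function names are constructed for illustration, and it additionally assumes that only entries pointing at the local machine should be accepted, so a downloaded list cannot introduce a redirect.

```python
import ipaddress

def block_names(text):
    """Yield hostnames that a downloaded Hosts list maps to a local address."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue                          # blank line or comment only
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # not a mapping line
        # Accept only 127.x.x.x / 0.0.0.0 / ::1 targets: a block list has no
        # reason to point a name at a routable address.
        if addr.is_loopback or addr.is_unspecified:
            for name in fields[1:]:
                yield name.lower().rstrip(".")

def build_hosts(sources, exclusions=()):
    """Build a fresh Hosts file from several lists (overwrite, not merge)."""
    skip = {e.lower() for e in exclusions} | {"localhost"}
    names = set()                             # a set removes duplicates
    for text in sources:
        names.update(n for n in block_names(text) if n not in skip)
    lines = ["127.0.0.1 localhost"]
    lines += [f"127.0.0.1 {n}" for n in sorted(names)]
    return "\n".join(lines) + "\n"

# Constructed sample lists, standing in for two third-party sources.
LIST_A = "127.0.0.1 ad.doubleclick.net\n0.0.0.0 ads.example.net\n"
LIST_B = (
    "127.0.0.1 AD.DoubleClick.net   # duplicate of an entry in LIST_A\n"
    "127.0.0.1 tracker.example.org\n"
    "198.51.100.9 www.bank.example  # redirect smuggled into a list\n"
)

if __name__ == "__main__":
    print(build_hosts([LIST_A, LIST_B], exclusions=["tracker.example.org"]), end="")
```

Because the output is rebuilt from the downloaded lists each time, anything malware added to the previous file is discarded, which is the reason for preferring overwrite to merge.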

HostsMan was also the only utility I tested that checked the Registry to find the Hosts file used by Windows. Other applications just keep working with the Hosts file in the default location, even if that location was rendered useless by a changed Registry key.

Unfortunately, HostsMan updates itself to the new Hosts location only when the program starts. If you leave HostsMan (and your computer) running all the time, you may need to restart the program if you think malware has compromised your Registry’s Hosts setting.

If you keep HostsMan running in your system tray, the program automatically updates your Hosts file in the background. The current version gives you no control over these updates, though; automatic updating occurs every 12 hours, whether you want to update or not.

The other Hosts-file updaters I tried were Hosts File Updater, HOSTS Secure, B.I.S.S. Hosts Manager from Bluetack Internet Security Solutions, HostsXpert from Funkytoad, and hpHosts. All five offer tools for editing, managing, and updating your list of URLs to avoid, although they lack HostsMan’s automaticity and other useful features.

Ad-blocking Hosts files aren’t the be-all and end-all of your malware woes. You still need a full arsenal of antivirus, antispyware, firewall, Flash blocking, and other security tools to keep your computer and your data safe.

Still, an additional layer of free protection is difficult to pass up. And when you have a tool like HostsMan to do the updating work for you, that’s more icing on the security cake.

Reader Ken Harthun will receive a gift certificate for a book, CD, or DVD of his choice for suggesting this topic. Send us your tips via the Windows Secrets contact page.

Scott Dunn is associate editor of the Windows Secrets Newsletter. He has been a contributing editor of PC World since 1992 and currently writes for the Here’s How section of that magazine.