With the recent release of Windows 7 in October 2009, it is imperative for security professionals to continue to understand and be aware of areas that could impact the security of a computer system. In this article we will look at the hosts file and how it appears/used in Windows 7.
What is a "hosts" file?
Before we get too far, we need to make sure we are all on the same page. What is a "hosts" file? A "hosts" file in Windows 7, or other versions of the Windows operating system, like Windows 2000, XP, and Vista, is simply a text file containing IP (Internet Protocol) address to host name mappings. Your computer checks this file first to resolve any network names to its corresponding IP address before it tries to check the Internet.
To get a better understanding of it and its relation to computer security, we'll cover the following areas:
- hosts file location and content
- how to use it
- typical malicious use
Hosts file location and content
The "hosts" file is typically located at c:\windows\system32\drivers\etc. The file name is "hosts". Notice that it has no file extension.
In Windows 7, the location hasn't changed. The file contains some comments (lines preceded by the "#" character) explaining what the file is and how entries should be formatted, and a couple of mappings for the localhost as follows:
- 127.0.0.1 localhost
- ::1 localhost
The IP address 127.0.0.1 is the IP version 4 address for the name "localhost".
The IP address ::1 is the IP version 6 address for the same name--"localhost".
How to use the "hosts" file
Most computer users don't have to deal with the "hosts" file, but if you have a lot of computers in your home network, and you set them up to use particular IP addresses, then using their IP addresses to access them can get tiring. Through the hosts file, you can assign names to the IP addresses of your computers.
By editing the "hosts" file, you can simply add one line per IP address-name mapping--making sure the first character of the IP address starts at the very first position of the line and the IP address is followed by at least one space before the hostname specification. Comments can be added to each mapping by following the hostname specification with at least one space, the "#" character, and the comment. For example: 192.168.0.10 mywebserver #this is my webserver.
Typical Malicious Use
Since the "hosts" file is the first place the computer checks for hostname to IP address mapping, it just makes sense that malware would hack it to wreck havoc on a user's ability to navigate the Internet.
For example, some malicious code could change the hosts file so that one could end up going to a spoofed site that would allow malicious hackers to steal personal or financial data. This could happen and users would not know any better. Banks and PayPal web sites are often spoofed.
Another example is if the hosts file was used to keep one from reaching legitimate web sites. This is relatively easy. For instance, one could be blocked from going to ebay.com if an IP address to hostname mapping like "127.0.0.1 ebay.com" was added to the hosts file.
There are probably many other ways the hosts file can be maliciously used. However, here's the good news for Windows 7 users: changes can easily be done through various means on Windows XP, but in Windows 7 (and in Vista), one needs to get elevated administrative rights to make changes to the hosts file.
In Windows 7, the location of the hosts file hasn't changed. The hosts file is where the computer checks first to find name to IP address mappings. You can use the hosts file to make it easy for you to identify your home computers with names instead of IP addresses. Lastly, the hosts file is often targeted by hackers to wreck havoc on your computer and to steal your personal and financial data.