Microsoft's security software modifies HOSTS file
Contributed by: Email on 08/21/2012 02:14 PM
[
Comments
]
Windows 8, set for release on 26 October, automatically deletes entries in the HOSTS file for specific domains. Try, for example, to prevent attempts to access Facebook.com, Twitter.com or ad servers such as ad.doubleclick.net by rerouting them to 127.0.0.1 by adding entries to the HOSTS file and the relevant entries will soon disappear from the HOSTS file as if by magic, leaving nothing but an empty line. The effect does not occur for other domains, however.
The agent behind this phenomenon turns out to be the Windows Defender security program, which is preinstalled and enabled by default on new installations of Windows. The cause quickly becomes clear on inspecting Defender's history, accessed from the start menu by entering "Defender" and clicking on the history tab. Defender is convinced it's uncovered a potentially malicious modification of the HOSTS file and thus records 'SettingsModifier:Win32/PossibleHostsFileHijack'. Microsoft Security Essentials (MSE) in older versions of Windows also takes care to reset entries for these domains. This is not particularly surprising, since Windows Defender in Windows 8 is essentially just a rebranded version of MSE.
Malware will in fact often create such erroneous entries in the HOSTS file in order to divert users to alternative servers when they attempt to access sites such as Facebook.com. These servers may play host to phishing sites that send user data entered on them to internet fraudsters. The removal of entries for ad servers, which many users utilise as a simple but effective ad blocker, may be down to the fact that malware also makes use of the HOSTS file to divert queries from legitimate advertising servers to their own servers. This enables fraudsters to display their own malicious ads on third-party web sites.
Users who resent being wrapped in cotton-wool like this and wish to continue to use the HOSTS file for the affected domains can add their HOSTS file (c:\windows\system32\drivers\etc\hosts) to MSE's or Windows Defender's exceptions list. The relevant setting can be found under "Settings, Excluded files and locations". Of course this also means that the anti-virus program will no longer detect any malicious modifications to the HOSTS file.
The agent behind this phenomenon turns out to be the Windows Defender security program, which is preinstalled and enabled by default on new installations of Windows. The cause quickly becomes clear on inspecting Defender's history, accessed from the start menu by entering "Defender" and clicking on the history tab. Defender is convinced it's uncovered a potentially malicious modification of the HOSTS file and thus records 'SettingsModifier:Win32/PossibleHostsFileHijack'. Microsoft Security Essentials (MSE) in older versions of Windows also takes care to reset entries for these domains. This is not particularly surprising, since Windows Defender in Windows 8 is essentially just a rebranded version of MSE.
Malware will in fact often create such erroneous entries in the HOSTS file in order to divert users to alternative servers when they attempt to access sites such as Facebook.com. These servers may play host to phishing sites that send user data entered on them to internet fraudsters. The removal of entries for ad servers, which many users utilise as a simple but effective ad blocker, may be down to the fact that malware also makes use of the HOSTS file to divert queries from legitimate advertising servers to their own servers. This enables fraudsters to display their own malicious ads on third-party web sites.
Users who resent being wrapped in cotton-wool like this and wish to continue to use the HOSTS file for the affected domains can add their HOSTS file (c:\windows\system32\drivers\etc\hosts) to MSE's or Windows Defender's exceptions list. The relevant setting can be found under "Settings, Excluded files and locations". Of course this also means that the anti-virus program will no longer detect any malicious modifications to the HOSTS file.
Comments
