Protecting the HOSTS File

What is the HOSTS file?

Spyware
Photo © T. Wilcox

The HOSTS file is the virtual equivalent of the phone company's directory assistance. Where directory assistance matches a person's name to a phone number, the HOSTS file maps domain names to IP addresses. Entries in the HOSTS file override DNS entries maintained by the ISP. By default 'localhost' (i.e. the local computer) is mapped to 127.0.0.1, known as the loopback address. Any other entries pointing to this 127.0.0.1 loopback address will result in a 'page not found' error. Conversely, entries can cause a domain address to be redirected to a completely different site, by pointing to an IP address that belongs to a different domain. For example, if an entry for google.com pointed to an IP address belonging to yahoo.com, any attempt to access www.google.com would result in a redirect to www.yahoo.com.

Malware authors are increasingly using the HOSTS file to block access to antivirus and security websites. Adware may also impact the HOSTS file, redirecting access to gain affiliate page view credit or to point to a booby-trapped website that downloads further hostile code.

Fortunately, there are steps you can take to prevent unwanted modifications to the HOSTS file. Spybot Search & Destroy includes several free utilities that will not only block changes to the HOSTS file, but can also protect the Registry from unauthorized changes, enumerate startup items for quick analysis, and block known bad ActiveX controls or alert on unknown ones.

Spybot Search and Destroy: Advanced Mode

Spybot Advanced Mode.

If you do not already have a copy of Spybot Search and Destroy, this free (for personal use) spyware scanner can be downloaded from http://www.safer-networking.org. After downloading and installing Spybot, continue with the steps below.

  1. Open Spybot Search & Destroy
  2. Click Mode
  3. Click Advanced Mode. Note that you will receive an alert warning that the advanced mode of Spybot contains more options, some of which can do harm if used improperly. IF YOU DO NOT FEEL COMFORTABLE, DO NOT CONTINUE WITH THIS TUTORIAL. Otherwise, click Yes to continue on to Advanced Mode.

Spybot Search and Destroy: Tools

Spybot Tools menu.

Now that Advanced Mode has been enabled, look on the bottom left side of the Spybot interface and you should see three new options: Settings, Tools, Info & License. If you do not see these three options listed, go back to the previous step and re-enable Advanced Mode.

  1. Click the 'Tools' option
  2. A screen similar to the following should appear:

Spybot Search and Destroy: HOSTS file viewer

Spybot HOSTS file viewer.

Spybot Search & Destroy makes it simple for even the most novice user to guard against unauthorized HOSTS file changes. However, if the HOSTS file has already been tampered with, this lockdown could prevent other protection from reversing the unwanted entries. Thus, before locking down the HOSTS file, first make sure there are no unintended entries currently present. To do so:

  1. Locate the HOSTS file icon in the Spybot Tools window.
  2. Select the HOSTS file icon by clicking it once.
  3. A screen similar to the one below should appear.
  4. Note that the localhost entry pointing to 127.0.0.1 is legitimate. If there are any other entries shown that you do not recognize or did not authorize, you will need to correct the HOSTS file before continuing with this tutorial.
  5. Assuming no suspicious entries were found, proceed to the next step in this tutorial.
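The same check can be scripted. The following is an added example, not part of the original tutorial or of Spybot: it parses HOSTS-format text and reports every entry other than the default localhost mapping, separating names sinkholed to loopback from names redirected to another address. The allow-list, function names and sample entries are assumptions made for illustration.

```python
import ipaddress

# Default mappings a clean HOSTS file may contain (assumption for this example).
ALLOWED = {("127.0.0.1", "localhost"), ("::1", "localhost")}

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in HOSTS-format text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                            # not a valid mapping line
        for name in fields[1:]:                 # one line may list several names
            yield line_no, ip, name.lower()

def audit_hosts(text):
    """Return findings for every entry other than the default localhost mapping."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if (ip, name) in ALLOWED:
            continue
        addr = ipaddress.ip_address(ip)
        # Loopback or 0.0.0.0 makes the name unreachable; any other address
        # sends traffic for that name to a different machine.
        kind = "blocked" if addr.is_loopback or addr.is_unspecified else "redirected"
        findings.append((line_no, kind, name, ip))
    return findings

# Constructed sample; the names and the 203.0.113.x address are reserved for documentation.
SAMPLE = """\
# Sample HOSTS file
127.0.0.1       localhost
127.0.0.1       update.av-vendor.example   www.av-vendor.example
203.0.113.10    search.example   # unexpected redirect
"""

if __name__ == "__main__":
    for line_no, kind, name, ip in audit_hosts(SAMPLE):
        print(f"line {line_no}: {name} is {kind} via {ip}")
```

On Windows the file to read is `%SystemRoot%\System32\drivers\etc\hosts`; pass its contents to `audit_hosts` in place of the sample.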

Spybot Search and Destroy: IE Tweaks

Spybot IE Tweaks.

Now that you've determined the HOSTS file contains only authorized entries, it's time to let Spybot lock it down to prevent any unwanted changes.

  1. Select the IE Tweaks option
  2. In the resulting window (see sample screenshot below), select 'Lock Hosts file read-only as protection against hijackers'.

That's it as far as locking the HOSTS file goes. However, Spybot can also provide some valuable prevention with just a few more tweaks. Be sure to check out the next two steps for using Spybot to lock down the system Registry and manage your startup items.

Spybot Search and Destroy: TeaTimer and SDHelper

Spybot TeaTimer & SDHelper.

Spybot's TeaTimer and SDHelper tools can be used alongside existing antivirus and antispyware solutions.

  1. From the left side of the Advanced Mode | Tools window, select 'Resident'
  2. Under 'Resident Protection Status' select both options:
    • 'Resident "SDHelper" [Internet Explorer bad download blocker] active'
    • 'Resident "TeaTimer" [Protection of overall system settings] active'
  3. Spybot will now guard against unauthorized modifications to pertinent Registry and startup vectors, as well as prevent unknown ActiveX controls from being installed. Spybot Search & Destroy will prompt for user input (i.e. Allow/Disallow) when unknown modifications are attempted.

Spybot Search and Destroy: System Startup

Spybot System Startup.

Spybot Search and Destroy lets you easily see which items load when Windows starts.

  1. From the left side of the Advanced Mode | Tools window, select 'System Startup'
  2. You should now see a screen similar to the sample shown below, that lists startup items specific to your PC.
  3. To prevent unwanted items from loading, remove the checkmark next to the corresponding entry in Spybot's list. Use caution and only remove those items you are certain are not necessary for the normal operation of the PC and desired programs.