Stealth Attack Types: Host File Redirection

Host file redirection is a stealth attack technique that rightfully falls into the ‘simple genius’ category.

Most computer users today are unaware of a Windows DNS-related file named Hosts. (You can find it on your own machine here: C:\Windows\System32\Drivers\Etc ) The ‘Hosts’ file acts somewhat like a local DNS server in that it contains a number of domain names and their corresponding IP addresses. It was originally created to reduce the number of times the PC had to go online to a DNS server to resolve a domain name to an IP address.

A domain name to IP address resolution looks something like this: www.amazon.com is 75.101.157.145. The 11-digit number is the unique numerical address that requests for Amazon are sent to. (That address is not a real amazon.com address; it is only an illustration.)

Think a bit like a hacker and you can see where this is going.

The hacker gains entry to the target’s machine via some sort of social engineering ploy and installs malware. The relatively simple malware writes to the ‘Hosts’ file, adding entries whose IP addresses take the user to a fake copy of the desired site. Instead of going to the real www.bankofamerica.com website, the rewritten Hosts file takes you to an address that serves a fake Bank of America website. Once there, you enter your login and password, handing them to the hacker. Within seconds an automated process then logs into your real bank account, drains it and wires the money to accounts in Russia or China.
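Because the Hosts file is plain text, the redirection described above is easy to spot once you know how the file is laid out: each active line is an IP address followed by one or more hostnames, and anything after `#` is a comment. The following Python script, an added example that is not part of the original post, parses that format and flags every entry that points a public hostname at an address other than loopback (the only mapping a stock Windows Hosts file contains). The sample file contents, the injected entries and the 192.0.2.x addresses (a documentation range) are all constructed for the example; the path constant is the location given in the post.

```python
"""Audit a Windows 'hosts' file for redirection entries.

Added example (not from the original post). It parses the hosts file format
(one 'IP hostname [alias ...]' entry per line, '#' starts a comment) and
flags entries that point a hostname anywhere other than the loopback
address, which is how the redirection described above shows up on disk.
All sample data below is constructed; 192.0.2.0/24 is a documentation range.
"""
import ipaddress
from typing import Dict, List, Tuple

# Default location on Windows, as given in the post.
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\Drivers\Etc\hosts"

# Hostnames that legitimately live in a hosts file (pointing at loopback).
ALLOWED_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample: a stock-looking file with two injected redirections.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 127.0.0.1       localhost
# ::1             localhost

127.0.0.1   localhost
192.0.2.10  www.bankofamerica.com bankofamerica.com   # injected (constructed)
192.0.2.11  www.amazon.com                           # injected (constructed)
0.0.0.0     ads.example.invalid                      # ad-block style entry
"""

Entry = Tuple[int, str, List[str]]  # (line number, ip, hostnames)


def parse_hosts(text: str) -> List[Entry]:
    """Return the active (non-comment) entries of a hosts file."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: an address with no hostname
        entries.append((lineno, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def classify_entry(ip_text: str, hostnames: List[str]) -> str:
    """Return 'ok', 'blackhole', 'redirect' or 'unparseable' for one entry."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unparseable"
    if ip.is_loopback:
        # Loopback is normal only for the usual local names; a public name
        # pointed at loopback is still an override worth reviewing.
        return "ok" if all(h in ALLOWED_LOOPBACK_NAMES for h in hostnames) else "redirect"
    if ip.is_unspecified:
        return "blackhole"  # 0.0.0.0 / :: blocks a name rather than redirecting it
    return "redirect"  # any other address for a public name is suspicious


def audit_hosts(text: str) -> List[Dict[str, object]]:
    """Return findings for every entry that is not a plain loopback mapping."""
    findings: List[Dict[str, object]] = []
    for lineno, ip_text, hostnames in parse_hosts(text):
        verdict = classify_entry(ip_text, hostnames)
        if verdict != "ok":
            findings.append({"line": lineno, "ip": ip_text, "hosts": hostnames, "verdict": verdict})
    return findings


def redirected_names(text: str) -> List[str]:
    """Hostnames the file would send to an address other than loopback."""
    return sorted(h for f in audit_hosts(text) if f["verdict"] == "redirect" for h in f["hosts"])


if __name__ == "__main__":
    # Audit the constructed sample; on a real machine read WINDOWS_HOSTS_PATH instead.
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']:>3}: {f['verdict']:<9} {f['ip']:<12} {' '.join(f['hosts'])}")
```

Running the script prints the two injected bank and shopping entries as `redirect` and the ad-block style entry as `blackhole`; a clean Windows Hosts file produces no findings at all, which makes the same check useful as a periodic integrity test on endpoints.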
