Felburg, posted April 13, 2010 (ID:231943):

I would like to see a tool within Malwarebytes that will clean up and/or repair a hacked/hijacked hosts file.
TeMerc (Staff), posted April 13, 2010 (ID:231992):

Hi. This is something we've looked into, but not sure if or when we'll get it added to the application. Maybe one of the developers can offer more clarity.
Firefox, posted April 13, 2010 (ID:232153):

Good suggestion, but will it be able to identify changes I made to my hosts file without thinking it was a hijack?
TeMerc (Staff), posted April 13, 2010 (ID:232298):

> Good suggestion, but will it be able to identify changes I made to my hosts file without thinking it was a hijack?

Far too soon in planning to even address as yet. I'm not even sure whether development has commenced.
exile360, posted April 14, 2010 (ID:232313):

In my opinion, if a HOSTS file has been hijacked by malware it should just be reset to default, which can be done by replacing it (Microsoft also has an automated "Fix it" tool to do this), even if it's a custom ad/malware-blocking HOSTS file, because MBAM or any other scanner might miss some malicious entries in a large HOSTS file or might misinterpret some of the legitimate entries as malicious.
Marcus, posted April 14, 2010 (ID:232327):

I normally keep a couple of copies of the default hosts file for my system in separate places just for that purpose. There are only two entries for Vista, which kinda makes it easy to see what's there! No place for bad redirects to hide amongst all that white space!
Ibrad, posted April 14, 2010 (ID:232674):

> Good suggestion, but will it be able to identify changes I made to my hosts file without thinking it was a hijack?

A few other companies have made it so that it only detects malicious changes, so it's possible.
Felburg (Author), posted April 14, 2010 (ID:232678):

> In my opinion, if a HOSTS file has been hijacked by malware it should just be reset to default, which can be done by replacing it (Microsoft also has an automated "Fix it" tool to do this), even if it's a custom ad/malware-blocking HOSTS file, because MBAM or any other scanner might miss some malicious entries in a large HOSTS file or might misinterpret some of the legitimate entries as malicious.

That's what I am thinking as well. I just want to see a simple one-click option within MBAM to reset the hosts file back to default. Also, I think it would be good if MBAM scanned the hosts file during a full scan to check for inconsistencies. Most people don't even think to check their hosts file after cleaning up a malware infection.
YoKenny1, posted April 14, 2010 (ID:232714):

I do not want MBAM tinkering with my HOSTS file, as I manage it myself and know if it has been tinkered with, because WinPatrol on my XP Pro system warns me when it has been changed. If MBAM were to scan my HOSTS file for inconsistencies it would take a very long time. There are several reputable sources for HOSTS file updates, so how would MBAM know what sources I use for the HOSTS file and whether they are reputable or not?
DarkSnakeKobra, posted April 14, 2010 (ID:232794):

> There are several reputable sources for HOSTS file updates, so how would MBAM know what sources I use for the HOSTS file and whether they are reputable or not?

The only thing I can think of is checking against the IP Blocker.
Ibrad, posted April 14, 2010 (ID:232799):

> There are several reputable sources for HOSTS file updates, so how would MBAM know what sources I use for the HOSTS file and whether they are reputable or not?

Using heuristics: why would malware change your hosts file to 1 MB+ in size? It would normally only make a few changes. If the MBAM devs were to figure out how many sites malware tries to block via hosts files, then figure out how big those changes are, they could write a malware pattern file to detect whether malware changed the hosts file. Well, that's how I would do it. Most malware I have seen only makes 10-30 changes to your hosts file.
DarkSnakeKobra, posted April 14, 2010 (ID:232803):

@Ibrad: Not a bad idea. However, malware writers are unpredictable, and that could vary on multiple occasions. Making a pattern would prove to be a major challenge. I'm not sure that would be an effective way to do it.
Ibrad, posted April 14, 2010 (ID:232812):

True, it may solve the problem for a while, but it won't solve it in the long run.
mountaintree16, posted April 14, 2010 (ID:232944):

Personally, I would not like MBAM to detect my HOSTS file alterations, simply because I alter it myself with a HOSTS file manager. Also, Kaspersky gives me several pop-ups each day alerting me to the fact that my HOSTS file has changed. I appreciate it, and it is useful for the average user who may have no clue, but I find it annoying. The only reason I find it annoying, though, is because I made the changes and I want it that way. At least I don't have it auto-fix it anymore, hehe. That being said, it could be useful for those whose HOSTS file has been altered by malware to block them from updating their AV and AM software and prevent them from going to AV and security websites.
YoKenny1, posted April 14, 2010 (ID:232948):

> The only thing I can think of is checking against the IP Blocker.

Where do you think the IPs come from? Maybe a clue will help that comes from the source of many of the IP blocks?

@Ibrad: The key is to monitor when the HOSTS file changes and prevent unauthorised changes, and on XP WinPatrol is good: http://www.winpatrol.com/options.html
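The change-monitoring approach YoKenny1 describes (WinPatrol warning when the HOSTS file changes) can be reproduced with a baseline snapshot and a comparison. The following is an added example, not WinPatrol's or Malwarebytes' code and not from this thread: it records a whole-file hash plus the set of active mappings, then reports whether the file changed and which mappings were added or removed. The BEFORE and AFTER files are constructed samples; the hijack entries in AFTER are illustrative, not taken from any real infection.

```python
"""Added example: integrity-monitor a HOSTS file by snapshotting a hash and its
active entries, then diffing the live file against the snapshot."""
import hashlib

# Constructed samples. BEFORE is a user's small ad-block list; AFTER is the same file
# after an (illustrative) hijack appended two lines.
BEFORE = (
    "127.0.0.1       localhost\n"
    "::1             localhost\n"
    "0.0.0.0         ads.example.net      # user's own block entry\n"
)
AFTER = BEFORE + (
    "127.0.0.1       www.malwarebytes.org # illustrative: vendor site blocked\n"
    "203.0.113.7     www.paypal.com       # illustrative: redirect to attacker IP\n"
)


def active_entries(text):
    """Set of non-comment, non-blank HOSTS lines with whitespace normalised."""
    entries = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            entries.add(" ".join(fields))
    return entries


def baseline(text):
    """Snapshot of the file. Store it where malware with write access to the HOSTS
    file cannot also rewrite it (another account, a signed note, offline)."""
    return {"sha256": hashlib.sha256(text.encode("utf-8")).hexdigest(),
            "entries": active_entries(text)}


def check(snapshot, current_text):
    """Compare the live file against the snapshot.

    Returns (changed, added, removed). `changed` is True on any byte change, so a
    comment-only edit reports changed=True with empty added/removed sets; the sets
    tell you whether any actual name-to-address mapping moved.
    """
    digest = hashlib.sha256(current_text.encode("utf-8")).hexdigest()
    if digest == snapshot["sha256"]:
        return False, set(), set()
    now = active_entries(current_text)
    return True, now - snapshot["entries"], snapshot["entries"] - now


if __name__ == "__main__":
    snap = baseline(BEFORE)
    changed, added, removed = check(snap, AFTER)
    print("changed:", changed)
    for entry in sorted(added):
        print("  added  :", entry)
    for entry in sorted(removed):
        print("  removed:", entry)
```

This detects tampering after the fact; it does not block the write the way a resident monitor prompting for approval does, and it only tells you that an entry is new, not whether it is malicious. On a real system the file to snapshot is %SystemRoot%\System32\drivers\etc\hosts.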
DarkSnakeKobra, posted April 15, 2010 (ID:232964):

@YoKenny1: I wasn't thinking straight on that. How about this: MBAM should have a list of known safe addresses, then check the hosts file to see if they are blocked/redirected to different/malicious sites. Then have MBAM create backups or fix/restore the correct addresses.
exile360, posted April 15, 2010 (ID:232974):

> MBAM should have a list of known safe addresses, then check the hosts file to see if they are blocked/redirected to different/malicious sites.

Many AVs (Kaspersky and Norton come to mind as examples I'm certain of) already do this. Parsing a large HOSTS file (for example, one where a tool like HostsMan has been used to add entries, or Spybot, Spy Sweeper, etc.) would require a lot of CPU to check all those entries and dramatically increase scan times. As for how malware does it, I haven't seen any HOSTS file hijacks in at least a couple of years; most infections that block downloads/sites are doing so through other means, such as DNS hijacks, which completely bypass the HOSTS file (MBAM already detects these, by the way).
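Ibrad's heuristic (malware adds only a handful of entries, aimed at vendor and update sites) and DarkSnakeKobra's watch-list idea (check whether known-good names are blocked or redirected) can be combined into one scan that leaves a large ad-blocking list alone, and Felburg's one-click reset can be a backup-then-overwrite. The following is an added example, not code from this thread or from Malwarebytes. WATCHED_DOMAINS is an assumed, illustrative watch-list, the "stock" file written by reset_hosts() is modelled on the two-entry Vista file Marcus mentions, and SAMPLE_HOSTS is a constructed file, not a real infection.

```python
"""Added example: scan a Windows-style HOSTS file for hijack-like entries without
flagging ordinary ad-block entries, and reset it to a stock file after a backup."""
import ipaddress
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

# Assumed watch-list: names HOSTS hijacks typically block (vendor/update sites) or
# redirect (banking, search). Illustrative only; a real tool would ship a curated list.
WATCHED_DOMAINS = ("malwarebytes.org", "microsoft.com", "windowsupdate.com",
                   "kaspersky.com", "symantec.com", "google.com", "paypal.com")

# Addresses a legitimate ad/malware-blocking HOSTS file points names at.
BLACKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}

# Content written by reset_hosts(); modelled on the two-entry Vista default (assumed).
DEFAULT_HOSTS = ("# HOSTS file reset to defaults (example)\n"
                 "127.0.0.1       localhost\n"
                 "::1             localhost\n")

# Constructed sample: ad-block lines, two blocking hijacks, one redirect hijack,
# a user's own LAN entry and a malformed line. Line numbers are 1-based.
SAMPLE_HOSTS = "\n".join([
    "# constructed sample, not a real infected file",                   # 1
    "127.0.0.1       localhost",                                         # 2
    "::1             localhost",                                         # 3
    "0.0.0.0         ads.example.net        # HostsMan-style block",     # 4
    "0.0.0.0         tracker.example.org",                               # 5
    "127.0.0.1       www.malwarebytes.org   # hijack: vendor blocked",   # 6
    "127.0.0.1       update.microsoft.com   # hijack: updates blocked",  # 7
    "203.0.113.7     www.paypal.com         # hijack: redirected",       # 8
    "192.168.1.10    nas.home               # user's own LAN entry",     # 9
    "notanip         bogus.example",                                     # 10
]) + "\n"


def _watched(host):
    """True if host is a watched domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def parse_hosts(text):
    """Yield (lineno, address, [hostnames]) for each active mapping line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield lineno, fields[0], fields[1:]


def scan_hosts(text):
    """Return (entry_count, findings); each finding is (lineno, kind, host, address).

    Kinds: 'hijack-block' (watched name sent to a blackhole address),
    'hijack-redirect' (watched name sent to a real address), 'custom' (unwatched
    name sent to a real address; informational, e.g. a LAN host) and 'malformed'.
    Unwatched names sent to a blackhole are treated as ad-block entries and not
    reported, so a 1 MB HostsMan-style file yields no noise.
    """
    findings, count = [], 0
    for lineno, addr, hosts in parse_hosts(text):
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            findings.append((lineno, "malformed", " ".join(hosts), addr))
            continue
        for host in hosts:
            count += 1
            if addr in BLACKHOLE_IPS:
                if _watched(host):
                    findings.append((lineno, "hijack-block", host, addr))
            elif _watched(host):
                findings.append((lineno, "hijack-redirect", host, addr))
            else:
                findings.append((lineno, "custom", host, addr))
    return count, findings


def reset_hosts(path, backup_dir):
    """Back up `path` into `backup_dir` with a timestamp, then write DEFAULT_HOSTS.
    On a real system `path` is %SystemRoot%\\System32\\drivers\\etc\\hosts and the
    process needs administrator rights to write it."""
    path, backup_dir = Path(path), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    backup = backup_dir / f"hosts.{datetime.now():%Y%m%d-%H%M%S}.bak"
    shutil.copy2(path, backup)
    path.write_text(DEFAULT_HOSTS)
    return backup


def demo_reset(sample=SAMPLE_HOSTS):
    """Round-trip reset_hosts() in a temp dir; returns (backup_intact, post_reset_scan)."""
    with tempfile.TemporaryDirectory() as tmp:
        hosts = Path(tmp) / "hosts"
        hosts.write_text(sample)
        backup = reset_hosts(hosts, Path(tmp) / "backups")
        return backup.read_text() == sample, scan_hosts(hosts.read_text())


if __name__ == "__main__":
    total, found = scan_hosts(SAMPLE_HOSTS)
    print(f"{total} mappings scanned, {len(found)} findings")
    for lineno, kind, host, addr in found:
        print(f"  line {lineno}: {kind:16} {host} -> {addr}")
    print("reset round-trip:", demo_reset())
```

The scan's cost is one pass over the file with a set lookup per entry, so a large block list is cheap to check; what it cannot do is decide whether a 'custom' entry such as a LAN host is legitimate, which is exactly the false-positive problem Firefox and YoKenny1 raise. The reset path keeps a timestamped backup so a user's own list can be restored once the bad lines are removed.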
DarkSnakeKobra, posted April 15, 2010 (ID:232978):

> As for how malware does it, I haven't seen any HOSTS file hijacks in at least a couple of years; most infections that block downloads/sites are doing so through other means, such as DNS hijacks, which completely bypass the HOSTS file (MBAM already detects these, by the way).

@exile360: Well, that's good. I use OpenDNS now for extra protection. It seems to block ads.
exile360, posted April 15, 2010 (ID:232984):

DNS hijacks can often be seen in HijackThis logs (and other tools). In HijackThis they show up as O17 entries (keep in mind that just because such an entry exists, it does not mean that it's malicious). More info can be found here.
DarkSnakeKobra, posted April 15, 2010 (ID:232989):

> DNS hijacks can often be seen in HijackThis logs (and other tools). In HijackThis they show up as O17 entries (keep in mind that just because such an entry exists, it does not mean that it's malicious). More info can be found here.

Yep, I know. Definitely gotta know that for my training at geekstogo.
exile360, posted April 15, 2010 (ID:233083):

I figured you knew that; I was primarily posting it for others who might be reading this thread, so they could get a basic understanding of what we were referring to.
DarkSnakeKobra, posted April 15, 2010 (ID:233236):

> I figured you knew that; I was primarily posting it for others who might be reading this thread, so they could get a basic understanding of what we were referring to.

Gotcha.
Felburg (Author), posted April 15, 2010 (ID:233328):

At the very least, there should be an option under the "More Tools" tab to reset the hosts file back to default. I am only thinking about the users that don't know anything about the hosts file.
DarkSnakeKobra, posted April 15, 2010 (ID:233337):

> At the very least, there should be an option under the "More Tools" tab to reset the hosts file back to default. I am only thinking about the users that don't know anything about the hosts file.

I'm not sure that's really necessary. Many people here use SpywareBlaster, which creates backups of the hosts file. If used correctly, it can restore the original file.
Felburg (Author), posted April 15, 2010 (ID:233432):

> I'm not sure that's really necessary. Many people here use SpywareBlaster, which creates backups of the hosts file. If used correctly, it can restore the original file.

What does SpywareBlaster do that MBAM won't do? I'm thinking of it as a way to ensure everything is clean and the way it should be.