HOSTS Modification Targets Ad Servers
This past Tuesday, antivirus vendor BitDefender issued an alert warning of Trojan.QHost.WU, yet another Trojan that modifies the local HOSTS file to redirect web requests to unanticipated sites. At ScanSafe, we process over 7 billion web requests a month, yet we've seen only a single instance of a malicious redirect resulting from QHost.WU (today, on December 20th).
Interestingly, the maliciously redirected IP address is hosted in The Netherlands. According to our OI data, the Netherlands is one of the top 5 countries hosting malicious web sites worldwide. A large number of the Netherlands' malware hosting sites are affiliated with rogue antispyware scanners.
Generally it is the antivirus vendor sites that are targeted by malicious redirects via the HOSTS file. Malware authors use this technique to prevent access to antivirus updates and information.
What is the HOSTS file?
The Internet DNS system provides a transparent means of resolving domain names to IP addresses. In some cases, however, a user may wish to override the DNS and establish fixed resolution locally. To do so, they simply modify their local HOSTS file - the first place Windows checks when attempting to resolve a domain name.
The HOSTS file contains a list of domain names correlated to their corresponding IP address. The default entry establishes the IP of the local loopback address as follows:
127.0.0.1 localhost
The location of the HOSTS file is dependent on the operating system:
Windows Vista/XP/NT - %windir%\system32\drivers\etc
Windows 9x - %windir%
You can view the content of the HOSTS file by using Notepad or any other text editor.
Setting the attribute for the HOSTS file to read-only can help ward off unintended or malicious modifications. Note that some malware can clear this attribute, write its changes, then set the file back to read-only. It's a good idea to periodically check the contents of your local HOSTS file, even if you've locked it down by setting it to read-only access.
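The periodic check above is easy to script. The following is an added example, not code from the original post or from ScanSafe: it parses HOSTS-file syntax (comments, blank lines, several hostnames per address line) and labels each entry as a default loopback mapping, a sinkhole (a name sent to 127.0.0.1 or 0.0.0.0), a redirect to a remote address, or a malformed line. A small watch list of vendor domains is assumed here; bitdefender.com is the vendor named in the post and av-vendor.example is a placeholder. The sample file and the 203.0.113.0/24 addresses are constructed for illustration.

```python
"""Parse a HOSTS file and flag entries that block or redirect hostnames.
Added example, not code from the original post. The watch list and the
sample file below are constructed for illustration."""
import ipaddress
from typing import List, NamedTuple

# Constructed watch list: domains whose redirection is a red flag. The post
# notes antivirus vendor sites are the usual targets; bitdefender.com is the
# vendor named in the post, the other entry is a placeholder.
WATCHED_DOMAINS = ("bitdefender.com", "av-vendor.example")

# Names that legitimately map to the loopback address in a default file.
DEFAULT_LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


class HostsEntry(NamedTuple):
    line_no: int
    ip: str
    hostname: str


class Finding(NamedTuple):
    line_no: int
    ip: str
    hostname: str
    verdict: str


def parse_hosts(text: str) -> List[HostsEntry]:
    """Return one entry per (address, hostname) pair, ignoring comments and
    blank lines. A single line may list several hostnames after the address."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not body:
            continue
        fields = body.split()
        address, names = fields[0], fields[1:]
        for name in names:
            entries.append(HostsEntry(line_no, address, name.lower()))
    return entries


def is_watched(hostname: str) -> bool:
    """True if the hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def classify(entry: HostsEntry) -> str:
    """Label an entry: 'default' (loopback names), 'malformed' (bad address),
    'vendor-blocked' / 'vendor-redirected' (watched domain sent to loopback
    or to a remote host), 'sinkhole' (other name sent to loopback/0.0.0.0)
    or 'redirect' (other name sent to a remote address)."""
    try:
        addr = ipaddress.ip_address(entry.ip)
    except ValueError:
        return "malformed"
    points_nowhere = addr.is_loopback or addr.is_unspecified
    if entry.hostname in DEFAULT_LOCAL_NAMES and points_nowhere:
        return "default"
    if is_watched(entry.hostname):
        return "vendor-blocked" if points_nowhere else "vendor-redirected"
    return "sinkhole" if points_nowhere else "redirect"


def audit_hosts(text: str) -> List[Finding]:
    """Every non-default entry, so a periodic check can diff against a baseline."""
    findings = []
    for entry in parse_hosts(text):
        verdict = classify(entry)
        if verdict != "default":
            findings.append(Finding(entry.line_no, entry.ip, entry.hostname, verdict))
    return findings


# Constructed sample HOSTS content. 203.0.113.0/24 is a documentation range,
# used here as a stand-in for a remote address an entry might point to.
SAMPLE_HOSTS = """\
# Default entries
127.0.0.1       localhost
::1             localhost
# Entries of the kind the post describes: vendor sites blocked, a site redirected
127.0.0.1       www.bitdefender.com  update.av-vendor.example
203.0.113.5     www.example-bank.test
0.0.0.0         ads.example
bogus-address   www.example.org
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.hostname} -> {f.ip} [{f.verdict}]")
```

Run it against the real file (read `%windir%\system32\drivers\etc\hosts` instead of the sample text) and keep the list of findings from a known-good machine as a baseline; anything new in the 'vendor-*' or 'redirect' classes deserves a look. Sinkhole entries are ambiguous on their own, since ad-blocking lists use the same technique, so the watch list is what separates a blocked ad server from a blocked antivirus update site.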

Mary Landesman