Many users know a common problem: web pages being redirected in the web browser. Some of them can fix it, but others just run an antimalware application. That is reasonable, since antimalware applications can find the malware, but unfortunately this is not going to fix their problem. Why?
Because in most cases the cause of the redirection lies in a “flat file”. The “C:\WINDOWS\system32\drivers\etc\hosts” file is meant to act like a DNS server, and that is why a lot of malware uses it. In the past, the hosts file contained manually typed domain names and their IP addresses.
Today this file has almost no practical purpose, because DNS servers on the internet are the main domain name service. You can use it, for example, to block some websites, and exactly this function is commonly used by various malware to force browsers to redirect users to remote websites. That is the main reason why antimalware applications aren’t always enough: even after the malware is removed from your system, the tampered hosts file stays.
In its default settings, Windows gives the hosts file the highest priority. That means anything you type in the web browser is sent to Windows, which looks in the hosts file for a matching record. If the domain the user entered has an IP address in the hosts file, Windows tries to download the web page from that IP. In most cases there is no such record in the hosts file, so Windows sends a DNS query to the DNS server whose IP address it knows (through administrator configuration or the DHCP protocol). The DNS server sends the IP address related to the requested domain name back to the user’s computer.
A common process when you type a www address into the web browser and press Enter
But let’s say malware has attacked your computer and filled the hosts file with junk IP addresses. In that case Windows tries to download the web page from the IP address related to the domain in the hosts file.
What happens if your hosts file is tampered with by malware
If you would like to block a domain, just add the following line to the hosts file (IP_address domain):
hosts file in Windows
What happens if you block a website using the hosts file
If you now started the web browser and typed www.WinIntSoft.com, it would show an error, because the hosts file redirects the browser to 127.0.0.1, which stands for the local machine (the computer you are using).
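Because a tampered hosts file stays behind after the malware itself is removed, it is worth checking the file directly. The following is an added example, not code from the original article: it parses hosts-file text in the "IP_address domain" format and separates blocking entries (loopback or 0.0.0.0) from entries that redirect a name to another server. The sample file content and the names `parse_hosts` and `audit_hosts` are constructed for illustration.

```python
import ipaddress

# Names a stock hosts file may map to loopback (assumption for this example).
DEFAULT_NAMES = {"localhost"}

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each "IP_address domain" mapping."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # strip comment, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address, so not a mapping
        for name in fields[1:]:  # one line may carry several names
            yield line_no, ip, name.lower()

def audit_hosts(text):
    """Return (line_no, kind, hostname, ip) for every non-default entry."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name in DEFAULT_NAMES and ip.is_loopback:
            continue
        # Loopback or 0.0.0.0 makes the site unreachable (a block);
        # any other address sends the browser to a different server.
        kind = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
        findings.append((line_no, kind, name, str(ip)))
    return findings

# Constructed sample: default entries, the blocking entry the article
# describes, and a made-up redirect to a documentation-range address.
SAMPLE = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.WinIntSoft.com
203.0.113.10    www.example.com example.com   # constructed redirect
"""

if __name__ == "__main__":
    for line_no, kind, name, ip in audit_hosts(SAMPLE):
        print(f"line {line_no}: {name} -> {ip} ({kind})")
```

To check a real machine, pass the contents of C:\WINDOWS\system32\drivers\etc\hosts to `audit_hosts`; every "redirected" finding is an entry to verify or remove.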