CyberScout

What You Need to Know About Hosts File Hijacks


DNS servers aren’t the only way that domain names are translated to IP addresses: a single, easily edited file on Windows, Mac, and Linux computers, as well as iOS and Android devices, can control DNS entries at a local level.

The hosts file is a simple local text file that operating systems use to tell individual machines how to route their traffic. System administrators commonly use it to connect employees to resources within a company intranet and to block websites and services that don’t comply with company policies, and web developers use it to test a site in production.

It’s also a common target for malware and hacking campaigns.

A typical hosts file entry is straightforward, e.g.:

172.217.5.238 asitethatisnotgoogle.com

This single line tells a computer to send a visitor requesting asitethatisnotgoogle.com to 172.217.5.238, which is Google’s primary IP address.

For a system administrator, it's an easy means of controlling and redirecting traffic within a company network, but in the hands of a hacker, it's a powerful tool with minimal visibility to their target.

Malware will often target hosts files and rewrite them to add malicious entries; the hack can also be performed by anyone with access to an unattended computer or device, and it can be completed in a few moments. Once compromised, a hosts file can redirect any outgoing internet traffic from a machine, including web page requests and email communications, all without any visibility to the victim.

One common method used by hackers is to block network connections to antivirus or other security software updates, effectively disabling a target computer's defenses.
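The two abuses described above, redirecting traffic and blocking security updates, both leave visible entries in the hosts file, so a short audit script can surface them. The following is an added example, not code from the original article; the watched domain names and all sample entries other than the article's own example line are constructed placeholders.

```python
import ipaddress

# Assumption: names this machine must always resolve through real DNS
# (security-update hosts, mail). Placeholder names, not real vendors.
WATCHED = {"update.av-vendor.example", "mail.corp.example"}

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0].split("%")[0])  # strip IPv6 zone id
        except ValueError:
            continue  # not a valid address, so not a usable mapping
        for name in fields[1:]:  # one line may map several names
            yield n, ip, name.lower().rstrip(".")

def audit(text, watched=WATCHED):
    """Return findings as (line_no, hostname, ip, reason)."""
    findings = []
    for n, ip, name in parse_hosts(text):
        sinkhole = ip.is_loopback or ip.is_unspecified
        is_watched = any(name == d or name.endswith("." + d) for d in watched)
        if is_watched and sinkhole:
            findings.append((n, name, str(ip), "watched domain blocked"))
        elif is_watched:
            findings.append((n, name, str(ip), "watched domain overridden"))
        elif ip.is_global and "." in name:
            findings.append((n, name, str(ip), "public name pinned to public IP"))
    return findings

# Constructed sample: stock entries, an intranet entry, two suspicious
# entries, and the article's own example line.
SAMPLE = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
10.0.0.12   wiki.intranet        # admin-added intranet entry
0.0.0.0     update.av-vendor.example   # blocks security updates
203.0.113.7 mail.corp.example
172.217.5.238 asitethatisnotgoogle.com
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

To check a real machine, pass the contents of its hosts file to `audit()` and compare the findings against the entries administrators are known to have added.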