21 Aug 2012

HOSTS File Hijacking Becomes Impossible in Windows 8


The upcoming operating system from Redmond-based Microsoft takes system protection one step further with the introduction of a technology to detect illegal changes to the HOSTS file.

The HOSTS file is a plain-text file with no extension that serves only to assist the human user in pinpointing domain names to specific IPs. Whenever a domain name is associated to an IP address, the operating system skips the DNS check and relies on the URL and IP address it finds in the HOSTS file.

This behavior has been severely abused by malware in the past 10 years to change popular destinations such as banks, social networks or e-mail services to servers hosting phishing pages. The same technique has been used to block access to security solutions by routing their URLs to localhost (

Microsoft’s take on HOSTS file poisoning in Windows 8 was the implementation of a specialized routine in Windows Defender that analyzes the contents of the HOSTS file and deletes entries thought to be malicious. Some antivirus solutions also monitor changes in the HOSTS file, since it is regarded as a critical file of the operating system.

Windows 8 is expected to hit the shelves on Oct. 26. Apart from declaring war on URL hijacking, the upcoming operating system features the Early Launch Anti-Malware (ELAM) mechanism that allows the antivirus to initiate before any third-party application, minimizing the window of opportunity for rootkit-based malware.