Windows uses a plain-text file, HOSTS, found in %systemroot%\system32\drivers\etc, to pre-define network names for particular network addresses. By default, the only entry in the HOSTS file is localhost, which is set to 127.0.0.1 and used for local loopback. Administrators or users can place their own name/address pairs in HOSTS, and this will allow the system to default to that IP address for that network name at all times. This saves the time involved for a DNS lookup, and cuts down on traffic to the DNS server. Entries in HOSTS can be local network machines (especially if they have fixed addresses that rarely change), or Internet addresses (which also rarely change).
However, one of the hazards of the HOSTS file is that spyware, viruses, worms, or Trojan applications can hijack it. The file is not encrypted or secured -- it's simply a text file -- and its default permissions allow a program to change it freely. Quite a few programs "in the wild" perform unscrupulous network name hijacking by rewriting HOSTS -- for instance, by redirecting all calls to many common websites to an advertising site. There are far worse things that can be done, such as redirecting sensitive information. You can imagine the disaster that such an exploit could cause.
But it's easy to stop this sort of thing: Set the HOSTS file to read-only. Open the containing folder, right-click on the file, select Properties,
Note that if you plan to make deliberate changes to HOSTS, be sure to unprotect it before doing so.
Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check out his Windows 2000 blog for his latest advice and musings on the world of Windows network administrators – please share your thoughts as well!
This was first published in August 2003