CSP-CERT® Resources:
Protecting one’s self from malware using hosts file

by CSP-CERT® Blue Team
posted March 2018



In this article, we will see how the hosts file can be used to protect ourselves from malware hosted on malicious domains and from advertisement networks.

The “hosts” file is a text file stored on a computer that maps IP addresses to host names, one mapping per line, and is consulted before DNS (Domain Name System) when a domain name is resolved.

Editing the hosts file in Windows

To start editing the hosts file, we need to run Notepad as Administrator.

  • Left Click on the start button
  • Left Click on Windows Accessories
  • Right Click on Notepad
  • Run as Administrator

Next, we need to open the hosts file, which is stored at the following path:


C:\Windows\System32\drivers\etc\hosts


By default, the Windows hosts file contains the following:



We can modify the hosts file to redirect a hostname or domain to a specific IP.

We can also use the hosts file to “Sinkhole” or “Block” a domain – that is, to redirect the domain to an IP address that is not routable, so that connections to it fail and access is prevented.

In this example, we will be sinkholing www.google.com.ph by adding the following entry in the hosts file and saving it:


0.0.0.0 www.google.com.ph


Since www.google.com.ph has been sinkholed / blocked via the hosts file, attempting to access it with any web browser will yield the following result:



Editing the hosts file in Linux (Debian, Ubuntu, CentOS 7, RHEL 7, etc)

Editing the hosts file in Linux is easier. Just open a terminal and edit the following file with your favorite text editor (vi, vim, nano, etc.); note that the file is owned by root, so the editor must be run with root privileges (for example via sudo):


/etc/hosts


Similarly, we can sinkhole www.google.com.ph by adding the following entry in the hosts file and saving it:


0.0.0.0 www.google.com.ph



Protecting one’s self from malware using hosts file

Now that we have learned how the hosts file can be used to sinkhole / block domains, we will proceed to use the hosts file / blocklist created by Steven Black (https://github.com/StevenBlack/hosts), which he consolidated from several reputable sources.

For this example, let us use the hosts file recipe “Unified hosts + fakenews + gambling + porn”, which can also be found via the GitHub link above: https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-gambling-porn/hosts



We can copy and paste the contents of this hosts file recipe into our own local hosts file and save it, or we can download a copy of this hosts file and replace our local hosts file with it (keep in mind that replacing the file discards any entries we added ourselves).
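Replacing the local hosts file wholesale also discards entries such as internal mappings or the sinkhole entry added earlier. As an added example that is not part of this article or of Steven Black's project, the following Python script merges a downloaded list into the existing file instead: it keeps existing mappings, leaves the localhost names alone and rejects any blocklist line that points a domain at a routable address rather than a sinkhole (the file contents below are constructed for the demo, and nothing is written to disk).

```python
# Added example: merge a hosts-format blocklist into an existing hosts file
# without losing local entries. All names and contents are constructed samples.
from typing import List, Tuple

SINKHOLE = "0.0.0.0"
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1"}          # the only targets a blocklist should use
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample: a local hosts file with one custom intranet mapping.
LOCAL_HOSTS = "127.0.0.1 localhost\n192.168.1.10 intranet.example  # internal wiki\n"
# Constructed sample: a downloaded blocklist, including one suspicious line
# that maps a domain to a routable address instead of sinkholing it.
BLOCKLIST = """0.0.0.0 ads.example
0.0.0.0 malware.example   # known malware host
127.0.0.1 localhost
0.0.0.0 ads.example
203.0.113.5 example.org
"""

def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (ip, [hostnames]) pairs; comments and blank lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # strip trailing comments
        parts = line.split()
        if len(parts) >= 2:                        # skip blank or malformed lines
            entries.append((parts[0], [h.lower() for h in parts[1:]]))
    return entries

def merge_blocklist(local_text: str, blocklist_text: str):
    """Append sinkhole entries the local file lacks; returns (text, added, rejected).
    A line whose target is not a sinkhole address would hijack the domain, not block it."""
    known = {h for _, hosts in parse_hosts(local_text) for h in hosts}
    added, rejected = [], []
    for ip, hosts in parse_hosts(blocklist_text):
        if ip not in SINKHOLE_IPS:
            rejected.extend(hosts)
            continue
        for host in hosts:
            if host in LOOPBACK_NAMES or host in known:
                continue                           # keep the existing local mapping
            known.add(host)
            added.append(host)
    merged = local_text.rstrip("\n") + "\n\n# --- sinkholed domains merged from blocklist ---\n"
    merged += "".join(f"{SINKHOLE} {host}\n" for host in added)
    return merged, added, rejected
```

Write the returned text to the hosts file path for your platform with administrator or root privileges, as described above.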




Using this hosts file recipe / list of sinkholed domains should prevent access to common pop-ups and malicious domains.

Although this approach does not guarantee 100% protection from malicious domains, since the list needs to be updated regularly, it can add a layer of security to your devices.

We hope that this article is helpful.

We would also like to thank Steven Black (https://twitter.com/SteveBlack, https://github.com/StevenBlack, http://stevenblack.com) for the list he has consolidated and to the people who contributed to the creation of this list.