Thursday, September 16, 2010

What is the Google Redirect Virus and What is a Hosts File?

A redirect virus will redirect your web browser to a different website instead of where you wanted it to go.
Many times this is to send you to a website with advertising in order to get you to purchase something. Other times it may be to send you to a fake internet banking site to try to get your account information.
The redirect malware or virus will usually modify a file on your computer that is called the "hosts" file.
Before we discuss what the hosts file is, I want to explain something about how you get to a website with your web browser.
There are a few popular web browsers today: Internet Explorer (also referred to as IE), Firefox, Google Chrome, and Safari. There are more available, but these seem to be the ones that I see people using the most.
First of all, a website has a numeric address, similar to a phone number or a street address.
So for instance, Google has an address of 208.69.32.231 (referred to as an IP address). You could type that into the address bar of your web browser and it would take you to Google. The problem is that trying to remember numbers is much more difficult for humans, so we use names.
When you request a website by name the first time, your computer looks at the hosts file to see if it is listed there. Usually there are no entries in the hosts file. If there is an entry for google.com with ANY IP address, your computer will send you to THAT IP address, even if it is not an address that belongs to Google.
When there is no entry for Google or the website you want to go to, the computer will contact a domain name server (DNS) to see what the numeric address of the website is.
It learns that Google = 208.69.32.231 and the computer then displays the website you were looking for that resides at the particular address.
The redirect virus creates an entry for the Google site or any website and adds a fake IP address or an IP address that belongs to a different website. When you want to go to that particular site your computer will go to the fake/incorrect IP address that is in the hosts file.
So to fix this you first need to scan the computer and also fix the hosts file.
The hosts file can also be used to help protect you from bad websites. If you had a list of all the bad websites in the world, you could enter them into the hosts file and use the IP address of 127.0.0.1.
The entry would look like this (the IP address comes first, then the name):
127.0.0.1 badwebsitename
Then if you or someone using your computer tried to go to one of the bad websites listed in your computer's hosts file, the web browser would display an error page that basically says the page cannot be displayed.
So you may wonder what 127.0.0.1 is, or where 127.0.0.1 is. Simple answer: it is your own computer.
It's called a loopback address.
So since there is not a website running on your computer's loopback address, you get the "page cannot be displayed" error message, and that is much better than going to a website that has viruses or malware on it.
There are websites that maintain a hosts file with a list of well-known bad websites. If you replace your hosts file with it, you can keep your system safer from malware.
There are other types of viruses that can cause a redirect. Some can actually change the settings in your router so that it sends you to a bad DNS server.
Then the "poisoned" DNS server will redirect you. So you may think the problem lies within the computer, but it may also be that your router was affected by a virus.
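To check a hosts file for both kinds of entries described above, here is an added example (not part of the original post) that parses hosts file text and separates blocking entries (names pointed at a loopback or 0.0.0.0 address) from overrides that send a name to some other IP address and deserve a closer look. The sample content, the addresses in it, and the function names are constructed for illustration; a hosts entry is an IP address followed by one or more names.

```python
import ipaddress

# Constructed sample hosts file content (not from a real infection).
SAMPLE_HOSTS = """\
# Sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       badwebsitename              # blocking entry
203.0.113.45    google.com www.google.com   # override to review
198.51.100.7    mybank.example
not-an-ip       broken.example
"""

def parse_hosts(text):
    """Yield (line_number, ip, hostnames) for each well-formed entry."""
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        fields = line.split()
        if len(fields) < 2:
            continue  # blank line, comment only, or no hostname
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address: skip malformed line
        yield number, ip, [name.lower() for name in fields[1:]]

def audit_hosts(text):
    """Classify entries as 'blocked' (loopback/0.0.0.0) or 'overridden'."""
    findings = {"blocked": [], "overridden": []}
    for number, ip, names in parse_hosts(text):
        for name in names:
            if name == "localhost" and ip.is_loopback:
                continue  # the normal default entry
            kind = "blocked" if ip.is_loopback or ip.is_unspecified else "overridden"
            findings[kind].append((number, name, str(ip)))
    return findings

if __name__ == "__main__":
    for kind, entries in audit_hosts(SAMPLE_HOSTS).items():
        for number, name, ip in entries:
            print(f"{kind:10} line {number}: {name} -> {ip}")
```

To check a real machine, read the hosts file (on Windows, C:\Windows\System32\drivers\etc\hosts; on Linux and macOS, /etc/hosts) and pass its text to audit_hosts. An "overridden" entry is not proof of infection, but any override you did not add yourself should be investigated.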
