Monday, October 22, 2007

Spoofing Google With Hosts File

These days security is on everyone’s mind. What if I told you there is a disgustingly simple way of spoofing real web sites in order to steal your information? This technique has gotten little attention in the media compared to OS exploits, but it is a far more powerful technique than OS holes.

The technique involves modifications to the system’s HOSTS file. What is the HOSTS file, you ask? For you newbies out there, a HOSTS file is a computer file used to store information on where to find a node on a computer network. It maps hostnames to IP addresses.

So? Who cares, right? Wrong!!!! Observe this simple technique to hijack your computer without you ever knowing or suspecting!

The trick is to get you to download and install my little program, or execute my ActiveX control, or for me to plant it in some shareware somewhere; there are a million different ways for me to deliver it to your computer. As part of the program, I write a simple entry into your HOSTS file. A typical HOSTS file should look like this:

No big deal. But if my little program modifies your HOSTS file to appear as the one below:

When you launch your web browser and type in www.google.com, you are redirected to www.goitexpert.com, my friend! Same with the Citibank Web Login: you get sent to www.goitexpert.com. You can use this technique to set up a fake web site.

Even the title in the address bar says http://www.google.com since as far as the browser is concerned, you are at Google’s web page. Try the technique for yourself!

This is where you get into trouble. If I wanted to “rip off” Citibank’s web site, I could and you would never know it. The address would still appear as if it were Citibank’s and you would try logging in as you normally do, and you wouldn’t be able to login. But I would have your username and password!

By the time you realize what has happened, you would be broke!

How do you stop this type of attack? You can obviously buy Anti-Virus or Anti-Spyware software, but they won’t help much. My HOSTS file actually has several needed entries, and neither my anti-virus nor my spyware software has ever complained about entries in the HOSTS file.

The surefire way to prevent HOSTS file abuse is to mark it read-only. Locate your HOSTS file in c:\windows\system32\drivers\etc and right-click on it.

Go to Properties and put a checkmark in the box that says Read-Only.

As a result, you will be prompted whenever an attempt is made to write an entry to this file. The prompt will say that you are trying to modify a read-only file and will prevent the action, unless of course the coder was smart enough to try to modify the attributes beforehand.

Oh but you use Linux so you are safe from this technique? WRONG!! The /etc/hosts file is just as vulnerable. If you are logged in as a user that can modify system files, you are vulnerable, and often to install software you have to be logged in as root or at least with sudo rights.

You should mark the /etc/hosts file as read-only as well.
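
Since the read-only attribute can be cleared by the same program that edits the file, it also helps to check what the file actually contains. The script below is an added example, not part of the original post: it parses a hosts file and reports every mapping for a name that is not on a small local allowlist. The allowlist, the sample data and the "info"/"redirect" labels are assumptions made for this illustration.

```python
import ipaddress
import os
import sys

# Names that normally belong in a hosts file (assumed allowlist; extend per site).
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
               "ip6-loopback", "broadcasthost"}

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0].split("%")[0])  # tolerate fe80::1%lo0
        except ValueError:
            continue                             # not an address: ignore the line
        for name in fields[1:]:
            yield line_no, ip, name.lower().rstrip(".")

def audit(text, allowed=LOCAL_NAMES):
    """Return mappings that override DNS for a name outside the allowlist."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name in allowed:
            continue
        # Loopback/unspecified targets are typical ad-block sinkholes; a routable
        # address means the name is being sent to a real server.
        severity = "info" if (ip.is_loopback or ip.is_unspecified) else "redirect"
        findings.append((line_no, name, str(ip), severity))
    return findings

# Constructed sample; 203.0.113.10 is a documentation address, not a real server.
SAMPLE = """\
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net      # sinkhole
203.0.113.10    www.google.com  WWW.Example-Bank.test.
"""

if __name__ == "__main__":
    default = (r"C:\Windows\System32\drivers\etc\hosts" if os.name == "nt"
               else "/etc/hosts")
    path = sys.argv[1] if len(sys.argv) > 1 else default
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line_no, name, ip, severity in audit(fh.read()):
            print(f"{path}:{line_no}: {severity}: {name} -> {ip}")
```

Run it with no arguments to audit the system's own hosts file, or pass a path to audit a copy; any "redirect" line for a site you log in to deserves a closer look.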


http://www.goitexpert.com/entry.cfm?entry=How-To-Spoof-Google
