Tuesday, June 28, 2011

Trojans

Over the past 2 months I've probably repaired or reinstalled a dozen computers belonging to family or friends. Most of these were infected with viruses and/or trojans. I noticed something interesting about how several of the trojans worked. I wanted to share this info so others would be informed and know what to watch out for.

These trojans were redirecting Internet requests without the user's knowledge or consent. And I'm sure the reasons for the redirection were malevolent. They used two different ways to achieve this redirection.

Hosts file

The "hosts" file is an old, seldom-used file in Windows that maps host names to IP addresses. The resolver consults it before it ever asks DNS, so an entry there overrides whatever DNS would have answered. The file has no extension and is located at %WinDir%\system32\drivers\etc\hosts. A "clean" hosts file contains nothing but comments, or at most the two loopback entries "127.0.0.1 localhost" and "::1 localhost" (XP ships with only the first; Windows 7 ships with both commented out). An entry like "127.0.0.1 localhost" means the name "localhost" will resolve to 127.0.0.1. If there are other active entries in this file and you did not add them yourself (some people use a hosts file to block ad servers), chances are a virus or trojan put them there, either to send a bank or search site to the attacker's server or to point antivirus update sites at 127.0.0.1 so the scanner can no longer update. You should remove them. Two things to check while you are there: malware sometimes marks the file hidden or read-only so it is not noticed, and it can change the registry value HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath so that Windows reads a hosts file from a different directory while the one in drivers\etc looks clean.

Proxy

The other method I found was by forcing the system to use a proxy. By using a proxy the virus/trojan can redirect traffic as it sees fit. To check your proxy settings go to Control Panel | Internet Options | Connections, then click on LAN Settings. If the box for "Use a proxy server" is checked, then a proxy is enabled. You should disable the proxy. Check the "Use automatic configuration script" box in the same dialog as well: a PAC script at that URL can send only the sites the attacker cares about through his proxy while everything else goes direct, and it is easy to miss because the proxy-server box stays unchecked. A proxy address of 127.0.0.1 means a program running on the computer itself is intercepting the traffic. These settings are stored per user, so check every account on the machine.
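The following PowerShell script automates both checks described above on one machine. It is an added example, not something from the original post: it reads the registry value that tells Windows where the hosts file lives, the file's attributes, its active entries, and the per-user Internet Options proxy values. What it treats as suspicious (any active entry other than the localhost ones, any proxy or PAC URL set at all, any DataBasePath other than the default) is my own assumption; an ad-blocking hosts list or a corporate proxy will trigger it too. Run it in an elevated prompt on Windows 7 or later.

```powershell
# Added example (not from the original post): audit the hosts file and the
# Internet Options proxy settings for signs of traffic redirection.
# Assumption: anything beyond the localhost entries, and any proxy/PAC setting
# at all, is worth a look. Adjust $benign if you use a hosts-based ad blocker.

# 1. Where does TCP/IP actually read the hosts file from? Malware sometimes
#    points DataBasePath elsewhere so the file in system32\drivers\etc looks clean.
$tcpipParams   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$dbPath        = (Get-ItemProperty -Path $tcpipParams -Name DataBasePath).DataBasePath
$dbPath        = [Environment]::ExpandEnvironmentVariables($dbPath)
$defaultDbPath = Join-Path $env:WinDir 'system32\drivers\etc'
if ($dbPath -ne $defaultDbPath) {
    Write-Warning "DataBasePath points to '$dbPath' instead of '$defaultDbPath'"
}
$hostsFile = Join-Path $dbPath 'hosts'

# 2. Hidden or read-only attributes are a common trick to keep the file from
#    being noticed or edited. -Force is needed to see a hidden file at all.
$attrs = (Get-Item -Path $hostsFile -Force).Attributes
if ("$attrs" -match 'Hidden')   { Write-Warning "hosts file is marked Hidden" }
if ("$attrs" -match 'ReadOnly') { Write-Warning "hosts file is marked ReadOnly" }

# 3. List every active mapping other than the loopback entries that Windows
#    itself ships with. Inline comments ("1.2.3.4 host # note") are stripped
#    and runs of whitespace collapsed before the comparison.
$benign = @('127.0.0.1 localhost', '::1 localhost')
Get-Content -Path $hostsFile |
    ForEach-Object { (($_ -replace '#.*$', '') -replace '\s+', ' ').Trim() } |
    Where-Object  { $_ -and ($benign -notcontains $_) } |
    ForEach-Object { Write-Warning "non-default hosts entry: $_" }

# 4. Proxy settings behind Internet Options | Connections | LAN Settings.
#    These are per user (HKCU), so run this as each account on the machine.
#    ProxyEnable/ProxyServer is the "Use a proxy server" checkbox;
#    AutoConfigURL is the "Use automatic configuration script" box (PAC file).
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p    = Get-ItemProperty -Path $inet
if ($p.ProxyEnable -eq 1) {
    Write-Warning "Proxy server enabled: $($p.ProxyServer)"
    if ($p.ProxyServer -match '127\.0\.0\.1|localhost') {
        Write-Warning "Proxy points at this machine: some local program is intercepting traffic"
    }
}
if ($p.AutoConfigURL) { Write-Warning "Automatic configuration script (PAC): $($p.AutoConfigURL)" }

# 5. Services and some applications use the separate machine-wide WinHTTP proxy,
#    which the Internet Options dialog does not show.
netsh winhttp show proxy
```

If the script reports a DataBasePath change, a hidden or read-only hosts file, or a PAC URL you never configured, clean those up first; the dialog-based checks in the post only look at the default hosts location and at the proxy-server checkbox, so they will miss exactly those cases.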

Both of these are clever methods in that they work regardless of the type of browser you're using. The hosts file affects every program that resolves names through Windows, not just browsers, and the proxy settings in Internet Options are the system settings that Internet Explorer and Chrome use and that Firefox uses by default ("Use system proxy settings" in its connection options, which is also worth a glance since Firefox can be pointed at a proxy of its own). Internet Explorer, Firefox, Chrome, etc. would all be redirected without the user even realizing it. And since a hosts entry or a proxy setting is perfectly valid in certain circumstances, a virus checker cannot simply flag them as malicious; some tools will list the entries for you, but none can tell an ad-blocking list from a trojan's additions. So it's up to you to check your own system.
