In time, I became an IT Director, and we had to add antispyware tools to the repertoire. Lo and behold, today we install Internet Security software to protect against viruses, spyware, rootkits and spam, not to mention giving users intrusion protection, a firewall, parental controls, data theft protection and an email safety scan.
Rumor has it that soon these packages will start your car, check for dangerous fumes and scan all mail for weaponized bio-chemicals.
I know I am being a bit over the top, but it makes the point. We keep adding more and more tools to combat the growing tide of threats. The truth is, even with all this security, we are still vulnerable.
There is no silver bullet. I recall running an antispyware scan on a user's machine that found and cleaned 856 different threats. After a restart, I ran a scan with another spyware program. This one found 445 other threats (yes, they were different; I checked the log reports).
No doubt, I could have installed three other scanners and got three more varying results.
Therefore, what can we do? How do we keep ahead of the storm? One answer is to pull your systems off the Internet. Of course, that's the equivalent of selling everything and moving into a cave: not a viable business strategy.
So, what alternative is there?
Reinforcements have arrived
The answer lies in a somewhat older technology: the Windows hosts file. The hosts file uses entries to resolve domain names to IP addresses, just like DNS. DNS takes the name of a host such as rare-tech.net and converts it to the IP address of that host (126.96.36.199).
However, the hosts file takes precedence over the DNS mappings. Moreover, unlike DNS, which is controlled from the server, the hosts file lives on the individual PC and is controlled by the local machine.
Overriding DNS is not a bad thing, since adware servers are often listed in DNS just like any other host. The idea of converting IP addresses into understandable names is terrific. However, a machine has no way of knowing that the IP address it resolves a name to actually belongs to an ad server or some other sort of rogue system.
An easy way of handling this is to edit the hosts file so that requests for these sites are sent to the IP address 127.0.0.1, which is the local host. Since the system will keep translating the address to the local host, it just sends the request into an endless loop. This has no ill effects on your PC.
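The hosts-file mechanism described above, as an added example that is not part of the original post: a small parser for the `address hostname [alias ...]` line format that reports which names a file sinkholes to the local host, and separately lists names pointed at any other address, since the same precedence over DNS that blocks an ad server would also let a tampered file redirect a legitimate site. The sample file, the hostnames in it and the `audit_hosts` function are all constructed for this example.

```python
"""Parse hosts-file text and report which names it sinkholes to loopback."""
import ipaddress

# Constructed sample hosts file (not a real one). Same format as Windows:
# <address> <hostname> [alias ...]   # optional comment
SAMPLE_HOSTS = """\
# blocked ad and tracker hosts (constructed names)
127.0.0.1  ads.example  tracker.example   # both names sent to the local host
0.0.0.0    beacon.example                 # unspecified address, also a sinkhole
::1        ip6-ads.example                # IPv6 loopback
198.51.100.7  update.example              # points off the machine: review it
this is not a valid line
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs; comments, blanks and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comment
        fields = line.split()
        if len(fields) < 2:
            continue                           # blank, comment-only, or no hostname
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # first field is not an IP address
        for name in fields[1:]:                # one address may carry several names
            yield addr, name.lower()           # hostnames are case-insensitive


def audit_hosts(text):
    """Split entries into sinkholed names and names mapped to other addresses.

    Returns (sinkholed, other): a set of names that resolve to a loopback or
    unspecified address, and a dict of name -> [addresses] for everything else.
    """
    sinkholed, other = set(), {}
    for addr, name in parse_hosts(text):
        if addr.is_loopback or addr.is_unspecified:
            sinkholed.add(name)
        else:
            other.setdefault(name, []).append(str(addr))
    return sinkholed, other


if __name__ == "__main__":
    blocked, review = audit_hosts(SAMPLE_HOSTS)
    print("sinkholed:", sorted(blocked))
    print("review   :", review)
```

Running it against a real machine means feeding it the contents of `%SystemRoot%\System32\drivers\etc\hosts` instead of the sample string.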