Wednesday, November 3, 2004

New phishing scam: rewrite hosts file from email

According to the silicon.com article "Covert phishing scam lies in wait for its victim", there's a new phishing scam floating around the net which works by rewriting your hosts file so that requests for certain sites are redirected to the scammers' servers.

What's a hosts file? Long, long ago in an internet far far away, one had to refer to remote systems by IP address, eg 127.0.0.1. Thing was, these systems typically had a name, eg PLPSC or SYSMVSA, so someone, somewhere came up with the idea of mapping these hostnames to IP addresses in a file called /etc/hosts on unix systems (and \windows\system32\drivers\etc\hosts on Windows systems). Very quickly the hosts file became unmanageable as names changed and networks were rearranged, so around 1984 (I'm doing this from memory, so don't blame me if the dates are wrong) the domain name system, with its concept of nameservers and resolvers, came into being: a system of servers which translate a name like sysmvsa.example.com to an address like 127.0.0.1.

Still, hosts files stick around, either to get around temporary nameservice problems or, on very small networks, as an easy way to alias readable names to IP addresses. The hosts file is typically consulted before DNS, and definitely so on Windows systems. Which is what makes this exploit all the more insidious...most people using Windows today have no idea what a hosts file is, where it's located, or what the impact of having it rewritten would be.

What this exploit can do (in theory, I haven't seen it myself, nor do I want to) is map the entry portals of a number of e-commerce or banking web sites to a proxy run by the scammers. The proxy can then separate the secure requests from the non-secure ones and parse out the user IDs and passwords used to access the site. Since the proxy knows which site you were trying to reach, it can easily build a database of user IDs, passwords, and the systems they log into.

If you fall victim to this, you're pretty screwed. You won't know it's occurring until you've been had (unless you notice that your connection is oddly slow, which you may not if you're on dialup or a slower broadband connection, or if the proxy is close to you in the network). The exploit appears to take advantage of vulnerabilities in Microsoft Outlook and Outlook Express. It's possible that an antivirus scanner will detect these scripts either in your email or when they try to execute, but I wouldn't be surprised if antivirus products don't consider the hosts file to be a critical system file. (I mean, it is a critical system file, but I edit mine frequently and never get an alert from my antivirus program.)
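Since the article above describes the hosts file format and the redirect the scam plants but gives no way to check for it, here is an added example, not part of the original post, that parses a hosts file in the "address hostname [aliases]" format described above and flags entries mapping a watched domain to a routable (non-loopback) address. The sample hosts content, the 203.0.113.45 proxy address and the bank.example / shop.example domains are constructed for the example; the list of domains to watch is an assumption you would fill with the sites you actually care about.

```python
import ipaddress
import os

# Constructed sample of a tampered hosts file (not from the article). Windows and
# unix hosts files share the "address hostname [aliases...]" format; '#' starts a comment.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# The two lines below are the kind of entry the scam plants: a banking and an
# e-commerce hostname pointed at an attacker-controlled proxy (constructed address).
203.0.113.45    www.bank.example
203.0.113.45    shop.example   www.shop.example
"""

# Hypothetical watch list; in practice, the sites whose logins you care about.
WATCH_DOMAINS = ["bank.example", "shop.example"]


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and blanks.

    A line may carry several hostnames for one address; each becomes its own pair.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field; a fuller audit would report it
        for name in fields[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def suspicious_entries(entries, watch_domains):
    """Return entries that point a watched domain (or a subdomain) at a routable address.

    Loopback and unspecified targets (127.0.0.1, ::1, 0.0.0.0) are the benign uses
    of a hosts file (localhost aliases, ad blocking), so they are not flagged.
    """
    flagged = []
    for ip, name in entries:
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue
        if any(name == d or name.endswith("." + d) for d in watch_domains):
            flagged.append((ip, name))
    return flagged


def default_hosts_path():
    """Location of the live hosts file, per the paths named in the post."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "system32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    # Audit the constructed sample; swap in default_hosts_path() to audit the real file.
    for ip, name in suspicious_entries(parse_hosts(SAMPLE_HOSTS), WATCH_DOMAINS):
        print(f"suspicious hosts entry: {name} -> {ip}")
```

The check is deliberately narrow: a hosts entry for a site you never asked to alias, pointing anywhere other than the local machine, is the signature of this redirect, while the common ad-blocking and localhost entries pass untouched. Comparing the file's contents against a copy taken when the machine was known to be clean catches the same tampering without needing a watch list.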

e.p.c. posted this at 14:41 GMT on 3-Nov-2004 .

Slightly acerbic and eccentric dog walker who masquerades as a web developer and occasional CTO.

Spent five years running the technology side of the circus known as www.ibm.com.
