We found this interesting and malicious little mechanism.
The hosts file on a machine under investigation was modified to redirect the victim’s browser to a well known legitimate site (in this case google.com) whenever the user attempted to contact any of a list of nearly 400 sites. The list was a “Who’s Who” of the anti-malware world – most of the places where someone with an infected machine would go to get help.
The altered hosts file contained many lines beginning with ‘#’ followed by gibberish. These would be seen as comments by any browser and ignored. Concealed among the commented lines are the lines containing the domain name redirections. When the commented lines are stripped, we find all of the listed security related websites being redirected to “126.96.36.199”, which is the IP address for google.com.
Some of the sites were:
188.8.131.52 lexikon.ikarus.at
184.108.40.206 www.virusdoctor.jp
220.127.116.11 www.spybotupdates.com
18.104.22.168 securityresponse.symantec.com
22.214.171.124 www.mcafee.com
126.96.36.199 es.trendmicro-europe.com
188.8.131.52 www.quickheal.co.in
184.108.40.206 www.offensivecomputing.net
220.127.116.11 research.sunbelt-software.com
18.104.22.168 www.sunbeltsoftware.com
22.214.171.124 www.sunbeltsecurity.com
126.96.36.199 www.cwsandbox.org
The “hosts” file is in the Windows\system32\drivers\etc directory in Windows XP, Windows 7 and Windows Server 2008 – and probably all incarnations of Windows, since browsers (via the system resolver) are going to look there.
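The check an incident responder would want for this is a small parser that strips the comment noise, keeps only the real ip/hostname pairs, and flags any entry that overrides a security-vendor domain or points a name at a routable address. The script below is an added example and not code from the original post; the sample hosts content, the WATCHED_DOMAINS subset and the function names are constructed for illustration (the addresses are the ones shown on the page).

```python
import ipaddress
import os
from typing import List, Tuple

# Constructed sample modelled on the page's description: gibberish comment
# lines interleaved with redirections of anti-malware domains.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
# a8s7dfh2k3jh4g5k2j3h4g5kj
126.96.36.199   securityresponse.symantec.com
# q9w8e7r6t5y4u3i2o1p
188.8.131.52    www.mcafee.com
# zxcvbnm1234567890
126.96.36.199   www.cwsandbox.org
# lkjhgfdsa0987654321
"""

# A constructed subset of the ~400 domains from the page; in practice this
# would be the full list of vendor and support sites you care about.
WATCHED_DOMAINS = {
    "securityresponse.symantec.com",
    "www.mcafee.com",
    "www.cwsandbox.org",
    "www.spybotupdates.com",
    "lexikon.ikarus.at",
}

# Names that legitimately map to loopback / unspecified addresses.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Default location on Windows, as the page states (path assumed from %SystemRoot%).
DEFAULT_HOSTS_PATH = os.path.join(
    os.environ.get("SystemRoot", r"C:\Windows"), "System32", "drivers", "etc", "hosts"
)


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; comment lines and trailing comments are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # everything after '#' is a comment
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a valid ip, so it cannot act as an override
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def suspicious_entries(text: str) -> List[Tuple[str, str, str]]:
    """Flag overrides of watched domains, and any non-local name sent to a routable address."""
    findings = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        is_local_addr = addr.is_loopback or addr.is_unspecified
        if name in LOCAL_NAMES and is_local_addr:
            continue  # the normal "127.0.0.1 localhost" style entry
        if name in WATCHED_DOMAINS:
            # Any mapping at all (redirect or sinkhole) for these is a red flag.
            findings.append((ip, name, "watched security domain overridden"))
        elif not is_local_addr:
            findings.append((ip, name, "name redirected to routable address"))
    return findings


def comment_ratio(text: str) -> float:
    """Share of non-blank lines that are comments; padding like the page describes drives this up."""
    lines = [l for l in text.splitlines() if l.strip()]
    if not lines:
        return 0.0
    return sum(1 for l in lines if l.lstrip().startswith("#")) / len(lines)


def scan_file(path: str = DEFAULT_HOSTS_PATH) -> List[Tuple[str, str, str]]:
    """Read a hosts file from disk and return its suspicious entries."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


if __name__ == "__main__":
    # Run against the constructed sample so the script works offline.
    for ip, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{ip:<16} {name:<35} {reason}")
    print(f"comment ratio: {comment_ratio(SAMPLE_HOSTS):.2f}")
```

Point scan_file at the live hosts file on a suspect machine to apply the same checks; a high comment_ratio on its own is not proof of tampering, but combined with any override of a watched domain it matches the pattern described above closely enough to warrant pulling the file for review.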
Learn more about the hosts file here.