Certain types of malware, including the recent DGA.Changer, has been said to have a cloaking property that allows...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
it to evade sandboxes. Can you please explain what cloaked malware really is and how it is able to avoid sandboxes? What other security measures should my enterprise put in place beyond sandboxing to detect cloaked malware?
Malware using domain-generation algorithms (DGAs) to identify the command-and-control (C&C) infrastructure has emerged over the last year. A recent blog post from Seculert reported that the DGA.Changer malware is just a downloader that installs other malware that will be used to further infect the system. However, one unique feature of DGA.Changer is the cloaking method it uses to evade detection and slow malware analysis: It can receive commands from its C&C to change the DGA "seed" it uses to create random domains.
Let me explain. When an algorithm generates the same domain names on all systems, that can be detected by a sandbox and quarantined as suspicious based on an established pattern. If it changes its seed on demand, it cannot be detected and may bypass the sandbox altogether because the malware is suddenly not communicating with any of the known-bad domains.
Enterprises can detect malware using DGA by monitoring DNS requests and looking for systems that perform lookups on nonexistent domain names or ones that are highly unusual (never before accessed from the domain). The malware could also be detected by a network-based antimalware appliance or by monitoring DNS logs for failed lookups. An endpoint looking up an abnormal number of domains in a short period of time should also be investigated to determine if the endpoint was compromised.
Ask the Expert!
SearchSecurity expert Nick Lewis is ready to answer your enterprise threat questions -- submit them now! (All questions are anonymous.)
Dig Deeper on Malware, Viruses, Trojans and Spyware
Related Q&A from Nick Lewis
Vonteera adware has the ability to disable antimalware software on endpoint devices. Expert Nick Lewis explains how enterprises can prevent this ...continue reading
ModPOS, a new POS malware, compromised millions of credit card accounts in 2015. Expert Nick Lewis explains how cybercriminals use this malware and ...continue reading
Amex cards have been discovered to be vulnerable to credit card hacking. Expert Nick Lewis explains how this happens, and what can be done about Chip...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.