The Angler exploit kit has reportedly adopted a new evasion technique called "domain shadowing." What is this technique and how can it be used in a malware attack? Are there special defenses against malware that uses a shadow domain?
Exploit kits must adopt new techniques to both compete with other exploit kits and remain profitable. If an attacker can't profit from an exploit kit, he will need to either amend the current kit or switch to a new one. Improving evasion techniques also helps attackers be more successful.
According to Cisco Talos researchers, domain shadowing is "the process of gathering domain account credentials in order to silently create subdomains pointed at malicious servers without tipping off the actual owner." It is a variant of a fast-flux domain name attack.
In an attack that includes domain shadowing, an attacker will log into the domain registrar's website with stolen account credentials and set up a new subdomain pointed at a new server IP address. By registering many subdomain names and IP addresses, attackers are able to avoid blacklists, but this does not allow them to bypass reputation-based filters.
Domain shadowing can then be used to embed a DNS name in the malware, which could be used to download the malware from a compromised webhost or dictate where a compromised system should send stolen data.
Enterprise defenses against domain shadowing are fraught with difficulty since many of the same techniques used by domain shadowing are also used legitimately by Web hosting companies.
There are some steps enterprises can take, however. For example, domain names and IP addresses could be checked against a reputation-based blacklist and examined to see whether a single domain resolves to many different names or IP addresses, and then heuristic behavioral analysis could be used to identify which potentially malicious network connections require further investigation.
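As an added illustration of the check described above (this is not part of Nick Lewis' answer), the following Python sketch applies that heuristic to a constructed passive-DNS sample: it groups resolutions by registrable domain and flags a domain whose subdomains resolve to several IP addresses outside the networks the domain itself uses. The records, the thresholds, and the /24 grouping are assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed passive-DNS sample: (hostname, resolved IPv4). "example.com" and its
# mail host live on one network; four throwaway-looking subdomains point elsewhere,
# which is the pattern domain shadowing leaves behind. "example.org" is a clean control.
DNS_RECORDS = [
    ("example.com", "203.0.113.10"),
    ("www.example.com", "203.0.113.10"),
    ("mail.example.com", "203.0.113.11"),
    ("a9f3k2.example.com", "198.51.100.21"),
    ("q7x1mz.example.com", "198.51.100.77"),
    ("bb21ka.example.com", "192.0.2.140"),
    ("zz0pqr.example.com", "192.0.2.9"),
    ("shop.example.org", "203.0.113.50"),
    ("www.example.org", "203.0.113.50"),
]


def apex(hostname):
    """Approximate the registrable domain as the last two labels (assumption:
    no public-suffix list is available offline, so co.uk-style suffixes are not handled)."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def shadow_domain_report(records, min_subdomains=3, min_foreign_ips=3):
    """Flag apex domains whose subdomains resolve to many IPv4 addresses that
    fall outside the /24 networks used by the apex (or www) host itself."""
    by_apex = defaultdict(list)
    for host, ip in records:
        by_apex[apex(host)].append((host.lower().rstrip("."), ip_address(ip)))

    report = {}
    for dom, entries in by_apex.items():
        # The apex and www records are taken as the owner's legitimate hosting networks.
        own_nets = {ip.packed[:3] for h, ip in entries if h in (dom, "www." + dom)}
        foreign = {}  # subdomain -> first IP seen outside the owner's networks
        for h, ip in entries:
            if h != dom and not h.startswith("www.") and ip.packed[:3] not in own_nets:
                foreign.setdefault(h, ip)
        suspicious = (len(foreign) >= min_subdomains
                      and len(set(foreign.values())) >= min_foreign_ips)
        report[dom] = {"suspicious": suspicious, "foreign_subdomains": sorted(foreign)}
    return report


if __name__ == "__main__":
    for dom, info in shadow_domain_report(DNS_RECORDS).items():
        print(dom, "SUSPICIOUS" if info["suspicious"] else "ok", info["foreign_subdomains"])
```

Flagged domains are candidates for the behavioral follow-up the answer mentions, not verdicts; a CDN or multi-homed host can produce the same shape and must be whitelisted by the analyst.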
Ask the Expert:
SearchSecurity expert Nick Lewis is ready to answer your enterprise threat questions -- submit them now. (All questions are anonymous.)