The Angler exploit kit has reportedly adopted a new evasion technique called "domain shadowing." What is this technique...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
and how can it be used in a malware attack? Are there special defenses against malware that uses a shadow domain?
Exploit kits must adopt new techniques to both compete with other exploit kits and remain profitable. If an attacker can't profit from an exploit kit, he will need to either amend the current kit or switch to a new one. Improving evasion techniques also helps attackers be more successful.
According to Cisco Talos researchers, domain shadowing is "the process of gathering domain account credentials in order to silently create subdomains pointed at malicious servers without tipping off the actual owner." It is a variant of a fast-flux domain name attack.
In an attack that includes domain shadowing, an attacker will log into the domain register's website to set up a new subdomain registered to a new server IP address. By registering many subdomain names and IP addresses, attackers are able to avoid blacklists, but it does not allow attackers to bypass reputation-based filters.
Domain shadowing can then be used to embed a DNS name in the malware, which could be used to download the malware from a compromised webhost or dictate where a compromised system should send stolen data.
Enterprise defenses against domain shadowing are fraught with difficulty since many of the same techniques used by domain shadowing are also used legitimately by Web hosting companies.
There are some steps enterprises can take, however. For example, IP addresses could be checked against a reputation-based blacklist to see if it resolves to multiple names or IP addresses, and then heuristic behavioral analysis could be used to identify which potentially malicious network connections require further investigation.
Ask the Expert:
SearchSecurity expert Nick Lewis is ready to answer your enterprise threat questions -- submit them now. (All questions are anonymous.)
Learn about the latest malware advanced evasion techniques
Cisco says business need to prioritize cyberattack detection
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
Researchers have developed an ASLR Cache side-channel attack that enables them to eliminate ASLR protections. Expert Nick Lewis explains how ...continue reading
The SQL Slammer worm has re-emerged to attack a vulnerability in Microsoft SQL Server 2000. Expert Nick Lewis explains what enterprises can do to ...continue reading
The Fruitfly Mac malware has decades-old code, but has been conducting surveillance attacks for over two years without detection. Expert Nick Lewis ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.