The Angler exploit kit has reportedly adopted a new evasion technique called "domain shadowing." What is this technique...
and how can it be used in a malware attack? Are there special defenses against malware that uses a shadow domain?
Exploit kits must adopt new techniques to both compete with other exploit kits and remain profitable. If an attacker can't profit from an exploit kit, he will need to either amend the current kit or switch to a new one. Improving evasion techniques also helps attackers be more successful.
According to Cisco Talos researchers, domain shadowing is "the process of gathering domain account credentials in order to silently create subdomains pointed at malicious servers without tipping off the actual owner." It is a variant of a fast-flux domain name attack.
In an attack that includes domain shadowing, an attacker will log into the domain register's website to set up a new subdomain registered to a new server IP address. By registering many subdomain names and IP addresses, attackers are able to avoid blacklists, but it does not allow attackers to bypass reputation-based filters.
Domain shadowing can then be used to embed a DNS name in the malware, which could be used to download the malware from a compromised webhost or dictate where a compromised system should send stolen data.
Enterprise defenses against domain shadowing are fraught with difficulty since many of the same techniques used by domain shadowing are also used legitimately by Web hosting companies.
There are some steps enterprises can take, however. For example, IP addresses could be checked against a reputation-based blacklist to see if it resolves to multiple names or IP addresses, and then heuristic behavioral analysis could be used to identify which potentially malicious network connections require further investigation.
Ask the Expert:
SearchSecurity expert Nick Lewis is ready to answer your enterprise threat questions -- submit them now. (All questions are anonymous.)
Learn about the latest malware advanced evasion techniques
Cisco says business need to prioritize cyberattack detection
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
Researchers developed aIR-Jumper, an exploit that leverages lights within security cameras to extract data. Learn how this attack works and how to ... Continue Reading
The com.google.provision virus reportedly targets Android users, but little is known about it. Nick Lewis discusses the mystery threat and how Common... Continue Reading
A bug in Microsoft's Internet Explorer update exposes information that users enter into the browser's address bar. Learn more about the bug and URL ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.