The Angler exploit kit has reportedly adopted a new evasion technique called "domain shadowing." What is this technique...
and how can it be used in a malware attack? Are there special defenses against malware that uses a shadow domain?
Exploit kits must adopt new techniques to both compete with other exploit kits and remain profitable. If an attacker can't profit from an exploit kit, he will need to either amend the current kit or switch to a new one. Improving evasion techniques also helps attackers be more successful.
According to Cisco Talos researchers, domain shadowing is "the process of gathering domain account credentials in order to silently create subdomains pointed at malicious servers without tipping off the actual owner." It is a variant of a fast-flux domain name attack.
In an attack that includes domain shadowing, an attacker will log into the domain register's website to set up a new subdomain registered to a new server IP address. By registering many subdomain names and IP addresses, attackers are able to avoid blacklists, but it does not allow attackers to bypass reputation-based filters.
Domain shadowing can then be used to embed a DNS name in the malware, which could be used to download the malware from a compromised webhost or dictate where a compromised system should send stolen data.
Enterprise defenses against domain shadowing are fraught with difficulty since many of the same techniques used by domain shadowing are also used legitimately by Web hosting companies.
There are some steps enterprises can take, however. For example, IP addresses could be checked against a reputation-based blacklist to see if it resolves to multiple names or IP addresses, and then heuristic behavioral analysis could be used to identify which potentially malicious network connections require further investigation.
Ask the Expert:
SearchSecurity expert Nick Lewis is ready to answer your enterprise threat questions -- submit them now. (All questions are anonymous.)
Learn about the latest malware advanced evasion techniques
Cisco says business need to prioritize cyberattack detection
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading
Enterprises new to the cloud can write new security policies from scratch, but others with broad cloud usage may need an update. Consider these ... Continue Reading