pixel_dreams - Fotolia

Problem solve Get help with specific problems with your technologies, process and projects.

What is domain shadowing and how can enterprises defend against it?

Exploit kits and malware attacks have adopted a technique called domain shadowing to stay ahead of the game. Learn what domain shadowing is and how to defend against attacks using it.

The Angler exploit kit has reportedly adopted a new evasion technique called "domain shadowing." What is this technique...

and how can it be used in a malware attack? Are there special defenses against malware that uses a shadow domain?

Exploit kits must adopt new techniques to both compete with other exploit kits and remain profitable. If an attacker can't profit from an exploit kit, he will need to either amend the current kit or switch to a new one. Improving evasion techniques also helps attackers be more successful.

According to Cisco Talos researchers, domain shadowing is "the process of gathering domain account credentials in order to silently create subdomains pointed at malicious servers without tipping off the actual owner." It is a variant of a fast-flux domain name attack.

In an attack that includes domain shadowing, an attacker will log into the domain register's website to set up a new subdomain registered to a new server IP address. By registering many subdomain names and IP addresses, attackers are able to avoid blacklists, but it does not allow attackers to bypass reputation-based filters.

Domain shadowing can then be used to embed a DNS name in the malware, which could be used to download the malware from a compromised webhost or dictate where a compromised system should send stolen data.

Enterprise defenses against domain shadowing are fraught with difficulty since many of the same techniques used by domain shadowing are also used legitimately by Web hosting companies.

There are some steps enterprises can take, however. For example, IP addresses could be checked against a reputation-based blacklist to see if it resolves to multiple names or IP addresses, and then heuristic behavioral analysis could be used to identify which potentially malicious network connections require further investigation.

Ask the Expert:
SearchSecurity expert Nick Lewis is ready to answer your enterprise threat questions -- submit them now. (All questions are anonymous.)

Next Steps

Learn about the latest malware advanced evasion techniques

Cisco says business need to prioritize cyberattack detection

This was last published in September 2015

Dig Deeper on Malware, virus, Trojan and spyware protection and removal