Malware That Modifies the Routing Table on Infected Hosts

Beyond modifying hosts files to block access to security domains, malware can modify the routing table on infected hosts after receiving null-routing instructions through HTTP-based C&C channels. Arbor Networks documented this self-defense approach in Shiz and Rohimafo malware variants.

It’s not uncommon to see malware modify the hosts file to prevent the infected system from accessing certain domains, such as those that belong to anti-virus and other security companies. This is usually a self-defending trait of the malicious program.

In contrast, Arbor Networks described another approach that malware can take to block access to undesirable domains: it can modify the routing table on the infected host after receiving null-routing instructions through an HTTP-based Command-and-Control (C&C) channel. Because the change lives in the kernel's routing table rather than in a file, a hosts-file integrity check will not notice it; the routing table itself has to be inspected.
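As an added example that is not part of the original post, the following defender-side check parses routing-table output for the kind of null routes such an instruction would leave behind. It assumes those routes show up as reject-type entries (blackhole, unreachable, prohibit) or as a non-loopback host pinned to `lo` on Linux, and as /32 host routes via 127.0.0.1 on Windows; this is a heuristic about how null-routing appears in a table, not a description of how Shiz or Rohimafo implement it, and both sample outputs are constructed.

```python
import ipaddress
# Constructed sample of Linux `ip route show` output: the reject-type entries and
# the host pinned to "lo" are null routes of the kind the post describes.
SAMPLE_IP_ROUTE = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
blackhole 203.0.113.10/32
unreachable 198.51.100.7
prohibit 192.0.2.0/24
203.0.113.44 dev lo scope link
"""
# Constructed sample of the IPv4 "Active Routes" section of Windows `route print`;
# only the 203.0.113.10 row is a host route to a non-loopback address via loopback.
SAMPLE_ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
        127.0.0.1  255.255.255.255          On-link       127.0.0.1    331
     203.0.113.10  255.255.255.255        127.0.0.1       127.0.0.1      1
      192.168.1.0    255.255.255.0          On-link    192.168.1.50    281
"""
REJECT_TYPES = {"blackhole", "unreachable", "prohibit"}

def suspicious_linux_routes(output):
    """Destinations that are explicitly rejected or pinned to the loopback device."""
    hits = []
    for line in output.splitlines():
        fields = line.split()
        if not fields or fields[0] == "default":
            continue
        if fields[0] in REJECT_TYPES:  # reject-type route: packets are dropped
            hits.append(str(ipaddress.ip_network(fields[1], strict=False)))
            continue
        dst = ipaddress.ip_network(fields[0], strict=False)
        on_lo = "dev" in fields and fields[fields.index("dev") + 1] == "lo"
        if on_lo and not dst.is_loopback:  # real address sent to loopback
            hits.append(str(dst))
    return hits

def suspicious_windows_routes(output):
    """Host routes (/32) for non-loopback destinations that go via 127.0.0.1."""
    hits = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[0][0].isdigit():
            continue  # header, blank or section lines
        dest, mask, gateway, iface = fields[:4]
        via_lo = mask == "255.255.255.255" and "127.0.0.1" in (gateway, iface)
        if via_lo and not ipaddress.ip_address(dest).is_loopback:
            hits.append(dest)
    return hits
```

Feed the functions the live output of `ip route show` or `route print` and compare the hits against the addresses your security tooling resolves to; IPv6 tables are not covered here.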

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. As CISO at Axonius, he leads the security and IT program, focusing on trust and growth. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.