Malware That Modifies the Routing Table on Infected Hosts

It’s not uncommon to see malware modify the hosts file to prevent the infected system from accessing certain domains, such as those that belong to anti-virus and other security companies. This is usually a self-defending trait of the malicious program.

In contrast, Arbor Networks described another approach that malware can take to block access to undesirable domains: it can modify the routing table on the infected host after receiving the null-routing instructions through an HTTP-based Command-and-Control (C&C) channel.

Lenny Zeltser

Updated

About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise, allow me to create practical solutions that drive business growth.

Learn more