Malware That Modifies the Routing Table on Infected Hosts

It’s not uncommon to see malware modify the hosts file to prevent the infected system from accessing certain domains, such as those that belong to anti-virus and other security companies. This is usually a self-defending trait of the malicious program.

In contrast, Arbor Networks described another approach that malware can take to block access to undesirable domains: it can modify the routing table on the infected host after receiving the null-routing instructions through an HTTP-based Command-and-Control (C&C) channel.

Lenny Zeltser


About the Author

Lenny Zeltser develops teams, products, and programs that use information security to achieve business results. Over the past two decades, Lenny has been leading efforts to establish resilient security practices and solve hard security problems. As a respected author and speaker, he has been advancing cybersecurity tradecraft and contributing to the community. His insights build upon 20 years of real-world experiences, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.

Learn more