Malware That Modifies the Routing Table on Infected Hosts

It’s not uncommon to see malware modify the hosts file to prevent the infected system from accessing certain domains, such as those that belong to anti-virus and other security companies. This is usually a self-defending trait of the malicious program.

In contrast, Arbor Networks described another approach that malware can take to block access to undesirable domains: it can modify the routing table on the infected host after receiving the null-routing instructions through an HTTP-based Command-and-Control (C&C) channel.
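Both tricks leave a footprint on the host that a responder can check for: discard-type routes in the routing table and security-related hostnames pinned to a sinkhole address in the hosts file. The script below is an added example (not from the original post or from Arbor's write-up) that flags both; it assumes Linux `ip route show` output and a POSIX-style hosts file, and the route lines and hostnames it inspects are constructed samples, not real vendor addresses.

```python
from typing import Dict, List

# Constructed sample output of `ip route show`, with two added discard routes
# (documentation-range addresses, not real security-vendor prefixes).
SAMPLE_ROUTES = """\
default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
blackhole 203.0.113.0/24
unreachable 198.51.100.7
"""

# Constructed sample /etc/hosts with two names redirected to a sinkhole.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost
0.0.0.0 update.example-av.test   # hypothetical vendor update host
127.0.0.1 www.example-security.test
"""

# Route types that silently drop or reject traffic to the destination.
NULL_ROUTE_TYPES = {"blackhole", "unreachable", "prohibit"}
# Addresses commonly used to pin a hostname to nowhere.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def find_null_routes(route_output: str) -> List[str]:
    """Return the destinations of every discard-type route in `ip route` output."""
    hits = []
    for line in route_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] in NULL_ROUTE_TYPES:
            hits.append(fields[1])
    return hits


def find_hosts_overrides(hosts_text: str) -> Dict[str, str]:
    """Map each non-local hostname pinned to a sinkhole address to that address."""
    overrides: Dict[str, str] = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if addr in SINKHOLE_ADDRS:
            for name in names:
                if name not in LOCAL_NAMES:
                    overrides[name] = addr
    return overrides
```

On a live system, feed the script the output of `ip route show` and the contents of `/etc/hosts` and review any hit against the host's expected configuration, since administrators also add blackhole routes and hosts entries legitimately.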

Lenny Zeltser


About the Author

Lenny Zeltser is a seasoned business and tech leader with extensive cybersecurity experience. He builds innovative endpoint defense solutions as VP of Products at Minerva Labs. Beforehand, he was responsible for security product management at NCR Corp. Lenny also trains incident response and digital forensics professionals at SANS Institute. An engaging presenter, he speaks at industry events, writes articles and has co-authored books. Lenny has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.