It’s not uncommon to see malware modify the hosts file to prevent the infected system from accessing certain domains, such as those that belong to anti-virus and other security companies. This is usually a self-defending trait of the malicious program.
In contrast, Arbor Networks described another approach that malware can take to block access to undesirable domains: it can modify the routing table on the infected host after receiving the null-routing instructions through an HTTP-based Command-and-Control (C&C) channel.
Updated September 17, 2010