
Emerging Evasion Techniques: Domain Shadowing

Posted on 04/08/2015, by Antonio López (INCIBE)

As in a game of cat and mouse, the measures taken by security companies to detect malware and counter its actions are answered by the creators of malicious software with techniques to get round those defences. The Domain Name System (DNS) is among the protocols most widely abused to avoid detection and to frustrate the identification and neutralization of malicious sites.

As described in the article "Use and Abuse of DNS", DNS fast flux strategies are very commonly used. The technique is effective, but it requires a large number of IP addresses so that domain resolution keeps changing and the malicious element cannot be pinned down. Moreover, once the domain has been identified it can be neutralized by sink-holing, so this approach has to be complemented with other strategies such as domain generation algorithms (DGAs).

This situation is a headache for the ill-intentioned people running botnets, since they need to keep their control as extensive and as distributed as possible. The discovery and analysis of recent samples of advanced malicious software such as the Angler Exploit Kit has made it clear that a new evasion trend is establishing itself, termed domain shadowing.

Domain Shadowing

This evasive strategy, first evidence of which dates from late 2011, has been gaining ground recently, as is shown by the results of investigations carried out by Cisco Systems:


Illustrating explosion of usage since December-2014. Larger bubble indicates more events.(As of mid February)

Evidence for Angler Exploit Kit and the Use of Domain Shadowing. SOURCE: Cisco

Domain shadowing involves taking control of a registered domain by obtaining its administrator credentials, so that DNS entries for new sub-domains can be created at will. By creating a horde of sub-domains, the attacker builds up the largest possible list of hostnames. This approach has proved highly effective at dodging standard blocking techniques such as blacklisting or sink-holing sites or IP addresses.

Unlike fast flux, where the IP address assigned to a single domain changes rapidly, domain shadowing rotates through the sub-domains associated with a domain. These sub-domains may point to a single IP address or to a set of them, according to needs and circumstances.

Operations with Domain Shadowing

A study undertaken by the Talos group at Cisco showed that the use of sub-domains is intelligently organized into levels. Imagine that the domain "myexampledomain.com" has been compromised and is under the control of cyber-criminals. The attacker generates a random number of sub-domains with plausible names based on common words, for example gateway.myexampledomain.com.

These sub-domains form an initial level hosting entry pages, which include an "add-on" that quickly redirects users to other (redirection) sub-domains with random names such as 5df4f7hsf.myexampledomain.com, or even to a different domain that is also under malicious control. There may even be a fourth level of domain, which makes the communications flow harder still to trace. Rapid rotation through different random sub-domains eventually takes victims to a sub-domain that hosts an exploit to infect them (the exploitation level). This series of redirections, together with the organization into sub-domains, provides an efficient mechanism for avoiding detection and blocking. The IP addresses of the sub-domains are normally rotated frequently to make the evasion strategy more effective.

The Succession of Events in an Infection Using Domain Shadowing

The Succession of Events in an Infection Using Domain Shadowing. SOURCE: McAfee


The IP addresses and sub-domains used in domain shadowing change rapidly, so counter-measures such as adding them to blacklists are of little use. Detecting this strategy involves looking for sub-domains that resolve to a shared IP address or that hang off a single second-level domain. The difficulty is that numerous cloud service providers make use of a large range of semi-random sub-domains, which can inflate the number of false positives.
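As an added example (not part of the original article), the following Python script applies that detection idea to a constructed set of passive-DNS style records: it groups hostnames by second-level domain, flags domains whose many random-looking sub-domains resolve to few IP addresses, and uses an allowlist to damp the cloud-provider false positives just mentioned. All hostnames, IPs and the allowlist entry are made up, and the `apex_of` helper assumes no public-suffix handling.

```python
import math
from collections import defaultdict

# Constructed passive-DNS style records (hostname, resolved IP); names and addresses are invented.
SAMPLE_RECORDS = [
    ("www.myexampledomain.com", "203.0.113.10"),
    ("gateway.myexampledomain.com", "198.51.100.7"),
    ("5df4f7hsf.myexampledomain.com", "198.51.100.7"),
    ("k9q2zxv1.myexampledomain.com", "198.51.100.7"),
    ("h7t3pqm8.myexampledomain.com", "198.51.100.9"),
    ("x2c8vbn4.myexampledomain.com", "198.51.100.9"),
    ("a1b2c3d4e5.cloudhost.example", "192.0.2.5"),
    ("f6g7h8i9j0.cloudhost.example", "192.0.2.5"),
    ("k1l2m3n4o5.cloudhost.example", "192.0.2.6"),
    ("p6q7r8s9t0.cloudhost.example", "192.0.2.6"),
]

# Constructed allowlist of providers that legitimately hand out semi-random
# sub-domains; this is how the false positives the article mentions are damped.
KNOWN_CLOUD_APEXES = {"cloudhost.example"}

def apex_of(hostname):
    """Second-level domain = last two labels (assumption: no public-suffix handling)."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])

def looks_random(label):
    """Heuristic: digits mixed with letters plus high character entropy (e.g. 5df4f7hsf)."""
    if len(label) < 6 or not any(c.isdigit() for c in label):
        return False
    freq = [label.count(c) / len(label) for c in set(label)]
    return -sum(p * math.log2(p) for p in freq) > 2.5

def shadowing_candidates(records, allowlist=KNOWN_CLOUD_APEXES,
                         min_subdomains=4, min_random_share=0.5):
    """Flag apexes with many, mostly random-looking sub-domains sharing few IPs."""
    subs, ips = defaultdict(set), defaultdict(set)
    for host, ip in records:
        subs[apex_of(host)].add(host)
        ips[apex_of(host)].add(ip)
    flagged = {}
    for apex, hosts in subs.items():
        if apex in allowlist or len(hosts) < min_subdomains:
            continue
        share = sum(looks_random(h.split(".")[0]) for h in hosts) / len(hosts)
        if share >= min_random_share and len(ips[apex]) < len(hosts):
            flagged[apex] = {"subdomains": len(hosts), "ips": len(ips[apex]),
                             "random_share": round(share, 2)}
    return flagged
```

Running `shadowing_candidates(SAMPLE_RECORDS)` flags only myexampledomain.com; passing an empty allowlist also flags the cloud provider, which is the false-positive trade-off the thresholds and allowlist exist to tune.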

One Origin, Many Problems

Once again, this is a strategy that takes advantage of stolen credentials and of poor password and resource administration practices. Phishing and social engineering attacks are almost always present in major computer attacks or thefts of information. In attacks like domain shadowing, the large number of domains compromised and of users affected makes it very difficult to monitor those domains and predict what will happen.