Geographic breakdown of machines infected by DGA.Changer
Eight weeks after hackers compromised the official PHP website and laced it with attack code, outside security researchers have uncovered evidence that some visitors were exposed to malware that’s highly unusual, if not unique.
Israel-based Seculert said about 6,500 computers are infected by DGA.Changer, a malware title whose sole job is to surreptitiously download other malware onto compromised systems. One of five distinct malware types served to visitors of php.net from October 22 to October 24, DGA.Changer employs a novel way of evading detection and takedown attempts. Like previous trojans equipped with domain-generation algorithms, DGA.Changer is able to make on-the-fly changes to the command-and-control (C2) domain names that infected machines contact to send data and receive instructions. That stymies takedown campaigns that simply take control of the C2 domain names. DGA.Changer takes this evasive move one step further by allowing operators to change the algorithm “seed” that generates a specific set of pseudo-random domains.
“As a result, they’re extremely difficult to detect by traditional security methods (i.e. those that only use a sandbox), since the initial sample will reveal the domain name streams before the change—which no longer resolve to the C2 server,” Seculert researcher and CTO Aviv Raff wrote in a blog post published Wednesday. Researchers typically use Cuckoo Sandbox and similar automated malware analysis systems to run recently discovered malware samples in a controlled environment.
If the DGA.Changer seeds in the sandboxes don’t match those of versions running in the wild, researchers can’t continue to monitor communications sent to the C2 servers.