Hackers who breached php.net exposed users to highly unusual malware

  • 18 December 2013
  • 2 replies
  • 5081 views

Userlevel 7
Badge +54
Eight weeks after hackers compromised the official PHP website and laced it with attack code, outside security researchers have uncovered evidence that some visitors were exposed to malware that's highly unusual, if not unique.

Israel-based Seculert said about 6,500 computers are infected by DGA.Changer, a malware title whose sole job is to surreptitiously download other malware on compromised systems. One of five distinct malware types served to visitors of php.net from October 22 to October 24, DGA.Changer employs a novel way of evading detection and takedown attempts. Like previous trojans equipped with domain-generation algorithms, DGA.Changer is able to make on-the-fly changes to the command-and-control (C2) domain names that infected machines contact to send data and receive instructions. That stymies takedown campaigns that simply take control of the C2 domain names. DGA.Changer takes this evasive move one step further by allowing operators to change the algorithm "seed" that generates a specific set of pseudo-random domains.

"As a result, they're extremely difficult to detect by traditional security methods (i.e. those that only use a sandbox), since the initial sample will reveal the domain name streams before the change—which no longer resolve to the C2 server," Seculert researcher and CTO Aviv Raff wrote in a blog post published Wednesday. Researchers typically use Cuckoo Sandbox and similar automated malware analysis systems to run recently discovered malware samples in a controlled environment. If the DGA.Changer seeds in the sandboxes don't match those of versions running in the wild, researchers can't continue to monitor communications sent to the C2 servers.
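To illustrate the paragraph above in code: this is an added example, not from the article or from Seculert, and it uses a constructed toy DGA (a hash of seed and date, not DGA.Changer's real algorithm) plus constructed DNS log lines. The seeds, host name and log format are invented. A blocklist computed from the seed seen in a sandbox matches the infected host's queries only while the host still runs that same seed.

```python
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org")


def generate_domains(seed: str, day: date, count: int = 4) -> list[str]:
    """Constructed toy DGA (not DGA.Changer's real algorithm): the domain stream
    is a pure function of (seed, date), so a new seed yields a new stream."""
    out = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).hexdigest()
        out.append(f"{digest[:12]}.{TLDS[i % len(TLDS)]}")  # hex chars form a valid label
    return out


def sandbox_blocklist(sample_seed: str, start: date, days: int = 3) -> set[str]:
    """What a sandbox run hands a defender: every domain the captured sample
    would contact over the next `days` days, derived from the seed in that sample."""
    return {d for n in range(days)
            for d in generate_domains(sample_seed, start + timedelta(days=n))}


def dns_log_lines(host: str, live_seed: str, day: date) -> list[str]:
    """Constructed DNS query log from an infected host whose bot now runs `live_seed`."""
    return [f"{day.isoformat()}T10:00:{i:02d} {host} query A {d}"
            for i, d in enumerate(generate_domains(live_seed, day))]


def match_hits(log_lines: list[str], blocklist: set[str]) -> list[str]:
    """Detection the way a resolver or IDS blocklist does it: exact match on the queried name."""
    return [line for line in log_lines if line.rsplit(" ", 1)[-1] in blocklist]


def seed_change_demo(sandbox_seed: str, live_seed: str) -> int:
    """Number of the infected host's queries the sandbox-derived blocklist catches."""
    day = date(2013, 10, 22)  # start of the php.net exposure window named in the article
    block = sandbox_blocklist(sandbox_seed, day)
    return len(match_hits(dns_log_lines("host-17", live_seed, day), block))


if __name__ == "__main__":
    print("same seed, hits:", seed_change_demo("seed-A", "seed-A"))
    print("seed changed by operator, hits:", seed_change_demo("seed-A", "seed-B"))
```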
 
2 replies

Userlevel 5
Badge +22
 
Sorry for the bother but... could the following be explained in terms even I could understand?  I thought I might have understood the last sentence, but after rereading, apparently not.
 
"As a result, they're extremely difficult to detect by traditional security methods (i.e. those that only use a sandbox), since the initial sample will reveal the domain name streams before the change—which no longer resolve to the C2 server," Seculert researcher and CTO Aviv Raff wrote in a blog post published Wednesday. Researchers typically use Cuckoo Sandbox and similar automated malware analysis systems to run recently discovered malware samples in a controlled environment. If the DGA.Changer seeds in the sandboxes don't match those of versions running in the wild, researchers can't continue to monitor communications sent to the C2 servers.
 
 
Userlevel 7
Badge +54
I thought I had understood it but after reading it again several times I can see what you mean, it could have been explained in simpler terms I am sure.