Seculert says the threat is mainly designed to download other pieces of malware

Dec 18, 2013 15:57 GMT

When cybercriminals compromised php.net servers in October, they deployed an exploit kit that served five different types of malware. One of them is a downloader dubbed DGA.Changer. The threat has been thoroughly investigated by researchers from Seculert.

DGA.Changer has infected computers from all over the world. However, most infections (59%) have been spotted in the United States. Experts have observed 6,500 unique IP addresses communicating with the threat’s command and control (C&C) servers.

As you might have guessed, the researchers have used “DGA” for the malware’s name because it uses an infinite Domain Generation Algorithm.

But why “changer”? That’s because the bot can receive a command from the C&C server to change the DGA seed.

“Once the bots receive a command to update their seed, each of them can connect to a different stream of domain names,” Aviv Raff, CTO at Seculert, noted in a blog post.

“As a result, they’re extremely difficult to detect by traditional security methods (i.e. those that only use a sandbox), since the initial sample will reveal the domain name streams before the change — which no longer resolve to the [C&C] server,” he added.
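The staleness problem Raff describes can be shown with a small simulation. This is an added example, not Seculert's analysis and not DGA.Changer's real algorithm (the article does not publish it): a constructed seed-plus-index toy DGA, a blocklist built from the domains a sandbox run would reveal, and a seed-agnostic label heuristic that keeps working after a “change seed” command.

```python
import hashlib
import math
from collections import Counter

# Constructed toy DGA deriving a label from (seed, index). It is NOT DGA.Changer's
# real generator; it only stands in for "a different seed gives a different stream".
def toy_dga(seed: str, index: int, tld: str = ".com") -> str:
    digest = hashlib.sha256(f"{seed}:{index}".encode()).hexdigest()
    label = "".join(chr(97 + int(digest[i:i + 2], 16) % 26) for i in range(0, 32, 2))
    return label + tld

def domain_stream(seed: str, start: int, count: int) -> list[str]:
    """Domains a bot with this seed would try, starting at index `start`."""
    return [toy_dga(seed, i) for i in range(start, start + count)]

def blocklist_coverage(blocklist: set[str], observed: list[str]) -> float:
    """Fraction of observed lookups a static blocklist would have caught."""
    return sum(d in blocklist for d in observed) / len(observed)

def label_entropy(domain: str) -> float:
    """Shannon entropy (bits per character) of the left-most DNS label."""
    label = domain.split(".")[0]
    return -sum(c / len(label) * math.log2(c / len(label))
                for c in Counter(label).values())

def looks_generated(domain: str, min_len: int = 12, min_entropy: float = 2.5) -> bool:
    """Seed-agnostic heuristic: long, high-entropy labels are suspicious
    regardless of which seed produced them (a toy rule, not a full classifier)."""
    label = domain.split(".")[0]
    return len(label) >= min_len and label_entropy(domain) >= min_entropy

def simulate(sandbox_seed: str = "seed-A", new_seed: str = "seed-B", n: int = 20) -> dict:
    """Compare a sandbox-derived blocklist against traffic after a seed change."""
    blocklist = set(domain_stream(sandbox_seed, 0, n))   # what the sandbox revealed
    before = domain_stream(sandbox_seed, 0, n)            # bots still on the old seed
    after = domain_stream(new_seed, 0, n)                 # bots after the update command
    benign = ["example.com", "google.com"]                # constructed benign lookups
    return {
        "coverage_before": blocklist_coverage(blocklist, before),
        "coverage_after": blocklist_coverage(blocklist, after),
        "heuristic_after": sum(looks_generated(d) for d in after) / n,
        "heuristic_benign": sum(looks_generated(d) for d in benign) / len(benign),
    }

if __name__ == "__main__":
    print(simulate())
```

The blocklist catches every lookup on the sandbox seed and none after the re-seed, while the label heuristic still flags the new stream; in practice such heuristics are one signal among several (NXDOMAIN rates, newly registered domains, beaconing patterns).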

Experts highlight that DGA.Changer is designed to download other malware onto infected systems. However, at this point, it doesn’t download anything “interesting.”

Once it infects a device, the malware sends some information back to the C&C server, including DGA seed and index, Adobe Flash version data, details on the operating system, and information on whether or not a virtual machine has been detected.

DGA.Changer is capable of changing the User Agent and the connection configuration, changing DGA settings, downloading updates, and running executables.

One possibility is that the cybercriminals behind this threat are only selling bots on a pay-per-install basis and that they’re only installing other malware on the machines specified by their customers.

It’s worth noting that the creators of DGA.Changer are working on improving it. Researchers have already seen new versions. Seculert continues to monitor this threat.