A new version of the DGA.Changer malware uses some new techniques to trick sandbox solutions and researchers, according to breach detection company Seculert.
Seculert started monitoring DGA.Changer, a threat designed to download other malware onto infected systems, in 2013. This was one of the pieces of malware used by the malicious actors who breached the official PHP website in October 2013.
The security firm revealed in December 2013 that the threat, which had infected more than 6,500 devices, was attempting to evade detection by changing domain generation algorithm (DGA) seeds.
Seculert says malware authors have now made DGA.Changer even more difficult to detect by traditional sandboxes.
When it infects a system, the downloader checks the registry for disk artifacts that indicate the presence of a virtual environment such as VMware or VirtualBox. If a sandbox is detected, the DGA seed is changed so that the malware communicates with a list of fake domains.
The cybercriminals don’t seem to be content only with preventing researchers and sandboxes from efficiently analyzing the threat. They have actually purchased some of the fake domains and pointed them to a server that is set up to serve an executable file. This file doesn’t do anything after being executed, but this tactic could throw researchers off track.
“The goal here seems to be to fool sandbox solutions and/or researchers into believing the malware is fully functional and downloading additional components,” Aviv Raff, CTO of Seculert, wrote in a blog post.
The first variant of the new DGA.Changer was spotted in February, but several iterations have been released since, each with different initial and fake seeds.
“The discovery of this new version of DGA.Changer highlights yet again the limitations of ‘sandbox only’ prevention approaches and the need to complement them with post-infection analytics based detection techniques,” Raff said. “In the Spy vs. Spy world of cyber-security, the adversary is continuing to adapt to current defense techniques. Those of us in the cyber-threat defense business must continue to adapt as well.”
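One way to apply the post-infection analytics idea to the seed-switching behaviour described above is to compare the domains a sandbox run recorded with what hosts known to have run the sample actually looked up. This is an added example, not Seculert's method or code from the original article; the host names, domains, log format, function name and threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data, not real indicators.
SANDBOX_DOMAINS = {"decoy-one.example", "decoy-two.example"}  # seen in the sandbox run
INFECTED_HOSTS = {"ws-014", "lab-vm-01"}  # assumed: endpoint telemetry saw the sample here
DNS_LOG = [  # (host, queried domain, DNS response code)
    ("ws-014", "qzkvhtrw.example", "NXDOMAIN"),
    ("ws-014", "Mpxjwqbn.example.", "NXDOMAIN"),
    ("ws-014", "tbrlkzvd.example", "NXDOMAIN"),
    ("ws-014", "hdqwmznc.example", "NOERROR"),
    ("lab-vm-01", "decoy-one.example", "NOERROR"),
    ("lab-vm-01", "decoy-two.example", "NXDOMAIN"),
    ("ws-030", "intranet.example", "NOERROR"),
]


def assess_sandbox_iocs(sandbox_domains, dns_log, infected_hosts, nx_threshold=3):
    """Flag infected hosts whose DNS activity does not match the sandbox's domain list."""
    seen = defaultdict(set)    # host -> every domain it queried
    failed = defaultdict(set)  # host -> domains that did not resolve
    for host, domain, rcode in dns_log:
        if host not in infected_hosts:
            continue
        domain = domain.lower().rstrip(".")  # normalise case and trailing root dot
        seen[host].add(domain)
        if rcode == "NXDOMAIN":
            failed[host].add(domain)

    report = {}
    for host in sorted(infected_hosts):
        hits = seen[host] & sandbox_domains
        unexplained = failed[host] - sandbox_domains
        report[host] = {
            "sandbox_hits": sorted(hits),
            "unexplained_nxdomain": sorted(unexplained),
            # No overlap with the sandbox list plus a burst of failed lookups:
            # the sandbox-derived indicators likely came from a different seed.
            "divergent": not hits and len(unexplained) >= nx_threshold,
        }
    return report


if __name__ == "__main__":
    for host, row in assess_sandbox_iocs(SANDBOX_DOMAINS, DNS_LOG, INFECTED_HOSTS).items():
        print(host, row)
```

A host marked `divergent` is a cue to treat the sandbox's domain list as possibly decoy output and to build indicators from the endpoint's own lookups instead.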
DGA.Changer is not the only piece of malware that features a clever DGA mechanism. The DGA of the Rovnix Trojan generates command and control (C&C) domains using random words from documents such as the United States Declaration of Independence and the GNU Lesser General Public License.
The Matsnu Trojan generates 24-character domain names using a combination of nouns and verbs entered by the attacker or taken from a predefined list.