Eight weeks after hackers compromised the official PHP website and laced it with attack code, outside security researchers have uncovered evidence that some visitors were exposed to malware that’s highly unusual, if not unique.
Israel-based Seculert said about 6,500 computers are infected by DGA.Changer, a malware title whose sole job is to surreptitiously download other malware onto compromised systems. One of five distinct malware types served to visitors of php.net from October 22 to October 24, DGA.Changer employs a novel way of evading detection and takedown attempts. Like previous trojans equipped with domain-generation algorithms, DGA.Changer is able to make on-the-fly changes to the command-and-control (C2) domain names that infected machines contact to send data and receive instructions. That stymies takedown campaigns that simply take control of the C2 domain names. DGA.Changer takes this evasive move one step further by allowing operators to change the algorithm “seed” that generates a specific set of pseudo-random domains.
“As a result, they’re extremely difficult to detect by traditional security methods (i.e. those that only use a sandbox), since the initial sample will reveal the domain name streams before the change—which no longer resolve to the C2 server,” Seculert researcher and CTO Aviv Raff wrote in a blog post published Wednesday. Researchers typically use Cuckoo Sandbox and similar automated malware analysis systems to run recently discovered malware samples in a controlled environment. If the DGA.Changer seeds in the sandboxes don’t match those of versions running in the wild, researchers can’t continue to monitor communications sent to the C2 servers.
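To make the evasion concrete, here is an added example, not DGA.Changer's real algorithm and not code from Seculert or this article: a toy seeded DGA, a defender-side blocklist built from the seed a sandboxed sample reveals, and a check of how much of the live domain stream that blocklist still covers once the operators switch seeds. The hashing scheme, seed strings and dates are all constructed for illustration.

```python
import hashlib
from datetime import date


def dga_domains(seed: str, day: date, count: int = 5, tld: str = ".com"):
    """Toy DGA: derive `count` pseudo-random domains from (seed, date).
    Constructed for illustration; this is NOT DGA.Changer's algorithm."""
    domains = []
    for i in range(count):
        material = f"{seed}|{day.isoformat()}|{i}".encode()
        digest = hashlib.sha256(material).hexdigest()
        domains.append(digest[:12] + tld)
    return domains


def blocklist_from_sandbox(observed_seed: str, days):
    """Defender side: precompute the domain stream a sandboxed sample would
    contact, using the seed that sample carried when it was captured."""
    block = set()
    for d in days:
        block.update(dga_domains(observed_seed, d))
    return block


def detection_coverage(blocklist, live_seed: str, days) -> float:
    """Fraction of the live C2 candidate domains (generated with the seed the
    bots actually use now) that the blocklist would still catch."""
    live = set()
    for d in days:
        live.update(dga_domains(live_seed, d))
    return len(live & blocklist) / len(live)


if __name__ == "__main__":
    # Constructed dates matching the php.net exposure window in the article.
    days = [date(2013, 10, 22), date(2013, 10, 23), date(2013, 10, 24)]
    blocklist = blocklist_from_sandbox("seed-A", days)  # seed seen in sandbox
    # Same seed in the wild: the sandbox-derived blocklist covers everything.
    print("coverage, seed unchanged:", detection_coverage(blocklist, "seed-A", days))
    # Operators push a new seed via C2: the old stream no longer matches.
    print("coverage, seed changed:  ", detection_coverage(blocklist, "seed-B", days))
```

The second number is what Raff's point boils down to: a sandbox run reveals the stream for the seed it saw, and a seed change sends coverage to zero until the new seed is recovered from a fresh sample or from C2 traffic.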
So far, systems infected by DGA.Changer have remained eerily quiet. Since Seculert began monitoring the malware, the infected machines have downloaded only one file, and it was benign. Raff said he suspects the attackers are probably in the process of selling pay-per-install access to the compromised machines to specific parties. He bases the speculation on the knowledge that at least some of the infected population are PHP programmers who develop applications for a variety of sensitive websites around the world. That makes them high-value targets who are potentially worth large sums of money to the right buyers. The breach harkens back to other hacks from last year that infected developers at Facebook, Apple, and Twitter. Such hacks are often dubbed “watering hole” attacks because, like predators waiting at a jungle watering hole, they target victims at sites they’re known to visit.
He said his speculation is also supported by the finding that only 6,500 machines are infected by DGA.Changer.
“This is indeed a small number, which might indicate the targeted fashion of this pay-per-install service,” Raff wrote in an e-mail to Ars. “Instead of selling by quantity they are selling by quality, looking for specific companies (similar to the watering hole approach). This is probably the reason why they are sending information about the infected device back to the C2 server (OS, number of processors, is it a VM, etc.).”
In Wednesday’s blog post Raff added, “Our analysis at this point is that ‘no news is bad news.’ Why would adversaries deploy a malware which downloads nothing, on a site used by software developers, and then engineer it so that it can receive commands from a C2 server to change the DGA seed? It makes no sense—and that [is] worrisome. Not all adversaries are geniuses, but they typically have an agenda.”
Raff said other malware titles installed during the PHP breach included those used by the Zeus and ZeroAccess botnets. A researcher from antivirus provider Kaspersky Lab has also said the compromise caused php.net visitors to download Tepfer, a trojan that is now detected by 35 of the major AV products. DGA.Changer has the biggest hold on computers located in the US, with 59 percent of infections. Australia, Canada, and the UK are the next most affected regions, with six percent, five percent, and four percent, respectively.
PHP officials have pledged to provide a full post-mortem on the breach once their analysis is completed. With the passing of exactly eight weeks since this compromise was discovered, it’s about time they made good on that promise.