
Updated DGA Changer Malware Generates Fake Domain Stream


Jasper_The_Rasper
Moderator
by Michael Mimoso    August 6, 2015
Researchers at Seculert today published a report on the latest twist to DGA Changer, which now is able to generate a fake stream of domains if it detects it’s being executed in a virtual machine, a hallmark of security analysis.

“If it’s in a sandbox, the malware is looking for specific hard drive or disk artifacts within the registry. So once it identifies that it’s not in a real environment, but in VMware or VBox, it will instead of generating a real stream of domains to communicate with, it will generate a fake stream,” said Seculert chief technology officer Aviv Raff here at the Black Hat conference. “The sandboxes don’t know the actual stream being used.”
Full Article

2 replies

By Eduard Kovacs on August 07, 2015

A new version of the DGA.Changer malware uses some new techniques to trick sandbox solutions and researchers, according to breach detection company Seculert.
Seculert started monitoring DGA.Changer, a threat designed to download other malware onto infected systems, in 2013. This was one of the pieces of malware used by the malicious actors who breached the official PHP website in October 2013.
The security firm revealed in December 2013 that the threat, which had infected more than 6,500 devices, was attempting to evade detection by changing domain generation algorithm (DGA) seeds.
Seculert says malware authors have now made DGA.Changer even more difficult to detect by traditional sandboxes.
When it infects a system, the downloader checks the registry for disk artifacts that indicate the presence of a virtual environment such as VMware and VirtualBox. If the presence of a sandbox is detected, the DGA seed is changed so that the malware communicates with a list of fake domains.

Full Article

By: Sara Peters

New 'imitation game' feature helps botnet-for-rent fool security tools that use sandboxing.

DGA.Changer has added a new trick to its arsenal: a technique to fool security tools into thinking they've captured it while it's already slipped away, according to new research from Seculert.
DGA.Changer is a botnet-for-rent used for click fraud campaigns, information-stealing, and delivering remote access Trojans, and is sold for targeted purposes as well.
It uses an infinite domain generation algorithm (DGA), plus the command-and-control server can issue commands to the bots to change the DGA seed (hence the name). This always made it difficult to detect, because as Seculert described when first detailing the malware in 2013, "the initial sample will reveal the domain name streams before the change — which no longer resolve to the C2 server."

Full Article
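The three articles above describe the same mechanism from a defender's point of view: the domains a sandbox observes are only useful as indicators if the sample produced the same stream it would produce on a victim machine, and a seed that changes with the environment breaks that assumption. The following Python is an added illustration, not code from Seculert or from DGA.Changer itself. It uses a constructed toy hash-chain DGA (DGA.Changer's real algorithm is not on this page), models the seed switch as a plain boolean input rather than any real environment check, and shows two checks an analyst can make: whether the stream is environment-sensitive across differently-provisioned runs, and how much of the live stream a sandbox-derived blocklist would actually have covered. All seeds, run names and domain values are constructed for the example.

```python
import hashlib
from typing import Dict, List

TLDS = ("com", "net", "org")  # constructed TLD set for the toy generator


def dga_stream(seed: bytes, count: int) -> List[str]:
    """Toy seeded DGA (assumption: NOT DGA.Changer's real algorithm).

    Each step hashes the previous state, so a given seed always yields the
    same deterministic stream and a different seed yields an unrelated one.
    """
    domains = []
    state = seed
    for _ in range(count):
        state = hashlib.sha256(state).digest()
        label = "".join(chr(ord("a") + b % 26) for b in state[:12])
        tld = TLDS[state[12] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def observed_stream(real_seed: bytes, decoy_seed: bytes,
                    analysis_artifacts_detected: bool, count: int) -> List[str]:
    """Model of the behaviour the articles describe.

    The sample swaps to a decoy seed when it believes it is under analysis.
    The decision is passed in as a boolean; this function performs no
    environment probing of its own.
    """
    seed = decoy_seed if analysis_artifacts_detected else real_seed
    return dga_stream(seed, count)


def environment_sensitive(runs: Dict[str, List[str]]) -> bool:
    """Defender check: same sample, several environments, compare streams.

    Returns True when at least two runs produced different domain lists,
    which is the signal that sandbox-derived domains cannot be trusted
    without further work.
    """
    distinct = {tuple(stream) for stream in runs.values()}
    return len(distinct) > 1


def blocklist_coverage(sandbox_domains: List[str], live_domains: List[str]) -> float:
    """Fraction of domains contacted on a real host that a blocklist built
    only from the sandbox run would have caught."""
    if not live_domains:
        return 0.0
    known = set(sandbox_domains)
    hits = sum(1 for d in live_domains if d in known)
    return hits / len(live_domains)


def demo() -> Dict[str, object]:
    """Runs the scenario end to end with constructed seeds and returns the
    two measurements so they can be inspected or asserted on."""
    real_seed = b"constructed-real-seed"     # constructed value
    decoy_seed = b"constructed-decoy-seed"   # constructed value
    count = 8

    runs = {
        "victim-host": observed_stream(real_seed, decoy_seed, False, count),
        "analysis-vm": observed_stream(real_seed, decoy_seed, True, count),
    }
    return {
        "environment_sensitive": environment_sensitive(runs),
        "coverage_from_sandbox": blocklist_coverage(runs["analysis-vm"],
                                                    runs["victim-host"]),
        "runs": runs,
    }


if __name__ == "__main__":
    result = demo()
    for name, stream in result["runs"].items():
        print(name, stream[:3], "...")
    print("environment sensitive:", result["environment_sensitive"])
    print("sandbox blocklist coverage of live stream:",
          result["coverage_from_sandbox"])
```

The practical reading of the two numbers: a `True` from `environment_sensitive` means the sample behaves differently depending on where it runs, and a coverage of `0.0` means a blocklist built from the sandbox stream would have stopped none of the domains the sample contacts on a real host. Running the same sample on bare metal or in a differently-provisioned VM and diffing the streams is the cheap way to notice this before the sandbox output is turned into indicators.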
