
Unique malware evades sandboxes

Discussion in 'Security Updates' started by starbuck, Jan 1, 2014.

    Malware utilized in the attack last month on the developers' site PHP.net used a unique approach to avoid detection, a security expert says.

    On Wednesday, security vendor Seculert reported finding that one of five malware types used in the attack had a unique cloaking property for evading sandboxes. The company called the malware DGA.Changer.

    DGA.Changer's only purpose was to download other malware onto infected computers, Aviv Raff, chief technology officer for Seculert, said on the company's blog. Seculert identified 6,500 compromised computers communicating with the malware's command and control server. Almost 60 percent were in the United States.

    What Seculert found unique was how the malware could receive a command from a C&C server to change the seed of the software's domain generation algorithm. The DGA periodically generates a large number of domain names as potential communication points to the C&C server, thereby making it difficult for researchers and law enforcement to find the right domain and possibly shut down the botnet.

    "What the attackers behind DGA did is basically change the algorithm on the fly, so they can tell the malware to create a new stream of domains automatically," Raff told CSOonline.

    When the malware generates the same list of domains, it can be detected in the sandbox where security technology will isolate suspicious files. However, changing the algorithm on demand means that the malware won't be identified.

    "This is a new capability that didn't exist before," Raff said. "This capability allows the attacker to bypass sandbox technology."

    Hackers working for a nation-state targeting specific entities, such as government agencies, think tanks or international corporations, would use this type of malware, according to Raff. Called advanced persistent threats, these hackers tend to use sophisticated attack tools.

    An exploit kit that served five different malware types was used in compromising two servers of PHP.net, a site for downloads and documentation related to the PHP general-purpose scripting language used in Web development. Google spotted four pages on the site serving malicious JavaScript that targeted personal computers, but ignored mobile devices.

    The attack was noteworthy because of the number of visitors to PHP.net, which is in the top 250 domains on the Internet, according to Alexa rankings.

    To defend against DGA.Changer, companies would need a tool that looks for abnormal behavior in network traffic. The malware tends to generate unusual traffic by querying lots of domains in search of the one leading to the C&C server.

    "Because this malware will try to go to different domains, it will generate suspicious traffic," Raff said.

    Seculert did not find any evidence that would indicate who was behind the PHP.net attack.

    "This is a group that's continuously updating this malicious software, so this is a work in progress," Raff said.


    Source:
    http://www.networkworld.com/news/2013/121913-unique-malware-evades-277089.html?source=nww_rss
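As an added illustration of the network-behaviour detection the article describes (this is not code from the article, from Seculert, or from the poster): a small Python scorer that flags hosts querying many distinct names, most of which fail to resolve. Because it scores behaviour rather than a known domain list, it does not care which seed the DGA is currently using. The resolver log format, the sample lines and the thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample resolver log (not from the article or Seculert):
# one query per line, "<time> <client_ip> <qname> <rcode>".
SAMPLE_LOG = """\
2013-12-19T10:00:01 10.0.0.5 www.php.net NOERROR
2013-12-19T10:00:02 10.0.0.5 static.php.net NOERROR
2013-12-19T10:00:04 10.0.0.5 www.php.net NOERROR
2013-12-19T10:00:03 10.0.0.7 kq3xv9wz2.com NXDOMAIN
2013-12-19T10:00:03 10.0.0.7 plm0r7tz1.net NXDOMAIN
2013-12-19T10:00:04 10.0.0.7 ze8qtm4av.org NXDOMAIN
2013-12-19T10:00:04 10.0.0.7 b7vq1xk9d.com NXDOMAIN
2013-12-19T10:00:05 10.0.0.7 rrq4n2jzm.net NXDOMAIN
2013-12-19T10:00:05 10.0.0.7 www.php.net NOERROR
2013-12-19T10:00:06 10.0.0.7 h3mq8t7vc.com NOERROR
"""

def parse_log(text):
    """Yield (client_ip, qname, rcode) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, client, qname, rcode = parts
        yield client, qname.lower(), rcode.upper()

def summarize(records):
    """Per client: total queries, set of distinct names, NXDOMAIN count."""
    stats = defaultdict(lambda: {"total": 0, "names": set(), "nx": 0})
    for client, qname, rcode in records:
        s = stats[client]
        s["total"] += 1
        s["names"].add(qname)
        if rcode == "NXDOMAIN":
            s["nx"] += 1
    return stats

def flag_dga_like(stats, min_distinct=5, min_nx_ratio=0.6):
    """Return clients whose lookups look like a DGA hunting for its C&C:
    many distinct names, most of which do not resolve. The thresholds are
    assumed starting values; tune them against the network's own baseline."""
    flagged = []
    for client, s in stats.items():
        distinct = len(s["names"])
        nx_ratio = s["nx"] / s["total"] if s["total"] else 0.0
        if distinct >= min_distinct and nx_ratio >= min_nx_ratio:
            flagged.append(client)
    return sorted(flagged)

if __name__ == "__main__":
    print(flag_dga_like(summarize(parse_log(SAMPLE_LOG))))  # ['10.0.0.7']
```

In a real deployment the same counters would be kept per client over a sliding time window, since a DGA host is distinguished by its burst of failing lookups, not by its lifetime totals.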