Modified DGA Changer Malicious Program Evades Sandbox Detection

According to investigators at Seculert the security company, the criminal gang responsible for the DGA Changer installer, well-known for its notoriety, made alterations to the malware so it may evade sandbox detection.

In one new report by Seculert, it has been described how DGA Changer currently produces one false series of domains in case the malware finds itself getting run on a virtual system.

According to Aviv Raff Chief Technology Officer at Seculert, when the DGA Changer exists inside a sandbox, it means it's searching disk artifacts inside registry alternatively a particular hard drive. Thus, if the malware finds itself inside VBox or VMware instead of any real environment, it won't produce the real series of domains for communication rather it will produce one false series of domains. Indeed, the sandbox remains unaware of the real series getting utilized, Raff says. Threatpost.com reported this dated August 6, 2015.

Raff further says that probably the more fascinating fact is about cyber-criminals registering a few of the falsely produced domains followed with supplying a rather copycat executable, which merely exists doing nothing.

In the meantime, it was in February that the modified DGA.Changer's foremost variant got identified; however, many iterations got issued from that time on, each having separate phony as well as early seeds.

Raff explains that the modified DGA.Changer edition's discovery once again shows how prevention strategies with 'sandbox only' are not enough while there is need for adding to them detection methods based on post-infection analytics. According to him, within the cyber-security world of cat and mouse chase, cyber-criminals keep on adapting to latest protection mechanisms, therefore, security professionals engaged in cyber-threat defense operations too should keep on adapting. Securityweek.com reported this dated August 7, 2015.

DGA.Changer isn't the sole malicious program which demonstrates clever DGA technique. Trojan Rovnix's DGA produces domains for its CnC (command-and-control) utilizing arbitrary words from the GNU Lesser General Public License and United States Declaration of Independence documents.

Similarly, Trojan Matsnu produces domain names with 24 characters that include verbs and nouns the attacker enters alternatively taken from certain specified catalog of the words.

» SPAMfighter News - 8/19/2015