PHP Website Hacked with Highly Unusual Malware

Arstechnica.com reported on 18th December, 2013 stating that some security experts have discovered evidence proving exposition of some visitors to a highly unusual malware, if not unique, after eight weeks of compromising of the certified PHP web site php.net and maligned it with malware by hackers.

Seculert, based in Israel, said that an estimated 6,500 machines are tainted by DGA.Changer which is a malware whose only work is to secretly download other malicious software into hijacked systems.

One of the five types of distinct malware handed out to users of php.net during 22nd October (2013) to 24th October (2013) DGA.Changer uses a new way of dodging discovery and bringing down attempts. Similar to previous 'Trojans' fitted with domain-generation algorithms, DGA.Changer can create on-the-fly modifications to the C2 (command-and-control) domain names which tainted machines contact to drive data and receive commands.

After inspecting a new machine, the DGA.Changer sends a variety of data back to attackers including the OS information, edition of Adobe Flash operating, DGA seed, on the machine even if the malware is operating in a virtual machine.

Threatpost.com reported on 18th December, 2013 quoting Aviv raff, CTO of Seculert as saying "After digging into the malware used in the PHP.net attack, it appears that the malware also uses some more extensive attack."

Raff said, "We have first noticed the capability of DGA changing on the same day of the attack on php.net but there may have been diverse options of this malware without this new-fangled method employed by the same criminals beforehand. Apparently, this is a pay-per-install service that in place of selling by region, targets specific organizations."

Researchers of Seculert said that there are DGA.Changer infections around the world with most of them found in the US. What DGA.Changer does in future remains a question mark, however, experts say that the potentiality to change the DGA seed indicates more to come.

Companies would need a tool which looks for abnormal behavior in network traffic to defend against DGA.Changer. The malware has a tendency to produce strange traffic by inquiring lots of domains in hunt of the one that directs to the C&C server.

» SPAMfighter News - 12/26/2013