LAS VEGAS — The group behind the DGA Changer downloader has been pretty adept at modifying the malware to elude sandbox detection in particular.
Researchers at Seculert today published a report on the latest twist to DGA Changer, which now is able to generate a fake stream of domains if it detects it’s being executed in a virtual machine, a hallmark of security analysis.
“If it’s in a sandbox, the malware is looking for specific hard drive or disk artifacts within the registry. So once it identifies that it’s not in a real environment, but in VMware or VBox, it will instead of generating a real stream of domains to communicate with, it will generate a fake stream,” Seculert chief technology officer Aviv Raff said here at the Black Hat conference. “The sandboxes don’t know the actual stream being used.”
Perhaps more interesting is that the attackers have registered some of the domains generated by the phony stream, and provide instead a dummy executable that does nothing but exit, Raff said.
Domain generation algorithms have been used by botnets for a long time as an evasion technique. The algorithms generate, in some cases on the fly, a list of new domains to use for communication with the attackers’ infrastructure. This avoids using a static list of domains that would be a sitting duck for analysts to spot.
“This is a first where it’s generating a fake DGA,” Raff said. “If people are looking at the malware and reversing it, or looking at dynamic analysis of the malware and run it for a long time, it doesn’t work because it’s not generating real domains.”
DGA Changer and its variants are for sale in cybercrime forums; this variant was spotted six months ago by Seculert, Raff said.
DGA Changer, in 2013, was the tool used in an attack against PHP.net. The version of DGA Changer at that time was adapted to receive commands from botmasters that change the seed it used to generate domains.
“Once the bots receive a command to update their seed, each of them can connect to a different stream of domain names,” Raff wrote in a report at the time. “As a result, they’re extremely difficult to detect by traditional security methods (i.e. those that only use a sandbox), since the initial sample will reveal the domain name streams before the change — which no longer resolve to the C2 server.”
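To make the two behaviours above concrete from the analyst's side, here is an added example (not Seculert's code and not DGA Changer's real algorithm): a constructed toy DGA whose output depends on a seed and on a real/decoy flag, plus the differential check a sandbox operator can run, comparing the domain streams the same sample produces in different environments. The flag stands in for the VM-artifact check the article describes; the seed value and environment names are constructed.

```python
import hashlib
from typing import Dict, List

TLDS = ["com", "net", "org", "info"]


def toy_dga(seed: str, count: int, decoy: bool = False) -> List[str]:
    """Constructed toy DGA (not DGA Changer's real generator).

    As with the family described above, two streams derive from the same seed:
    the 'real' one used on a victim host and a 'decoy' one emitted when the
    sample believes it is under analysis. Here that decision is just the
    `decoy` flag; the real malware derives it from VM artifacts.
    """
    stream_tag = b"decoy" if decoy else b"real"
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed.encode() + stream_tag + i.to_bytes(4, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def stream_overlap(a: List[str], b: List[str]) -> float:
    """Jaccard similarity between two observed domain streams (1.0 = identical)."""
    sa, sb = set(a), set(b)
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)


def flags_environment_dependent_dga(runs: Dict[str, List[str]], threshold: float = 0.5) -> bool:
    """Differential check: one sample run in several environments should query
    (nearly) the same domains. Any pair of runs whose overlap falls below
    `threshold` means the DGA output depends on where it ran, so the stream
    recorded in the sandbox must not be trusted for blocklists or sinkholing.
    """
    names = list(runs)
    for i in range(len(names)):
        for j in range(i + 1, len(names)):
            if stream_overlap(runs[names[i]], runs[names[j]]) < threshold:
                return True
    return False


if __name__ == "__main__":
    seed = "constructed-seed"  # constructed; a real seed comes from the sample
    observed = {
        "vmware_sandbox": toy_dga(seed, 20, decoy=True),
        "bare_metal_a": toy_dga(seed, 20),
        "bare_metal_b": toy_dga(seed, 20),
    }
    print("environment-dependent DGA:", flags_environment_dependent_dga(observed))
```

The same overlap check also shows why a seed update invalidates earlier observations: `toy_dga` called with a new seed shares no domains with the stream recorded before the change.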
A DGA is only effective as long as it evades detection. Attackers have been trying to up their DGA game with twists such as this one, or the one used by the Matsnu botnet, whose DGA pulled nouns and verbs from a list of more than 1,000 words to form domains that are 24-character phrases. A human analyst looking at a log of domains might not blink at domains constructed of real words, rather than the gibberish most DGAs generate.
“It’s a cat and mouse game,” Raff said. “They do something, we catch it, or try to predict what they’ll do in advance and build stuff that detects it before they put those practices in place.”