In what is no doubt an embarrassing security breach, PHP.net, the official website of the PHP programming language, was compromised temporarily by hackers. Having a server compromised is not a particularly rare occurrence in the modern digital era, although as the flagship site of the PHP language, it must be particularly galling - as well as being a potent cautionary tale for PHP programmers everywhere. After all, if it can happen there, it can happen anywhere.
The attack, which compromised the site for nearly 3 days in October, was intended to force users who visited the site to download and execute malicious code - also not particularly uncommon in this day and age. More recently, however, security researchers analyzed the payload that was downloaded to users' machines and found it to be a highly specific and potentially unique piece of malware dubbed DGA.Changer, which employs sophisticated techniques to evade detection and maintain links with command and control (C2) systems, for the purpose of downloading other pieces of malware to the infected machines that would otherwise be caught and removed.
Here's where things get curious, though: the machines infected by DGA.Changer from the PHP.net attack don't seem to be downloading other pieces of malware. There have been no reported cases of additional malware downloads in the wild, and security researchers are concerned that something more complex is at work - the digital equivalent of the 'long con', perhaps. Aviv Raff, CTO and security researcher at Seculert, writes, "Our analysis at this point is that 'no news is bad news.' Why would adversaries deploy a malware which downloads nothing, on a site used by software developers, and then engineer it so that it can receive commands from a C2 server to change the DGA seed? It makes no sense—and that [is] worrisome. Not all adversaries are geniuses, but they typically have an agenda."
The current running theory is that PHP.net was targeted because it has a very high probability of being visited by PHP programmers who are working on high-value projects that may not even be released yet, giving whoever holds the keys to DGA.Changer a very valuable pool of potential targets. While there seems to be no activity or damage caused as a result of the attack, the possibility that someone is specifically targeting PHP programmers rather than average users is a disturbing trend that should have every developer concerned - and checking that their antivirus definitions are up to date and working properly.