I've read about malware that attempts to avoid automated analysis by antivirus programs by waiting to run malicious...
code until user input (the mouse) is active. Could you provide some info on these malware evasion techniques? Should I be concerned that my antivirus product isn't picking up on such threats?
Ask the Expert
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
As the war against malware continues to evolve, malware developers are increasingly using professional software development methods and continue adding in new evasion techniques to prevent their malware from being detected. Malware writers have included antivirtual machine detection in their tool chests since at least 2006 to prevent researchers from analyzing their malware and developing signatures for detection and prevention. Automated anti-malware tools also use virtual machines for analysis to block the malware. Some malware is now checking for mouse activity to prevent analysis. As an example of why such techniques could be valuable to attackers, malware could check to confirm it can reach the command-and-control infrastructure prior to activation.
Endpoint anti-malware tools do not necessarily need to detect if there is mouse activity while checking for malware, but the researchers at the anti-malware vendors need to be able to analyze the malware to develop signatures or methods to detect the malware. Once a signature or detection method is created, it can be used to prevent malware from potentially executing on the endpoint before checking for mouse activity. If the anti-malware research teams are not picking up on these threats, enterprises should be concerned because that would call the endpoint security tool into question if it can't adapt to detect new attacks. Enterprises may want to investigate alternative anti-malware products or other endpoint security tools (e.g., whitelisting) that could detect or prevent malicious code from running on an endpoint.
Related Q&A from Nick Lewis, Enterprise Threats
Chameleon malware targets insecure wireless access points. Enterprise threats expert Nick Lewis explains how to defend against the malware.continue reading
The Zeus malware is threatening RTF security by embedding itself in the file, which is commonly seen as safer than other file formats such as PDFs. ...continue reading
Enterprise threats expert Nick Lewis explains how to detect and avoid one of the most advanced malware threats: The Mask.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.