A new Trojan horse is shielding itself from detection by waiting to execute commands and infect a system until...
the victim makes a left mouse click.
Until the left mouse button is released, the code will remain dormant making it immune from automated analysis by a sandbox.
The new research builds on previous analysis of malware that hides itself by using mouse processes. Researchers at FireEye Inc. say cybercriminals are taking it a step further, making the malware more effective at evading detection by antimalware technologies. It also lengthens the time it takes for security vendors to create signatures detecting the malware.
The FireEye team analyzed Trojan Upclicker and found it hooking into procedure code that is initiated when the user makes a left mouse click. Each left mouse click will unhook malicious code, said Fire Eye researchers Abhishek Singh and Yasir Khalid in a blog entry about the Upclicker malware analysis.
"Until the left mouse button is released, the code will remain dormant making it immune from automated analysis by a sandbox," the researchers said.
Each step advances the infection process, opening Explorer for code injection and establishing malicious communication. "Since in sandboxes, there is no mouse interaction, the malicious behavior of Upclicker remains dormant in a sandbox environment," the researchers said.
Remaining dormant in sandbox environments is an attack technique that makes it more difficult for antivirus vendors and other security technologies to detect and create signatures for products designed to detect the malware. The researchers said they anticipate more malware using the technique to evade automated analysis.
In November, researchers at Symantec analyzed a remote access Trojan that evades detection using mouse functions. Symantec explained that the technique is becoming very common. Malware and packer program authors use various techniques to hide malicious files from automated threat analysis systems.