Crafty click fraud Trojan uses left mouse click to evade detection

Robert Westervelt, News Director

A new Trojan horse is shielding itself from detection by waiting to execute commands and infect a system until the victim makes a left mouse click.


The new research builds on previous analysis of malware that hides itself by using mouse processes. Researchers at FireEye Inc. say cybercriminals are taking it a step further, making the malware more effective at evading detection by antimalware technologies. It also lengthens the time it takes for security vendors to create signatures detecting the malware.

The FireEye team analyzed Trojan Upclicker and found it hooking into the procedure code that runs when the user makes a left mouse click. Each left mouse click unhooks the malicious code, said FireEye researchers Abhishek Singh and Yasir Khalid in a blog entry about the Upclicker malware analysis.

"Until the left mouse button is released, the code will remain dormant making it immune from automated analysis by a sandbox," the researchers said.

First detected in 2011, Trojan Upclicker was designed to aid cybercriminal click fraud campaigns, attempting to connect to specific websites and inflate visit counters for specific pages. 

Each step advances the infection process, opening Explorer for code injection and establishing malicious communication. "Since in sandboxes, there is no mouse interaction, the malicious behavior of Upclicker remains dormant in a sandbox environment," the researchers said.

Remaining dormant in sandbox environments is an evasion technique that makes it more difficult for antivirus vendors and other security technology providers to detect the malware and create signatures for the products designed to catch it. The researchers said they anticipate more malware using the technique to evade automated analysis.

In November, researchers at Symantec analyzed a remote access Trojan that evades detection using mouse functions. Symantec explained that the technique is becoming very common. Malware and packer program authors use various techniques to hide malicious files from automated threat analysis systems.
