I've read about malware that attempts to avoid automated analysis by antivirus programs by waiting to run malicious code until user input (the mouse) is active. Could you provide some info on these malware evasion techniques? Should I be concerned that my antivirus product isn't picking up on such threats?
Ask the Expert
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
As the war against malware continues to evolve, malware developers are increasingly using professional software development methods and keep adding new evasion techniques to prevent their malware from being detected. Malware writers have included anti-virtual-machine detection in their tool chests since at least 2006 to prevent researchers from analyzing their malware and developing signatures for detection and prevention. Automated anti-malware tools also run samples in virtual machines for analysis, so a sample that recognizes the virtual machine also evades that analysis. Some malware now checks for mouse activity before running its malicious code, on the assumption that an automated sandbox has no user at the keyboard. Such environment checks can be valuable to attackers in other ways as well: for example, malware could confirm that it can reach its command-and-control infrastructure prior to activation.
Endpoint anti-malware tools do not necessarily need to detect whether there is mouse activity while checking for malware, but the researchers at the anti-malware vendors need to be able to analyze the malware to develop signatures or other detection methods. Once a signature or detection method exists, it can stop the malware from executing on the endpoint at all, before it ever gets to check for mouse activity. If the anti-malware research teams are not picking up on these threats, enterprises should be concerned: an endpoint security tool that can't adapt to detect new attacks is of questionable value. Enterprises may want to investigate alternative anti-malware products or other endpoint security tools (e.g., application whitelisting) that could detect or prevent malicious code from running on an endpoint.
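The stalling behaviour the answer describes (poll for mouse or keyboard activity, sleep, and exit without doing anything if no user shows up) leaves a recognizable footprint in a sandbox's API-call trace, which an analysis pipeline can use to decide that a sample needs a re-run with simulated user input. The following triage script is an added example and not code from the original answer or from any vendor's product; the trace line format and both sample traces are constructed for the example, and the thresholds are assumptions, while the Win32 function names are real.

```python
"""Added example: heuristic triage of a sandbox API-call trace.

Flags samples that repeatedly query for user input and then sleep or exit
without any follow-on activity, i.e. the "wait for the mouse" stalling
behaviour described in the answer above. Trace format and sample lines are
constructed for this example; the API names are real Win32 functions.
"""
from dataclasses import dataclass

# Win32 calls a sample typically uses to ask "is a human at the keyboard?"
USER_ACTIVITY_APIS = {"GetCursorPos", "GetLastInputInfo", "GetAsyncKeyState"}
# Calls that delay execution while waiting for that activity.
SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution"}
# Calls that indicate the sample moved on to doing real work (assumed list).
PAYLOAD_APIS = {"CreateProcessW", "CreateProcessA", "WriteFile",
                "VirtualAllocEx", "CreateRemoteThread", "RegSetValueExW"}
EXIT_APIS = {"ExitProcess", "TerminateProcess"}


@dataclass
class Verdict:
    stalled: bool        # sample polled for a user and never did any payload work
    polls: int           # number of user-activity queries seen
    sleeps: int          # number of delay calls seen
    payload_calls: int   # number of "real work" calls seen
    exited_early: bool   # process exited without any payload call
    reason: str


def parse_trace(lines):
    """Return the ordered API names from constructed trace lines of the form
    '<tid> <Api>(<args>) -> <ret>'. Blank lines and '#' comments are skipped."""
    apis = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        apis.append(parts[1].split("(", 1)[0])
    return apis


def assess(apis, min_polls=3):
    """Classify a parsed trace. min_polls is an assumed threshold: a single
    cursor read is normal for many benign programs, a polling loop is not."""
    polls = sum(1 for a in apis if a in USER_ACTIVITY_APIS)
    sleeps = sum(1 for a in apis if a in SLEEP_APIS)
    payload = sum(1 for a in apis if a in PAYLOAD_APIS)
    exited = any(a in EXIT_APIS for a in apis)
    exited_early = exited and payload == 0
    stalled = polls >= min_polls and payload == 0
    if stalled:
        reason = (f"{polls} user-activity queries and {sleeps} delays with no payload "
                  "activity; re-run with simulated mouse/keyboard input")
    elif polls:
        reason = f"user-activity queries seen but payload activity followed ({payload} calls)"
    else:
        reason = "no user-activity polling observed"
    return Verdict(stalled, polls, sleeps, payload, exited_early, reason)


# Constructed trace: the sample polls the cursor, sleeps, sees nothing, and exits.
STALLING_TRACE = """
# tid  call
1a04  GetCursorPos(0x19ff1c) -> 1
1a04  Sleep(5000) -> 0
1a04  GetCursorPos(0x19ff1c) -> 1
1a04  Sleep(5000) -> 0
1a04  GetLastInputInfo(0x19ff10) -> 1
1a04  Sleep(5000) -> 0
1a04  GetCursorPos(0x19ff1c) -> 1
1a04  ExitProcess(0)
""".splitlines()

# Constructed trace: an ordinary installer reads the cursor once and then works.
BENIGN_TRACE = """
0b20  GetCursorPos(0x12fe80) -> 1
0b20  CreateProcessW("C:\\setup\\helper.exe") -> 1
0b20  WriteFile(0x1c4, 0x40a000, 4096) -> 1
0b20  ExitProcess(0)
""".splitlines()


if __name__ == "__main__":
    for name, trace in (("stalling", STALLING_TRACE), ("benign", BENIGN_TRACE)):
        v = assess(parse_trace(trace))
        print(f"{name}: stalled={v.stalled} polls={v.polls} sleeps={v.sleeps} "
              f"payload={v.payload_calls} exited_early={v.exited_early} ({v.reason})")
```

The point of the `stalled` verdict is operational rather than a final classification: a sample that spends its whole run asking whether a user is present and then quits has told the sandbox nothing about its payload, so the pipeline should schedule a second run with synthetic mouse movement and a longer timeout instead of filing the sample as benign.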