Researchers at FireEye’s Malware Intelligence Lab say they’ve found malware that attempts to evade detection with extended sleep calls and uses “the fast flux technique” to hide the attacker’s identity.
They are calling the malicious downloader “Trojan Nap” and note it uses a technique akin to the malware used in the recent New York Times breach, in which university computers were manipulated to continually churn out different IP addresses from around the globe, making the correct one more difficult to find.
By using extended sleep calls — up to 10 minutes versus the normal seconds, according to VentureBeat — the trojan avoids tripping automated analysis systems that otherwise would capture its behavior.
“Using a long sleep is a classic technique used to stay under the radar of an automated analysis system,” write FireEye security researchers Abhishek Singh and Ali Islam in a blog post. “In addition to extended sleep calls to evade automated analysis, we have observed many techniques, like hooking to a mouse, that are actively being employed by the advanced active malwares.”
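The long-sleep evasion described above is countered in sandboxes by skipping oversized sleeps while advancing a virtual clock, so the sample still believes the interval elapsed. The following is an added illustration of that idea, not FireEye's code; the API trace, the 5-second skip threshold and the `newbos2.exe` write are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed trace in the shape a sandbox records: (api_name, argument).
# Sleep arguments are milliseconds; the 600_000 entry mirrors a ten-minute sleep.
SAMPLE_TRACE = [
    ("GetTickCount", None),
    ("Sleep", 600_000),
    ("GetTickCount", None),
    ("Sleep", 50),
    ("CreateFileW", "newbos2.exe"),  # activity that only appears after the long sleep
]


@dataclass
class SandboxClock:
    """Virtual clock: sleeps above the threshold are skipped in real time but
    still added to the clock the sample can read via GetTickCount."""
    skip_threshold_ms: int = 5_000      # assumed policy value
    virtual_ms: int = 0                 # time the sample believes has passed
    real_ms: int = 0                    # time the sandbox actually waited
    skipped: list = field(default_factory=list)

    def sleep(self, ms: int) -> int:
        self.virtual_ms += ms
        if ms > self.skip_threshold_ms:
            self.skipped.append(ms)     # record the evasion indicator
            return 0                    # fast-forward instead of waiting
        self.real_ms += ms
        return ms


def analyse(trace, threshold_ms: int = 5_000) -> dict:
    """Replay an API trace through the sleep-skipping clock and report
    post-sleep behaviour plus a long-sleep evasion verdict."""
    clock = SandboxClock(skip_threshold_ms=threshold_ms)
    observed = []
    for api, arg in trace:
        if api == "Sleep":
            clock.sleep(arg)
        elif api == "GetTickCount":
            observed.append((api, clock.virtual_ms))  # consistent view for the sample
        else:
            observed.append((api, arg))
    return {
        "real_wait_ms": clock.real_ms,
        "virtual_ms": clock.virtual_ms,
        "long_sleeps": clock.skipped,
        "observed": observed,
        "long_sleep_evasion": bool(clock.skipped),
    }
```

Without the skip, the analysis would idle for ten minutes and likely time out before the file write is ever observed.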
The researchers provide technical details showing how Nap infiltrates a system. Once it’s in, the malware installs a data-stealing file called newbos2.exe.
“In the near future we expect to see malware employing automated analysis evasion techniques combined with network evasion techniques to evade detection,” the pair write.