Researchers Discover Data-Stealing Malware That Likes to Nap

Researchers at FireEye’s Malware Intelligence Lab say they’ve found malware that attempts to evade detection with extended sleep calls and uses “the fast flux technique” to hide the attacker’s identity.

They are calling the malicious downloader “Trojan Nap” and note that it uses a technique akin to the malware used in the recent New York Times breach, in which university computers were manipulated to continually churn out different IP addresses from around the globe, making the correct one more difficult to find.
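The IP-churning behaviour described above is what passive-DNS analysts look for when hunting fast-flux infrastructure. The following Python is an added example for this article, not code from FireEye or Threatpost: it summarises constructed DNS answer records per domain and flags names that combine short TTLs, many distinct IPs and IPs spread across many networks (a /16 prefix is used as a crude stand-in for ownership diversity). The domain names, TTLs and addresses are all made up; the thresholds are assumptions to tune against your own data.

```python
from collections import defaultdict
import ipaddress

# Constructed sample of DNS answers as a passive-DNS collector might log them:
# (queried domain, TTL in seconds, resolved IPv4 address). These are made-up
# values, not observations from the Nap campaign.
SAMPLE_ANSWERS = [
    ("static-cdn.example", 3600, "203.0.113.10"),
    ("static-cdn.example", 3600, "203.0.113.11"),
    ("updates.bad.example", 120, "198.51.100.23"),
    ("updates.bad.example", 120, "192.0.2.77"),
    ("updates.bad.example", 60, "203.0.113.200"),
    ("updates.bad.example", 120, "198.18.5.9"),
    ("updates.bad.example", 90, "100.64.3.14"),
    ("updates.bad.example", 120, "192.0.2.78"),
]


def summarize_resolutions(answers):
    """Collect distinct IPs, distinct /16 prefixes and the lowest TTL per domain."""
    per_domain = defaultdict(lambda: {"ips": set(), "prefixes": set(), "min_ttl": None})
    for domain, ttl, ip in answers:
        entry = per_domain[domain]
        entry["ips"].add(ip)
        # /16 is a coarse proxy for "different network"; a real pipeline would
        # map each IP to its ASN instead.
        entry["prefixes"].add(str(ipaddress.ip_network(f"{ip}/16", strict=False)))
        entry["min_ttl"] = ttl if entry["min_ttl"] is None else min(entry["min_ttl"], ttl)
    return per_domain


def flux_candidates(summary, max_ttl=300, min_ips=5, min_prefixes=3):
    """Return {domain: [reasons]} for domains meeting all three fast-flux heuristics.

    Thresholds are assumptions; CDNs also rotate many IPs with short TTLs, so
    prefix diversity and an allowlist of known CDN names matter in practice.
    """
    flagged = {}
    for domain, s in summary.items():
        reasons = []
        if s["min_ttl"] is not None and s["min_ttl"] <= max_ttl:
            reasons.append("short-ttl")
        if len(s["ips"]) >= min_ips:
            reasons.append("many-ips")
        if len(s["prefixes"]) >= min_prefixes:
            reasons.append("diverse-prefixes")
        if len(reasons) == 3:
            flagged[domain] = reasons
    return flagged


if __name__ == "__main__":
    summary = summarize_resolutions(SAMPLE_ANSWERS)
    for domain, reasons in flux_candidates(summary).items():
        print(f"{domain}: {', '.join(reasons)}")
```

Requiring all three signals together keeps a large, legitimately multi-homed CDN name from tripping the check on TTL or IP count alone; the deciding factor is that the addresses sit in unrelated networks, which is the fingerprint of compromised hosts being cycled through a name.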

By using extended sleep calls — up to 10 minutes versus the normal seconds, according to VentureBeat — the trojan avoids tripping automated analysis systems that otherwise would capture its behavior.

“Using a long sleep is a classic technique used to stay under the radar of an automated analysis system,” write FireEye security researchers Abhishek Singh and Ali Islam in a blog post. “In addition to extended sleep calls to evade automated analysis, we have observed many techniques, like hooking to a mouse, that are actively being employed by the advanced active malwares.”
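The two evasion behaviours the researchers name, extended sleeps and mouse hooking, both leave marks in a sandbox's API-call trace, and one mitigation is simply to score a sample on what it asks for rather than waiting for it to finish. The Python below is an added example written for this article, not FireEye's or any vendor's tooling: it parses a constructed trace format (timestamp, pid, api, argument) with made-up values, accumulates requested Sleep/SleepEx time per process, notes mouse hooks installed via SetWindowsHookExW, and returns the reasons a process looks evasive. The trace format and thresholds are assumptions.

```python
import re

# Constructed sandbox API-call trace; not real FireEye output. Fields are
# "<seconds> pid=<n> api=<name> arg=<value>". The argument to Sleep/SleepEx
# is milliseconds, as in the Win32 API.
SAMPLE_TRACE = """\
0.004 pid=1208 api=CreateFileW arg=C:\\Users\\victim\\AppData\\Local\\Temp\\nap.tmp
0.011 pid=1208 api=Sleep arg=600000
0.013 pid=1208 api=GetTickCount arg=
0.015 pid=1208 api=Sleep arg=599000
0.020 pid=1208 api=SetWindowsHookExW arg=WH_MOUSE_LL
0.021 pid=1208 api=Sleep arg=250
0.030 pid=2044 api=Sleep arg=100
0.031 pid=2044 api=Sleep arg=100
"""

LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+)\s+pid=(?P<pid>\d+)\s+api=(?P<api>\w+)\s+arg=(?P<arg>.*)$"
)
# Only the millisecond-argument sleep APIs are counted here; NtDelayExecution
# takes a 100 ns interval and would need unit conversion.
SLEEP_APIS = {"Sleep", "SleepEx"}


def parse_trace(text):
    """Turn trace lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(
            {"ts": float(m["ts"]), "pid": int(m["pid"]), "api": m["api"], "arg": m["arg"]}
        )
    return events


def sleep_profile(events):
    """Per pid: number of sleep calls, total and largest requested sleep, hooks set."""
    profile = {}
    for e in events:
        p = profile.setdefault(e["pid"], {"calls": 0, "total_ms": 0, "max_ms": 0, "hooks": []})
        if e["api"] in SLEEP_APIS:
            try:
                ms = int(e["arg"])
            except ValueError:
                continue  # malformed argument; do not count it
            p["calls"] += 1
            p["total_ms"] += ms
            p["max_ms"] = max(p["max_ms"], ms)
        elif e["api"] == "SetWindowsHookExW":
            p["hooks"].append(e["arg"])
    return profile


def evasion_reasons(profile, single_ms=60_000, total_ms=120_000):
    """Return {pid: [reasons]}; an empty list means nothing suspicious was seen."""
    verdicts = {}
    for pid, p in profile.items():
        reasons = []
        if p["max_ms"] >= single_ms:
            reasons.append(f"single sleep of {p['max_ms']} ms")
        if p["total_ms"] >= total_ms:
            reasons.append(f"cumulative sleep of {p['total_ms']} ms")
        if any(h.startswith("WH_MOUSE") for h in p["hooks"]):
            reasons.append("mouse hook installed")
        verdicts[pid] = reasons
    return verdicts


if __name__ == "__main__":
    for pid, reasons in evasion_reasons(sleep_profile(parse_trace(SAMPLE_TRACE))).items():
        print(pid, "->", reasons or ["no evasion indicators"])
```

Scoring the requested sleep rather than the elapsed time is what makes this useful: a sandbox that also skips or accelerates long sleeps still records that the sample asked for ten minutes of silence, and that request is itself the indicator. Short housekeeping sleeps, like the two 100 ms calls from the second process, fall well under both thresholds and produce no reasons.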

The researchers provide technical details showing how Nap infiltrates a system. Once it’s in, the malware installs a data-stealing file called newbos2.exe.

“In the near future we expect to see malware employing automated analysis evasion techniques combined with network evasion techniques to evade detection,” the pair write.

Discussion

  • Anonymous on

    There is absolutely no connection between this malware and the malware used in the NY Times hack. This malware is NOT an APT. It is a Waledac botnet. This is misleading people on the New York Times hack.

  • Anonymous on

    I think FireEye researchers have also said that there is no connection except the coincidence that the two malware use the same fast flux technique.

  • Anonymous on

    Yes, that's what they meant - the connection was in the technique to change IP addresses and not in the malware itself.

  • Anonymous on

    Ok then why did they even mention it? They are misleading people.

  • Anonymous on

    So many types of malware use domain fluxing, so throwing in that it changes IPs like X malware is just someone trying to get attention. It's sad really...
