Finding keen new ways to avoid detection by security systems, malware scanners in particular, seems to be a primary objective for malware writers.
Researchers at FireEye have found one of the most ingenious, a Trojan called Upclicker that eludes automated sandbox detection by hooking into a mouse click.
Upclicker is a backdoor that only comes to life after a user clicks and releases the left mouse button, FireEye researchers Abhishek Singh and Yasir Khalid wrote.
“Since, in sandboxes, there is no mouse interaction, the malicious behavior of Upclicker remains dormant in a sandbox environment,” they said.
Sandboxes are isolated environments where suspicious code is executed out of harm’s way. If it’s malicious, the code is blocked, otherwise, the process proceeds. Antimalware software is deploying sandboxing technology more and more as part of their core offerings. Some largely deployed applications such as Adobe Reader and Flash, as well as Java, also have sandbox capabilities.
“To evade automated analysis, we expect to see more such samples that can use a specific aspect like pressing specific keys, specific mouse buttons, or movement of the mouse a certain distance to evade the automated analysis,” the researchers said.
More malware is appearing with built-in evasion techniques. Encryption packers are longstanding tactic used by attackers to increase the viability of malicious code. Conficker, for example, was able to detect if it was opened in a virtual machine, which would indicate it was opened in a test and not a production environment, and would not execute.
Of late, financial malware known as Shylock was discovered to have the ability to detect whether it was being executed on a computer over remote desktop protocol. Researchers use RDP often to study malware samples stored in remote locations; Shylock would not install if it detects an RDP connection.
Symantec conducted some research into the lengths malware would take to avoid detection, and did some similar work on malware using the mouse to hide.
“If malware stops itself when it detects that it is running in a virtual environment, it may trick an automated threat analysis system into thinking that it is a clean program. It is also able to stop itself if it discovers a certain process name and detects that someone is monitoring it,” said Symantec’s Hiroshi Shinotsuka. “So malware may not only fool automated threat analysis systems, but also a corporate system administrator who is searching for computers compromised by malware.”
The malware writer is depending on the fact that an automated detection system doesn’t use mouse clicks. If it only executes when the mouse is clicked or moved, a normal user movement on Windows system for example, it would remain quiet all other times and a detection system could miss it.
With Upclicker, once it executes, it injects code in Windows Explorer and eventually establishes a backdoor channel where further commands await.