Sandbox Evading Malware Just a Mouse Click Away

Anthony Freed
By | December 17, 2012

Posted in: Network Security Trends

With millions of new pieces of potentially malicious code to be examined every day, it is impossible for malware researchers to manually analyze every sample that comes their way. Thus, it is necessary to employ automated threat analysis systems to allow more suspicious code to be examined and aid in determining which samples merit inclusion in antivirus software updates. The problem is that malware designers are more often engaging in tactics that allow malicious code to go undetected by automated systems through the use of hooking techniques that allow code to remain dormant in virtual environments like sandboxes and subsequently evade detection. Such is the case with the recently identified Upclicker Trojan, which hides behind subroutines governing mouse control functions.

"From the analysis it is concluded that the Trojan Upclicker establishes malicious communication only when the left mouse button is clicked and released. Since, in sandboxes, there is no mouse interaction, the malicious behavior of Upclicker remains dormant in a sandbox environment," FireEye researchers Abhishek Singh and Yasir Khalid wrote.

These forms of malware have the ability to evade detection by taking advantage of operating system hooks, which allow applications to install a subroutine that monitors the operating system for a prompt to activate. The malware simply utilizes a "wait" hook in order for the malicious code to remain idle until it is activated by a user's action, in this case a left click on the mouse.

Researchers with Symantec had also recently identified a remote access Trojan (RAT) that evades automated detection systems by masking itself until activated by routines that are used by the mouse, similarly allowing the malicious code to remain undetected by automated analysis.

"If malware can hide itself from automated threat analysis systems, it can blend in with millions of sample files and antivirus applications may not be able to figure out that it is malicious. Therefore, both malware and packer program authors attempt to utilize techniques to hide malicious files from automated threat analysis systems," wrote Symantec's Hiroshi Shinotsuka.

Though the technique of hooking is not new, Singh and Khalid said they expect to see an increase in malware that "can use a specific aspect like pressing specific keys, specific mouse buttons, or movement of the mouse a certain distance to evade the automated analysis."

The solution? Any sample of code that is seen to be using hooks should be subject to manual analysis, but this is unlikely to occur since there is simply not enough expert malware analysts available to conduct such thorough examinations given the sheer number of potential samples that would need to be checked. For now, we just have to be content with the fact that we know it's occurring, even if we can't really do much about it.

You May Also Be Interested In: