Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

'Sleeper' malware like Nap Trojan nothing new

Taylor Armerding | Feb. 8, 2013
New malware uses common technique to avoid automated analysis, security experts say.

Some malware designers hope to catch their victims unaware, or "sleeping." The makers of the Trojan Nap hope to snare them by having their creation go to sleep itself.

But several security experts say that is nothing new. They criticized a blog post earlier this week by FireEye security researchers Abhishek Singh and Ali Islam, who said they had discovered "a stealthy malware that employs extended sleep calls to evade automated analysis systems (AAS) capturing its behavior."

They said Trojan Nap also uses "fast flux technique" to hide the identity of the attackers, which is similar to the behavior of the malware used to attack The New York Times. In that case, a university computer was manipulated to use different IP addresses from around the world, making it more difficult to find the correct one and block the source of the attack or even identify a clear pattern of malicious activity.

"Botnets have been using fluxing techniques for years in order to evade statically compiled black lists," said Manos Antonakakis, senior director of research at Damballa Labs."Also, anti-VM analysis techniques are a common phenomenon in the current malware landscape. [And] evading signature and dynamic analysis systems is not particularly hard at this point."

Antonakakis was also critical of the comparison to the attack onThe Times without first providing explicit and extensive forensic evidence. "It's irresponsible, it creates problems for the global security community and makes the future data sharing efforts between security companies harder, if not impossible," he said.

The Trojan Nap is " a commodity botnet -- the malware is not overly sophisticated," he added.

Amrit Williams, CTO at Lancope, said, "Malware using automated analysis and network evasion techniques isn't new or even that rare. Zeus, which was continually evolving, used several techniques to evade monitoring tools, including the Windows firewall."

Singh and Islam did call the Trojan Nap a "classic technique used to stay under the radar of an automated analysis system." And Singh told CSO Online on Wednesday that, like others, "we have been observing extended sleep calls in other malwares also for quite some time."

They reported that after the malicious code gets executed, it sends an HTTP request to the domain "" requesting the file "newbos2.exe."

It is then programmed to take a 600,000 millisecond, or 10-minute, timeout. "Since automated analysis systems are configured to execute a sample within a specified time frame, by executing a sleep call with a long timeout, Nap can prevent an automated analysis system from capturing its malicious behavior," Singh and Islam wrote.

Depite being a classic technique, the automated analysis systems industry has not developed ways to sniff it out.


1  2  Next Page 

Sign up for Computerworld eNewsletters.