
'Sleeper' malware like Nap Trojan nothing new

Taylor Armerding | Feb. 8, 2013
New malware uses common technique to avoid automated analysis, security experts say.

Bogdan "Bob" Botezatu, a senior e-threat analyst at Bitdefender, says it is a matter of efficiency. Antivirus emulators and automated analysis systems are designed not to waste CPU cycles and resources, he said. "They are designed to handle tens of thousands of possibly malicious samples, and can't afford to wait on a file that apparently does nothing."

So it is not something that will change overnight. "There is no reasonable way to circumvent this unless the automated system is willing to trade efficiency," Botezatu said.

But Singh said he thinks automated systems "should have evolved to ensure that malware should not be able to use extended sleep calls to bypass capturing of its behavior."

Antonakakis said antivirus product makers should be up to speed. "[They] should be paying attention to the network behavior and the ecosystem around Internet threats," he said. "Binaries employ several different obfuscation techniques, so tracking them in the context of botnets is extremely hard."

However, he said that, based on previous analysis of this malware from the community and according to his company's own datasets, they believe that this threat is related to the Kelihos botnet. "We believe that the downloader being used is just one component in this campaign," Antonakakis said.

Singh said automated systems are still the fastest way to determine the nature of a file. "But besides capturing the behavior, automated analysis systems should have techniques such that they cannot be evaded," he said.

Antonakakis said: "Let's put it another way: If you rely on seeing the malware, you have already lost the war."

