
'Sleeper' malware like Nap Trojan nothing new

New malware uses common technique to avoid automated analysis, security experts say

By Taylor Armerding, CSO
February 07, 2013 08:31 AM ET

CSO - Some malware designers hope to catch their victims unaware, or "sleeping." The makers of the Trojan Nap hope to snare them by having their creation go to sleep itself.

But several security experts say that is nothing new. They criticized a blog post earlier this week by FireEye security researchers Abhishek Singh and Ali Islam, who said they had discovered "a stealthy malware that employs extended sleep calls to evade automated analysis systems (AAS) capturing its behavior."


They said Trojan Nap also uses "fast flux technique" to hide the identity of the attackers, which is similar to the behavior of the malware used to attack The New York Times. In that case, a university computer was manipulated to use different IP addresses from around the world, making it more difficult to find the correct one and block the source of the attack or even identify a clear pattern of malicious activity.

"Botnets have been using fluxing techniques for years in order to evade statically compiled black lists," said Manos Antonakakis, senior director of research at Damballa Labs. "Also, anti-VM analysis techniques are a common phenomenon in the current malware landscape. [And] evading signature and dynamic analysis systems is not particularly hard at this point."

Antonakakis was also critical of drawing the comparison to the attack on The Times without first providing explicit and extensive forensic evidence. "It's irresponsible, it creates problems for the global security community and makes the future data sharing efforts between security companies harder, if not impossible," he said.

The Trojan Nap is "a commodity botnet -- the malware is not overly sophisticated," he added.

Amrit Williams, CTO at Lancope, said, "Malware using automated analysis and network evasion techniques isn't new or even that rare. Zeus, which was continually evolving, used several techniques to evade monitoring tools, including the Windows firewall."

Singh and Islam did call the Trojan Nap a "classic technique used to stay under the radar of an automated analysis system." And Singh told CSO Online on Wednesday that, like others, "we have been observing extended sleep calls in other malwares also for quite some time."

They reported that after the malicious code gets executed, it sends an HTTP request to the domain "wowrizep.ru" requesting the file "newbos2.exe."

It is then programmed to take a 600,000 millisecond, or 10-minute, timeout. "Since automated analysis systems are configured to execute a sample within a specified time frame, by executing a sleep call with a long timeout, Nap can prevent an automated analysis system from capturing its malicious behavior," Singh and Islam wrote.


Despite being a classic technique, the automated analysis systems industry has not developed ways to sniff it out.

Bogdan "Bob" Botezatu, a senior e-threat analyst at Bitdefender, said it is a matter of efficiency. Antivirus emulators and automated analysis systems are designed not to waste CPU cycles and resources, he said. "They are designed to handle tens of thousands of possibly malicious samples, and can't afford to wait on a file that apparently does nothing."
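The following simulation is an added example, not code from the article or from FireEye, and executes no malware. It models the two points above: a sample that issues one HTTP request, sleeps for the 600,000 ms the article attributes to Nap, and then does something else never shows that later activity to a harness that simply kills it when its time budget runs out; a harness that hooks the sleep call and advances a virtual clock instead of blocking (the usual sandbox countermeasure) sees the whole sequence without spending the ten minutes Botezatu says it cannot afford. The two-minute budget, the one-minute flagging threshold, the nominal cost of a request and the post-sleep check-in URL are assumptions made for the illustration.

```python
"""Simulated time-boxed analysis versus sleep-skipping (added example)."""

from dataclasses import dataclass, field

NAP_SLEEP_MS = 600_000           # the 10-minute timeout described in the article
ANALYSIS_BUDGET_MS = 120_000     # assumed sandbox budget: 2 minutes
LONG_SLEEP_THRESHOLD_MS = 60_000  # assumed threshold for flagging a sleep as suspicious
REQUEST_COST_MS = 50             # assumed nominal cost of one network round trip


class AnalysisTimeout(Exception):
    """Raised when the harness's wall-clock budget is exhausted."""


@dataclass
class Sandbox:
    budget_ms: int
    skip_sleeps: bool
    wall_clock_ms: int = 0   # time the harness really spends
    guest_clock_ms: int = 0  # time the sample believes has elapsed
    trace: list = field(default_factory=list)

    def sleep(self, ms):
        """Hooked Sleep(): always logged; only consumes budget when not skipped."""
        self.trace.append(("Sleep", ms))
        # Advance the sample-visible clock either way, so a GetTickCount-style
        # "did I really sleep that long?" check cannot tell the hook apart.
        self.guest_clock_ms += ms
        if self.skip_sleeps:
            return
        if self.wall_clock_ms + ms > self.budget_ms:
            self.wall_clock_ms = self.budget_ms
            raise AnalysisTimeout(f"budget of {self.budget_ms} ms exhausted")
        self.wall_clock_ms += ms

    def get_tick_count(self):
        return self.guest_clock_ms

    def http_get(self, url):
        self.trace.append(("HTTP GET", url))
        self.wall_clock_ms += REQUEST_COST_MS
        self.guest_clock_ms += REQUEST_COST_MS


def simulated_sample(sb):
    """Stand-in for the sequence the article describes: one request, a
    600,000 ms sleep, then later activity (assumed here to be a check-in)."""
    sb.http_get("http://wowrizep.ru/newbos2.exe")
    before = sb.get_tick_count()
    sb.sleep(NAP_SLEEP_MS)
    if sb.get_tick_count() - before < NAP_SLEEP_MS:
        return  # a naive hook that shortens the sleep would be noticed here
    sb.http_get("http://c2.example.invalid/checkin")  # placeholder, not from the article


def run(skip_sleeps, budget_ms=ANALYSIS_BUDGET_MS):
    """Run the sample under one harness configuration and report what was seen."""
    sb = Sandbox(budget_ms=budget_ms, skip_sleeps=skip_sleeps)
    timed_out = False
    try:
        simulated_sample(sb)
    except AnalysisTimeout:
        timed_out = True
    return {"timed_out": timed_out, "trace": sb.trace, "wall_ms": sb.wall_clock_ms}


def flag_long_sleeps(trace, threshold_ms=LONG_SLEEP_THRESHOLD_MS):
    """Trace heuristic: count and total of sleeps at or above the threshold."""
    sleeps = [ms for api, ms in trace if api == "Sleep" and ms >= threshold_ms]
    return {"count": len(sleeps), "total_ms": sum(sleeps)}


if __name__ == "__main__":
    naive = run(skip_sleeps=False)
    skipping = run(skip_sleeps=True)
    print("time-boxed harness:", naive)       # only the first request is captured
    print("sleep-skipping harness:", skipping)  # full sequence, ~100 ms of wall time
    print("long-sleep heuristic:", flag_long_sleeps(skipping["trace"]))
```

The guest clock is the part worth copying: a sandbox that skips sleeps but leaves the time sources it exposes to the sample untouched is itself easy to detect, so real implementations patch the sleep call and the clock together. The `flag_long_sleeps` heuristic is cheap but, as the experts quoted above note, a sample can split one long sleep into many short ones or wait on something other than a sleep call, so it is a triage signal rather than a verdict.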
