UpClicker Trojan Aims to Foil Automated Analysis

 
 
By Robert Lemos  |  Posted 2012-12-20
 
 
 

Just as security firms look for new ways to slow down attackers, the bad guys seek out ways to hinder defenders' efforts to analyze and react to the latest malicious binaries. Past efforts include programming the malware to look for the telltale signs that it is running in a virtual environment—the typical platform for analysis—or to use different encryption techniques to lock the binary to a specific machine.

Yet a new Trojan shows that relatively low-tech efforts can also be successful. A malicious program known as UpClicker looks for the simplest of signs to determine if it's being run on a human-controlled machine: A mouse click. In an analysis of the UpClicker Trojan, threat-protection firm FireEye found that the technique works surprisingly well.

"In the case of automated analysis, we run the files in a virtual machine, and there is no human interaction," said Abhishek Singh, senior malware research engineer with FireEye. "They went to a very specific thing, where, unless the mouse button is released, it won't do anything. So it provides a bit of a challenge for the sandboxed systems."

Anti-malware and antivirus firms must crunch through nearly a million new malware variants every day, so any technique that delays detection of malicious software can have a dramatic impact, according to security firm Symantec. Typically, the machines run for less than 30 minutes and include no human interaction.

When it infects the system, the UpClicker Trojan binds itself to the mouse process and then hibernates until the left mouse button is released. Since the system event will not happen unless a human is interacting with the system—or security researchers emulate such an interaction—any analysis environment will not see any malicious behavior, and the code will not be flagged for further investigation.

Once it does run, UpClicker creates a process called "Opera"—the name of a well-known Web browser—and then establishes a secure communications channel to a command-and-control server on the Internet. After that step, the attackers can install additional components to tailor the Trojan to their needs.

Previously, programs such as Flashback, which infected hundreds of thousands of Mac systems, and Gauss, a suspected nation-state attack, demonstrated more technical methods for avoiding analysis. Each attack used encryption to bind itself to a specific machine to avoid being decrypted in a virtual analysis environment. Without knowing the specific attributes used to create the encryption key, defenders would not be able to unscramble the payload for analysis unless they could exactly emulate the targeted system.

Such techniques require technical acumen to pull off well, while the simple methods used by UpClicker do not.

Both FireEye and Symantec point out that such attacks—both the technical and simplistic—will only become more common as attackers attempt to evade analysis while keeping their programs stealthy to avoid detection.

"We expect to see more such samples that can use a specific aspect like pressing specific keys, specific mouse buttons, or movement of the mouse a certain distance to evade the automated analysis," Singh and his colleague, Yasir Khalid, wrote in their report.

Editor's Note: This story has been updated with the full name of the FireEye senior malware research engineer, which was left out of the originally published version.

Rocket Fuel