UpClicker Trojan Aims to Foil Automated Analysis
A simple yet effective technique continues malware writers' campaign to slow down the automated detection of their malicious programs.Just as security firms look for new ways to slow down attackers, the bad guys seek out ways to hinder defenders' efforts to analyze and react to the latest malicious binaries. Past efforts include programming the malware to look for the telltale signs that it is running in a virtual environment—the typical platform for analysis—or to use different encryption techniques to lock the binary to a specific machine. Yet a new Trojan shows that relatively low-tech efforts can also be successful. A malicious program known as UpClicker looks for the simplest of signs to determine if it's being run on a human-controlled machine: A mouse click. In an analysis of the UpClicker Trojan, threat-protection firm FireEye found that the technique works surprisingly well. "In the case of automated analysis, we run the files in a virtual machine, and there is no human interaction," said Abhishek Singh, senior malware research engineer with FireEye. "They went to a very specific thing, where, unless the mouse button is released, it won't do anything. So it provides a bit of a challenge for the sandboxed systems." Anti-malware and antivirus firms must crunch through nearly a million new malware variants every day, so any technique that delays detection of malicious software can have a dramatic impact, according to security firm Symantec. Typically, the machines run for less than 30 minutes and include no human interaction.
When it infects the system, the UpClicker Trojan binds itself to the mouse process and then hibernates until the left mouse button is released. Since the system event will not happen unless a human is interacting with the system—or security researchers emulate such an interaction—any analysis environment will not see any malicious behavior, and the code will not be flagged for further investigation.