New Trojan Bypasses Detection with Manipulated Mouse Click
A newly discovered Trojan evades detection by remaining dormant after infecting the target computer, waiting for commands before it executes. That dormancy ends as soon as the user clicks the left mouse button, searchsecurity.techtarget.com reported on December 14, 2012.
The latest analysis builds on an earlier case in which a malware sample was found to hide itself through mouse-click manipulation, say security researchers at FireEye Inc. The researchers believe that by taking this technique one step further, the criminals have made the Trojan more effective at bypassing anti-malware detection. The Trojan also lengthens the time security firms need to write signatures that would spot it.
After analyzing the Trojan, dubbed 'Upclicker,' FireEye's security experts found that it hooks itself to a procedure that becomes active when the user clicks the left mouse button; each such click triggers the malware, wrote FireEye security researchers Yasir Khalid and Abhishek Singh in a blog post.
Khalid and Singh explained that Upclicker calls the "SetWindowsHookExA" function with the "0Eh" parameter to hook the mouse and track its movements. When the left click occurs, the hook procedure calls "UnhookWindowsHookEx" to remove the hook and then calls the sub_401170() routine, which finally executes the Trojan's malicious code, they said.
They added that, running inside the Internet Explorer web browser, Upclicker initiates a Domain Name System (DNS) lookup of sendmsg.jumpingcrab.com and opens a malicious communication channel over destination ports 443 and 80.
The pair also speculate that other malicious programs similar to Upclicker are in circulation.
The two concluded from their study that Upclicker starts its malicious communication only after a mouse click. Because sandboxes typically have no mouse interaction, Upclicker's harmful behaviour never surfaces inside such an environment.
According to FireEye, anti-virus vendors generally rely on automated sandbox analysis to process huge volumes of samples. To bypass that analysis, further samples may emerge that wait for particular keystrokes, particular mouse clicks, or the mouse being dragged over a specified area.
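As an added illustration (not code from the article or from FireEye), a small Python heuristic that scans a sandbox API-call trace for the pattern described above: an input hook installed via SetWindowsHookExA, removed with UnhookWindowsHookEx, and only then followed by network connections. The trace format, the sample lines and the verdict labels are assumptions constructed for this example.

```python
import re

# WH_* hook ids from winuser.h; 14 (0Eh) is WH_MOUSE_LL, the value the article says
# Upclicker passes to SetWindowsHookExA. The others are the keyboard/mouse variants FireEye predicts.
INPUT_HOOKS = {2: "WH_KEYBOARD", 7: "WH_MOUSE", 13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL"}

# Hypothetical trace format (an assumption, not any real tool's output): "<pid> <api>(k=v, ...) -> <ret>"
LINE = re.compile(r"^(?P<pid>\d+) (?P<api>\w+)\((?P<args>.*)\) -> (?P<ret>\S+)$")

# Constructed sample trace: pid 1204 mirrors the article's description of Upclicker,
# pid 1300 installs a keyboard hook the sandbox never triggers, pid 1400 just connects.
SAMPLE_TRACE = """\
1204 SetWindowsHookExA(idHook=0x0E, lpfn=0x401170, hMod=0x400000, dwThreadId=0) -> 0x5c0
1204 UnhookWindowsHookEx(hhk=0x5c0) -> 1
1204 connect(host=sendmsg.jumpingcrab.com, port=443) -> 0
1300 SetWindowsHookExA(idHook=13, lpfn=0x402000, hMod=0x400000, dwThreadId=0) -> 0x5d4
1400 connect(host=update.example, port=80) -> 0
"""


def parse_trace(text):
    """Parse trace lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        args = dict(kv.split("=", 1) for kv in m["args"].split(", ") if "=" in kv)
        events.append({"pid": m["pid"], "api": m["api"], "args": args, "ret": m["ret"]})
    return events


def analyze(events):
    """Per pid: (verdict, hook type installed, connections seen after the hook was removed)."""
    state = {}
    for ev in events:
        st = state.setdefault(ev["pid"], {"hook": None, "handle": None, "unhooked": False, "net": []})
        api, a = ev["api"], ev["args"]
        if api in ("SetWindowsHookExA", "SetWindowsHookExW") and int(a.get("idHook", "-1"), 0) in INPUT_HOOKS:
            # Remember which input hook was installed and the handle the call returned.
            st["hook"], st["handle"] = INPUT_HOOKS[int(a["idHook"], 0)], ev["ret"]
        elif api == "UnhookWindowsHookEx" and st["handle"] is not None and a.get("hhk") == st["handle"]:
            st["unhooked"] = True
        elif api == "connect" and st["unhooked"]:
            # Network activity only once the hook is gone: the behaviour the article describes.
            st["net"].append(f'{a.get("host")}:{a.get("port")}')
    verdicts = {}
    for pid, st in state.items():
        kind = "interaction-gated" if st["net"] else "dormant-rerun-with-input" if st["hook"] else "no-input-gating"
        verdicts[pid] = (kind, st["hook"], st["net"])
    return verdicts
```

Running analyze(parse_trace(SAMPLE_TRACE)) labels pid 1204 as interaction-gated and pid 1300 as dormant, the latter being the case where a sandbox should re-run the sample with simulated keyboard and mouse input.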
» SPAMfighter News - 22-12-2012