Trojan Nap Employs Extended Sleep Calls to Evade Detection, FireEye Reports
According to researchers at FireEye's Malware Intelligence Lab, a new piece of malware, known as "Trojan Nap", has been tracked. The malware tries to escape detection with prolonged sleep calls and uses the "fast flux" technique to hide the attacker's identity.
Notably, the Trojan uses a method similar to the malware employed in the recent New York Times breach, in which university computers were modified to churn out a constant stream of IP addresses from around the globe, making the real one harder to discover.
Through prolonged sleep calls of up to 10 minutes, against the normal few seconds, the Trojan avoids tripping automated analysis systems that would otherwise capture its behaviour.
FireEye security researchers Abhishek Singh and Ali Islam wrote in a recent blog post that, by using the classic technique of a long sleep, malware can stay under the radar of an automated analysis system, as reported by blog.fireeye.com on February 5, 2013. Besides extended sleep calls to escape automated analysis, other techniques, such as hooking the mouse, have been observed in active use by current malware.
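One way a defender can surface the two evasion tricks named above (a long sleep before the payload drops, and a mouse hook that gates on user activity) is to scan a sandbox's API call trace for them. The script below is an added example, not FireEye's tooling or anything from the original article; the line format of the trace, the 2-minute analysis window and the 1-minute sleep threshold are assumptions, and the sample trace itself is constructed to mimic the behaviour described for Nap.

```python
"""Flag sandbox-evasion indicators in a Windows API call trace.

Heuristics: sum the delay requested through Sleep(), note installation of a
mouse hook via SetWindowsHookEx, and list the calls that would only be seen
after the sandbox's analysis window has expired. The trace format is a
constructed, simplified "<timestamp_ms> <api>(<args>)" line per call, not
the output format of any real sandbox.
"""
import re
from dataclasses import dataclass, field

# Real Windows hook ids accepted by SetWindowsHookEx.
WH_MOUSE = 7
WH_MOUSE_LL = 14

SANDBOX_WINDOW_MS = 2 * 60 * 1000   # assumed analysis budget: 2 minutes
LONG_SLEEP_MS = 60 * 1000           # assumed threshold: a single Sleep >= 1 minute

# Constructed trace: a ~10-minute Sleep before the payload is written and run.
SAMPLE_TRACE = """\
0 GetTickCount()
1 SetWindowsHookEx(idHook=14, lpfn=0x401000, hMod=0x400000, dwThreadId=0)
2 Sleep(dwMilliseconds=600000)
600003 CreateFileW(lpFileName="C:\\Users\\victim\\AppData\\Roaming\\newbos2.exe")
600010 WriteFile(hFile=0x44, nNumberOfBytesToWrite=98304)
600020 CreateProcessW(lpApplicationName="C:\\Users\\victim\\AppData\\Roaming\\newbos2.exe")
"""

# Constructed benign trace for contrast: a short sleep, everything inside the window.
CLEAN_TRACE = """\
0 GetTickCount()
1 Sleep(dwMilliseconds=500)
502 CreateFileW(lpFileName="C:\\Users\\victim\\Documents\\notes.txt")
"""

CALL_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<api>\w+)\((?P<args>.*)\)$")
ARG_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,]+)')


@dataclass
class EvasionReport:
    total_sleep_ms: int = 0
    longest_sleep_ms: int = 0
    mouse_hook: bool = False
    # APIs first observed after the analysis window would have closed.
    hidden_calls: list = field(default_factory=list)


def parse_args(args: str) -> dict:
    """Turn 'a=1, b="x"' into {'a': '1', 'b': 'x'} (constructed argument syntax)."""
    return {name: value.strip().strip('"') for name, value in ARG_RE.findall(args)}


def analyse_trace(trace: str, window_ms: int = SANDBOX_WINDOW_MS) -> EvasionReport:
    """Walk the trace once, accumulating the three indicators."""
    rep = EvasionReport()
    for line in trace.splitlines():
        m = CALL_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts, api, args = int(m["ts"]), m["api"], parse_args(m["args"])
        if api == "Sleep":
            ms = int(args.get("dwMilliseconds", 0))
            rep.total_sleep_ms += ms
            rep.longest_sleep_ms = max(rep.longest_sleep_ms, ms)
        elif api == "SetWindowsHookEx" and int(args.get("idHook", -1)) in (WH_MOUSE, WH_MOUSE_LL):
            rep.mouse_hook = True
        if ts >= window_ms:
            rep.hidden_calls.append(api)
    return rep


def verdict(rep: EvasionReport) -> list:
    """Human-readable reasons the sample looks like it is evading analysis."""
    reasons = []
    if rep.longest_sleep_ms >= LONG_SLEEP_MS:
        reasons.append(f"long sleep: {rep.longest_sleep_ms // 1000}s in a single call")
    if rep.mouse_hook:
        reasons.append("mouse hook installed (possible user-activity gate)")
    if rep.hidden_calls:
        reasons.append(f"{len(rep.hidden_calls)} calls fall after the "
                       f"{SANDBOX_WINDOW_MS // 1000}s analysis window")
    return reasons


if __name__ == "__main__":
    for name, trace in (("sample", SAMPLE_TRACE), ("clean", CLEAN_TRACE)):
        print(name, verdict(analyse_trace(trace)) or ["no evasion indicators"])
```

The `hidden_calls` list is the operational point: with a fixed analysis budget, everything after the sleep (here the drop and launch of newbos2.exe) never appears in the report at all. The usual mitigation is for the sandbox to hook `Sleep`/`NtDelayExecution` and return immediately (sleep skipping) while advancing the clock it exposes to the sample, so that the trace is recorded in full and this check then sees the payload activity inside the window.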
The researchers provide technical details of Nap's infiltration: once inside, the malware installs a data-stealing file called newbos2.exe.
"In the coming times, we anticipate observing malware using automated analysis evasion methods combined with network evasion methods to escape detection," the pair says.
Amrit Williams, CTO at Lancope, says: "Malware using automated analysis and network evasion methods is not new or even that uncommon. Zeus, which was coming, used many methods to evade monitoring tools, along with Windows Firewall," as reported by pcadvisor.co.uk on February 7, 2013.
This isn't the first malware to use such techniques to conceal its presence. Back in December 2012, FireEye researchers discovered a Trojan, dubbed Upclicker, which leveraged mouse hooking to evade sandbox environments.
SPAMfighter News - 14-02-2013