‘Sleeper’ malware like Nap Trojan nothing new

Some malware designers hope to catch their victims unaware, or “sleeping.” The makers of the Trojan Nap hope to snare them by having their creation go to sleep itself.

But everal security experts say that is nothing new. They criticized a blog post earlier this week by FireEye security researchers Abhishek Singh and Ali Islam, who said they had discovered “a stealthy malware that employs extended sleep calls to evade automated analysis systems (AAS) capturing its behavior.”

They said Trojan Nap also uses “fast flux technique” to hide the identity of the attackers, which is similar to the behavior of the malware used to attack The New York Times. In that case, a university computer was manipulated to use different IP addresses from around the world, making it more difficult to find the correct one and block the source of the attack or even identify a clear pattern of malicious activity.

“Botnets have been using fluxing techniques for years in order to evade statically compiled black lists,” said Manos Antonakakis, senior director of research at Damballa Labs.”Also, anti-VM analysis techniques are a common phenomenon in the current malware landscape. [And] evading signature and dynamic analysis systems is not particularly hard at this point.”

Antonakakis was also critical of the comparison to the attack on The Times without first providing explicit and extensive forensic evidence. “It’s irresponsible, it creates problems for the global security community and makes the future data sharing efforts between security companies harder, if not impossible,” he said.

The Trojan Nap is “a commodity botnet — the malware is not overly sophisticated,” he added.

Amrit Williams, CTO at Lancope, said, “Malware using automated analysis and network evasion techniques isn’t new or even that rare. Zeus, which was continually evolving, used several techniques to evade monitoring tools, including the Windows firewall.”

Singh and Islam did call the Trojan Nap a “classic technique used to stay under the radar of an automated analysis system.” And Singh told CSO Online on Wednesday that, like others, “we have been observing extended sleep calls in other malwares also for quite some time.”

They reported that after the malicious code gets executed, it sends an HTTP request to the domain “wowrizep.ru” requesting the file “newbos2.exe.”

It is then programmed to take a 600,000 millisecond, or 10-minute, timeout. “Since automated analysis systems are configured to execute a sample within a specified time frame, by executing a sleep call with a long timeout, Nap can prevent an automated analysis system from capturing its malicious behavior,” Singh and Islam wrote.

[Bill Brenner in the Salted Hash blog: 40 years after the first computer virus]

Depite being a classic technique, the automated analysis systems industry has not developed ways to sniff it out.

Bogdan “Bob” Botezatu, a senior e-threat analyst at Bitdefender, says it is a matter of efficiency. Antivirus emulators and automated analysis systems are designed not to waste CPU cycles and resources, he said. “They are designed to handle tens of thousands of possibly malicious samples, and can’t afford to wait on a file that apparently does nothing.”

So it is not something that will change overnight. “There is no reasonable way to circumvent this unless the automated system is willing to trade efficiency,” Botezatu said.

But Singh said he thinks automated systems “should have evolved to ensure that malware should not be able to use extended sleep calls to bypass capturing of its behavior.”

Antonakakis said antivirus product makers should be up to speed. “[They] should be paying attention to the network behavior and the ecosystem around Internet threats,” he said. “Binaries employ several different obfuscation techniques, so tracking them in the context of botnets is extremely hard.”

However, he said that, based on previous analysis of this malware from the community and according to his company’s own datasets, they believe that this this threat is related to the Kelihos botnet. “We believe that the downloader being used is just one component in this campaign,” Antonakakis said.

Singh said automated systems are still the fastest way to determine the nature of a file. “But besides capturing the behavior, automated analysis systems should have techniques such that they cannot be evaded,” he said.

Antonakakis said: “Let’s put it another way: If you rely on seeing the malware, you have already lost the war.”