New Malware Takes ‘Extended Naps’ To Avoid Detection

Posted by: Paul Roberts   February 5, 2013 13:59

It’s a truism that even the bleakest circumstances look a bit brighter after a good nap. That wisdom isn’t lost on malware authors either. A newly discovered Trojan Horse program, dubbed Trojan Nap, is programmed to use extended sleep cycles to fool behavior-based anti-malware tools, according to a report from the firm FireEye.


A new malicious program, Trojan Nap, uses extended periods of rest to fool behavioral detection tools.

In a blog post Tuesday, researchers Abhishek Singh and Ali Islam said the new malware calls the Windows API function SleepEx() with a long timeout to configure the “naps” it takes after it is installed on a compromised system. The default value, 600,000 milliseconds – or 10 minutes – appears designed to outlast automated analysis systems that record a sample’s behavior only for a fixed time window: the sandbox run ends before the sample has done anything worth flagging. “By executing a sleep call with a long timeout, Nap can prevent an automated analysis system from capturing its malicious behavior,” FireEye said.
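To make the evasion concrete, here is an added example (not FireEye’s code and not derived from the Nap binary) that models a behavioral sandbox with a fixed observation window, replays a constructed API trace standing in for the sample, and shows both the naive outcome and the usual countermeasure, sleep skipping: the hooked Sleep/SleepEx returns at once while the tick count the sample can read is advanced by the requested amount. The analysis window, the per-call cost, the long-sleep threshold, the C2 URL and the file path are all assumptions.

```python
"""Toy model of a fixed-window behavioural sandbox.

Shows how a long SleepEx() timeout such as Nap's 600,000 ms default starves
the analysis of behaviour, and how sleep skipping recovers it.  This is an
added illustration, not code from FireEye or from the Nap sample.  The API
trace below is constructed; the C2 URL and file path are placeholders.
"""

NAP_DEFAULT_SLEEP_MS = 600_000    # 10 minutes, the default reported for Nap
ANALYSIS_WINDOW_MS = 300_000      # assumption: sandbox observes for 5 minutes
LONG_SLEEP_THRESHOLD_MS = 60_000  # assumption: flag sleeps of a minute or more

# Constructed stand-in for the sample: the API calls it would make, in order.
SAMPLE_TRACE = [
    ("SleepEx", {"dwMilliseconds": NAP_DEFAULT_SLEEP_MS, "bAlertable": 0}),
    ("InternetOpenUrlA", {"url": "http://c2.example.invalid/update"}),
    ("WriteFile", {"path": r"C:\Users\victim\AppData\Roaming\nap.exe"}),
]

SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution"}


def analyse(trace, window_ms=ANALYSIS_WINDOW_MS, skip_sleeps=False):
    """Replay an API trace under a fixed observation window.

    Returns (captured_api_names, indicators).  With skip_sleeps=True the
    sandbox emulates 'sleep patching': a hooked Sleep/SleepEx returns
    immediately while the tick count visible to the sample is advanced by the
    requested amount, so no wall-clock analysis budget is spent waiting.
    """
    wall_ms = 0          # real analysis time consumed
    sample_tick_ms = 0   # what GetTickCount() would report to the sample
    captured, indicators = [], []

    for api, args in trace:
        if wall_ms >= window_ms:
            break  # window exhausted; the remaining calls are never observed
        captured.append(api)
        if api in SLEEP_APIS:
            ms = args["dwMilliseconds"]
            if ms >= LONG_SLEEP_THRESHOLD_MS:
                indicators.append(f"long sleep: {api}({ms} ms)")
            sample_tick_ms += ms
            if not skip_sleeps:
                wall_ms += ms  # the sandbox really waits and the window drains
        else:
            wall_ms += 10          # assumption: a non-sleep call costs ~10 ms
            sample_tick_ms += 10
    return captured, indicators


def main():
    naive, _ = analyse(SAMPLE_TRACE)
    print("fixed-window sandbox saw:", naive)        # only the sleep call
    patched, indicators = analyse(SAMPLE_TRACE, skip_sleeps=True)
    print("sleep-skipping sandbox saw:", patched)    # sleep, C2 fetch, file write
    print("indicators:", indicators)


if __name__ == "__main__":
    main()
```

The long-sleep indicator is worth recording even when the sandbox skips the wait, since an unexplained ten-minute pause at start-up is itself suspicious. The caveat is that skipping must stay consistent: if the sandbox fast-forwards the tick count the sample reads but not, say, the system time or RDTSC, a sample can compare the two clocks and detect that it is being analysed.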

Like much other malware, Nap relies on a fast-flux command-and-control network to receive updates and commands. Such networks use domains whose DNS records shift rapidly between many different IP addresses, making it difficult for victims to block the source of the attack, or to identify a clear pattern of malicious activity. In the case of Nap, FireEye researchers identified systems in Latvia, Ukraine, Taiwan and Kazakhstan, as well as in Pittsburgh, Pennsylvania, that were hosting Nap command and control domains.
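The rapid IP churn described above is also what makes fast flux detectable on the defender’s side. The following is an added example (not FireEye’s code and not based on Nap’s real C2 domains) that scores domains from repeated DNS lookups using three cheap signals: short TTLs, the number of distinct A records seen over time, and how many different /24 networks those records span. The lookups are constructed, the domain names are placeholders, and the thresholds and the use of /24 prefixes as a stand-in for ASN diversity are assumptions.

```python
"""Heuristic fast-flux scoring over repeated DNS lookups.

Added illustration; not FireEye's code and not derived from Nap's real C2
infrastructure.  The observations are constructed: one 'flux' domain whose
A records change on every lookup with a short TTL, and one stable domain.
"""
from collections import defaultdict

# Constructed observations: (domain, lookup_time_s, ttl_s, [A records]).
OBSERVATIONS = [
    ("update-svc.example.invalid", 0,   300, ["198.51.100.7", "203.0.113.21", "192.0.2.44"]),
    ("update-svc.example.invalid", 300, 300, ["203.0.113.90", "192.0.2.9", "198.51.100.130"]),
    ("update-svc.example.invalid", 600, 300, ["192.0.2.200", "198.51.100.33", "203.0.113.5"]),
    ("update-svc.example.invalid", 900, 300, ["198.51.100.77", "203.0.113.160", "192.0.2.120"]),
    ("www.example.invalid", 0,    3600, ["192.0.2.10"]),
    ("www.example.invalid", 3600, 3600, ["192.0.2.10"]),
    ("www.example.invalid", 7200, 3600, ["192.0.2.10"]),
]

FLUX_MAX_TTL_S = 600      # assumption: flux TTLs are typically minutes
FLUX_MIN_UNIQUE_IPS = 8   # assumption: total distinct A records over the window
FLUX_MIN_NETWORKS = 3     # assumption: distinct /24s as a proxy for AS diversity


def slash24(ip):
    """Return the /24 prefix of a dotted-quad IPv4 address."""
    return ".".join(ip.split(".")[:3])


def score_domains(observations):
    """Aggregate lookups per domain and flag fast-flux-like behaviour.

    Returns {domain: {"unique_ips", "networks", "max_ttl",
                      "ip_churn_per_lookup", "fast_flux"}}.
    """
    per = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": [], "lookups": 0})
    for domain, _when, ttl, answers in observations:
        d = per[domain]
        d["lookups"] += 1
        d["ttls"].append(ttl)
        d["ips"].update(answers)
        d["nets"].update(slash24(ip) for ip in answers)

    result = {}
    for domain, d in per.items():
        max_ttl = max(d["ttls"])
        churn = len(d["ips"]) / d["lookups"]   # distinct IPs seen per lookup
        fast_flux = (
            max_ttl <= FLUX_MAX_TTL_S
            and len(d["ips"]) >= FLUX_MIN_UNIQUE_IPS
            and len(d["nets"]) >= FLUX_MIN_NETWORKS
        )
        result[domain] = {
            "unique_ips": len(d["ips"]),
            "networks": len(d["nets"]),
            "max_ttl": max_ttl,
            "ip_churn_per_lookup": round(churn, 2),
            "fast_flux": fast_flux,
        }
    return result


if __name__ == "__main__":
    for domain, score in score_domains(OBSERVATIONS).items():
        print(domain, score)
```

A content delivery network also answers with short TTLs and rotating addresses, so TTL alone is a weak signal; what separates flux networks from CDNs in practice is that the addresses are scattered across unrelated residential or small-hosting networks rather than one provider’s ranges, which is why the network-diversity term carries the most weight here. In production the /24 proxy should be replaced by a real IP-to-ASN lookup.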

FireEye describes long sleep cycles as a “classic” technique for staying under the radar of automated analysis and antivirus software. Many so-called “advanced persistent threats” (APTs) are also known to lie dormant for days, weeks or even months before springing into action. That hibernation complicates the incident responder’s job of pinning down the moment of initial infection, since the first observable malicious activity may come long after the compromise itself.
