Recently we reported that Symantec provides an overview and analysis of the year in global threat activity via its Internet Security Threat Report (ISTR), with the exclusive detail that 400 million new variants of malware were created in 2011, which is an average of 33 million new variants of malware a month, or an average of one million new variants a day.
In order to develop malware that evades detection by the security companies, malware writers come up with some clever, yet quite simple, techniques. If malware stops itself when it detects that it is running in a virtual environment, it may trick an automated threat analysis system into thinking that it is a clean program.
So malware may not only fool automated threat analysis systems, but also a corporate system administrator who is searching for computers compromised by malware. Malware authors have recently attempted to use other approaches to fool automated threat analysis systems as well.
The latest example of such a Trojan is one where the malware attaches its malicious code to routines normally used only to control the inputs from mouse clicks. The malicious code is designed to remain inactive unless the mouse itself is in use, giving a fair chance that the RAT will remain undetected in the never-ending cat-and-mouse game these two parties play.
Technically, this malware variant uses the SetWindowsHookExA Windows API function to inject itself into the message-handling functions that process mouse events. When the code runs, it waits 300,000 milliseconds, or five minutes, before executing the DecryptCode subroutine, as shown in the image above. It then waits 20 minutes and executes the ModifyRegistry subroutine.
After executing the Network_main subroutine, it waits another 20 minutes. Automated threat analysis systems only spend a small amount of time on one file, so they may not detect the code as malware. Researchers have also come across strains of malware that use "sleep mode" to evade dynamic analysis systems.
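For defenders triaging sandbox output, the following added example (not code from the original report or from Symantec) scans an API-call trace for the two behaviours described above: a mouse hook installed with SetWindowsHookExA and delays that outlast the analysis window. The trace format, the 120-second analysis budget, and the assumption that the delays appear as Sleep calls are constructed for illustration.

```python
import re

# Real Windows hook type ids for mouse hooks (WH_MOUSE = 7, WH_MOUSE_LL = 14).
MOUSE_HOOK_IDS = {7: "WH_MOUSE", 14: "WH_MOUSE_LL"}

# Constructed API-call trace in a hypothetical "<ms since start> <API>(<args>)"
# format, as a long-running manual analysis might record it.
SAMPLE_TRACE = """\
0 SetWindowsHookExA(idHook=7, dwThreadId=0)
12 Sleep(dwMilliseconds=300000)
300020 Sleep(dwMilliseconds=1200000)
1500040 RegSetValueExA(lpValueName=placeholder)
1500050 Sleep(dwMilliseconds=1200000)
"""

CALL_RE = re.compile(r"^(\d+)\s+(\w+)\((.*)\)$")

def parse_trace(text):
    """Yield (timestamp_ms, api_name, args_dict) for each well-formed line."""
    for line in text.splitlines():
        m = CALL_RE.match(line.strip())
        if not m:
            continue  # tolerate blank or malformed lines
        args = dict(a.split("=", 1) for a in m.group(3).split(", ") if "=" in a)
        yield int(m.group(1)), m.group(2), args

def analyze(text, budget_ms=120_000):
    """Report evasion indicators relative to an assumed sandbox time budget."""
    hooks, total_sleep, missed = [], 0, []
    for ts, api, args in parse_trace(text):
        if ts > budget_ms:
            missed.append(api)  # a sandbox that stops at budget_ms never sees this
        if api in ("SetWindowsHookExA", "SetWindowsHookExW"):
            hook_id = int(args.get("idHook", -1))
            if hook_id in MOUSE_HOOK_IDS:
                hooks.append(MOUSE_HOOK_IDS[hook_id])
        elif api == "Sleep":
            total_sleep += int(args.get("dwMilliseconds", 0))
    findings = []
    if hooks:
        findings.append("input-gated: mouse hook installed")
    if total_sleep > budget_ms:
        findings.append("stalling: requested sleep exceeds analysis budget")
    return {"mouse_hooks": hooks, "total_sleep_ms": total_sleep,
            "missed_calls": missed, "findings": findings}

if __name__ == "__main__":
    print(analyze(SAMPLE_TRACE))
```

A sample that raises either finding is a candidate for a longer run with simulated user input before it is treated as clean.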