New Malware Can't Be Caught Napping

Type threatpost
Reporter Chris Brook
Modified 2013-04-17T16:30:47


The aptly named Trojan Nap, a stealthy type of malware recently discovered by researchers at FireEye is able to evade detection methods by tricking scanners into thinking it’s asleep.

This is according to researchers Abhishek Singh and Ali Islam with the California-based security firm who wrote of the malware Tuesday on the company’s Intelligence Lab blog.

After execution, the code requests the executable “newbos2.exe” from “,” before triggering Windows’ SleepEx function. That function, which suspends current threads until a specified condition is met – is set 10 minutes by Trojan Nap’s code. With the system more or less in a “timeout,” detection programs are prevented from automatically identifying the malware as malicious.

The Trojan appears to also be using a fast flux network to better obscure the attacker’s identity. Fast Flux networks normally exploit the way DNS works by making it appear that the host is constantly changing. The IPs drop on and off and change so frequently, law enforcement can’t find the original. Unlike normal fast flux networks however, FireEye claims in this case a single IP address is returned that acts like multiple zombie-like IPs from all over the world.

From there, it’s a vicious cycle.

“Each time when the domain is contacted by malware, it will be a new DNS lookup and the attacker can keep on providing new IPs,” reads the blog entry.

For more on this, including a series of research graphics that describe in depth how the malware evades detection, head to FireEye’s blog.