Symantec's Hiroshi Shinotsuka reports that malware authors have begun tying malware activity to a computer's mouse movement, "so that when the malware receives messages from the mouse, that is, if it is moved or buttons clicked, it runs."
"The tactic is designed to smuggle malicious code past automated threat analysis systems," writes The Register's John Leyden. "During such procedures there's no user input and certainly no mouse moving and clicking. The malicious code is designed to remain inactive unless the mouse itself is in use, giving a fair chance that the RAT (remote access Trojan) will remain undetected."
"Another clever technique relies on the 'sleep' function," writes Softpedia's Eduard Kovacs. "Basically, the malicious subroutines are executed at specific intervals. For instance, there’s a 5 minute 'sleep' time before the DecryptCode subroutine ... is run. Then, it’s 'sleep' again for another 20 minutes before the ModifyRegistry subroutine is executed. By taking breaks between the execution of each subroutine, the chances for the threat analysis system to scan the file precisely at the time when it’s running a piece of malicious code decrease considerably."
"The checks are clever because they are so simple," writes Geek.com's Matthew Humphries. "That simplicity also makes them relatively easy to fool. All Symantec needs do is add some simulated mouse movement to their testing system to fool the mouse check. As for the malware that waits before [executing], it may just be a case of tweaking the system time in order to jolt any sleeping malware into action so it can be detected."