
Malware hides behind the mouse



As it continues to play cat-and-mouse with a computer's security software, malware has taken to hiding behind the computer's mouse, a security vendor said.

H-Online.com quoted Symantec as saying it has found a Trojan which attaches its malicious code to the routines for handling mouse events.

"Since nobody moves the mouse in an automated threat analysis system, the code will remain inactive, and the malware undetected," H-Online.com quoted Symantec as saying.

"Antivirus companies will probably need to introduce virtual mouse nudgers now," it added.

It said this method could thwart automated threat detection systems that monitor the behavior of malware.

Since automated threat monitoring software will check only suspicious cases, "the simplest method of avoiding this form of detection is to allow time to pass, because such analyses are typically aborted after a certain period of time."

It also quoted Symantec as saying that if a suspicious program unpacks its code after five minutes, then waits another 20 minutes before it inserts itself into the registry, and starts network activities another 20 minutes later, "it stands a good chance of remaining undetected."

Another variant uses the SetWindowsHookExA Windows API function to inject itself into the message handling functions that process mouse events, it said.

"On a normal Windows system, a user will sooner or later click on something and activate the malware unwittingly; but on a threat analysis system, the trojan stands a good chance of remaining undetected," it said.

A separate article on Geek.com said all a security vendor needs to do is add simulated mouse movement to its testing system to "fool the mouse check." — BM, GMA News
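Both evasion patterns described in the article, the mouse hook and the long waits, leave traces that an analysis system can flag in its API-call log. The following Python example is added here and is not code from Symantec, H-Online.com or GMA News; the trace line format, the 600-second analysis window and all function names are assumptions, and the sample trace is constructed to follow the 5/20/20-minute timings quoted above, as if recorded with the time limit extended.

```python
import re

# Constructed sandbox API trace: seconds since sample start, API name, arguments.
# The line format is an assumption for this example, not a real sandbox's output.
SAMPLE_TRACE = """\
0.4 NtAllocateVirtualMemory size=0x40000
300.2 NtProtectVirtualMemory prot=PAGE_EXECUTE_READWRITE
301.0 SetWindowsHookExA idHook=7 dwThreadId=0
1500.9 RegSetValueExA key=<constructed>
2701.3 connect addr=<constructed>
"""

MOUSE_HOOKS = {7: "WH_MOUSE", 14: "WH_MOUSE_LL"}  # hook ids from winuser.h
ACTIVITY = {"RegSetValueExA": "registry write", "connect": "network activity"}
LINE = re.compile(r"^(\d+(?:\.\d+)?)\s+(\w+)\s*(.*)$")

def parse_trace(text):
    """Yield (timestamp, api, args) for each well-formed trace line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or malformed lines
        args = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
        yield float(m.group(1)), m.group(2), args

def find_evasion_indicators(text, analysis_timeout=600.0, input_simulated=False):
    """Return (kind, timestamp, detail) findings for a triage analyst."""
    findings = []
    for ts, api, args in parse_trace(text):
        if api.startswith("SetWindowsHookEx"):
            try:
                hook = int(args.get("idHook", ""), 0)
            except ValueError:
                continue  # hook id missing or not numeric
            if hook in MOUSE_HOOKS:
                # Without simulated input the hooked handler is never invoked.
                note = "" if input_simulated else "; no simulated input, handler never ran"
                findings.append(("mouse_hook", ts, MOUSE_HOOKS[hook] + note))
        elif api in ACTIVITY and ts > analysis_timeout:
            # A run aborted at the normal window would have missed this event.
            findings.append(("delayed_activity", ts,
                             f"{ACTIVITY[api]} after the {analysis_timeout:.0f}s analysis window"))
    return findings

if __name__ == "__main__":
    for kind, ts, detail in find_evasion_indicators(SAMPLE_TRACE):
        print(f"{ts:8.1f}s  {kind:17s} {detail}")
```

A `mouse_hook` finding on a run without simulated input means the sample should be re-run with input simulation before it is scored as benign.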