Malware samples use increasingly refined trickery to avoid being detected by automated threat analysis systems. Anti-virus company Symantec reports that it has found a trojan which attaches its malicious code to the routines for handling mouse events. Since nobody moves the mouse in an automated threat analysis system, the code will remain inactive, and the malware undetected.

In view of the exploding numbers of new malware variants – Symantec mentions about 1 million a day – fully automated threat detection systems must do most of the initial work for creating virus signatures. This includes systems on which a potential malware sample is executed and its behavior monitored. Evaluating the results is also a largely automated process; only particularly suspicious cases will be investigated further by an actual person.

The simplest method of avoiding this form of detection is to allow time to pass, because such analyses are typically aborted after a certain period of time. If, however, as observed by Symantec, a suspicious program only unpacks its malicious code after 5 minutes, then waits another 20 minutes before it inserts itself into the registry, and finally begins its network activities another 20 minutes later, it stands a good chance of remaining undetected.

An even cleverer malware variant uses the SetWindowsHookExA Windows API function to inject itself into the message handling functions that process mouse events. On a normal Windows system, a user will sooner or later click on something and activate the malware unwittingly; but on a threat analysis system, the trojan stands a good chance of remaining undetected. AV companies will probably need to introduce virtual mouse nudgers now.