FireEye discovered a new kind of malware today that thwarts antivirus software by, well, taking a nap. Nap, as it’s called, was found attacking financial institutions and hides hackers’ identities in the same way the New York Times’ hackers stayed anonymous.
Currently, researchers are not sure how it enters your system, but they consider it a “malicious downloader” that sneaks in under the radar by putting itself to sleep. That is, many antivirus companies use what are called automated analysis systems. These systems watch a sample of whatever happens to be coming into your computer at that point in time and see whether anything needs to be quarantined. This screening process generally lasts seconds, according to FireEye senior malware researcher Abhishek Singh.
“Nap stops its execution for 10 minutes. So an automated analysis system will time out and will not be able to capture its malicious behavior,” Singh told VentureBeat in an email.
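The stall-to-outlast-the-sandbox trick Singh describes, and the usual sandbox countermeasure (hook the sleep call, fast-forward it, and treat an unusually long sleep as an indicator), shown as an added simulation that is not FireEye’s code or the Nap sample; the “sample” is a constructed stand-in that only records a string, and the sandbox keeps a virtual clock rather than sleeping for real.

```python
import time
from dataclasses import dataclass, field

@dataclass
class Analysis:
    """Result of running a sample under the simulated sandbox."""
    observed: list = field(default_factory=list)  # behaviours the sandbox saw
    sleeps: list = field(default_factory=list)    # sleep durations the sample requested
    timed_out: bool = False

class AnalysisTimeout(Exception):
    pass

def run_in_sandbox(sample, budget_s, skip_sleeps):
    """Run `sample` with time.sleep hooked (hypothetical harness).

    budget_s    : virtual seconds the automated analysis is allowed to watch
    skip_sleeps : False = honour the sleep (clock advances, analysis may time out)
                  True  = fast-forward it (clock does not move) and still log it
    No real sleeping happens; the hook only advances a virtual clock.
    """
    result = Analysis()
    clock = 0.0

    def hooked_sleep(seconds):
        nonlocal clock
        result.sleeps.append(seconds)
        clock += 0.0 if skip_sleeps else seconds
        if clock > budget_s:
            raise AnalysisTimeout

    real_sleep = time.sleep
    time.sleep = hooked_sleep
    try:
        sample(result.observed.append)
    except AnalysisTimeout:
        result.timed_out = True
    finally:
        time.sleep = real_sleep  # always restore the real function
    return result

def stalling_sample(report):
    """Constructed stand-in for a downloader that stalls before acting (no network, no files)."""
    time.sleep(600)  # 10 minutes: outlasts a sandbox that watches for only seconds
    report("fetch:secondary_payload")  # the behaviour a seconds-long window never sees

def long_sleep_indicator(result, threshold_s=60):
    """A sleep far longer than any sandbox budget is itself a detection signal."""
    return any(s >= threshold_s for s in result.sleeps)
```

With a 30-second budget and sleeps honoured, the run times out with nothing observed; with sleep-skipping on, the post-sleep behaviour is captured and the 600-second sleep is flagged either way.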
Once in your system, Nap downloads a file called newbos2.exe that is considered an “information stealer.” FireEye found Nap
The malware writers protect themselves in a similar way to the attackers behind the New York Times hack. Both use the fast-flux method, which hackers use to hide their location behind a number of IP addresses from all over the globe. Singh explained that because the IP addresses come from locations far away from each other, it takes time to discover which, if any, is the right one.
Singh emphasized, however, that law enforcement has no evidence that the two attacks are connected.