Your mouse may actually be a RAT in disguise
Plague-bearing horrors mask themselves as rodent chum
Security researchers have discovered a Trojan that attaches its malicious code to the routines normally used only to handle input from mouse clicks.
The tactic is designed to smuggle malicious code past automated threat analysis systems. During such automated runs there is no user input, and certainly no mouse being moved or clicked. The malicious code is designed to remain inactive unless the mouse is actually in use, giving the RAT (remote access Trojan) a fair chance of going undetected.
The growing volume of malware means automated threat analysis systems are increasingly important; only the more unusual samples get passed on to human analysts. Even if the mouse-attached RAT is caught out at that stage, it still gains extra longevity. The development means that anti-virus firms will probably need to add a virtual mouse clicker and nudger to their automated analysis routines.
The sneaky mouse-hogging malware was detected by security researchers at Symantec. The security giant has also come across strains of malware that use "sleep mode" to evade dynamic analysis systems.
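The two evasions the article describes, modelled against a toy sandbox as an added example (this is not code from the article or from Symantec's write-up). One stand-in sample only fires its payload from a mouse-input hook after a few clicks; the other sleeps past the analysis window. The sandbox can be run plain or with the two countermeasures the article points at, synthetic mouse input and capped sleeps, and a post-run check reports which rerun is worth doing. The Windows API names used (SetWindowsHookEx, WH_MOUSE_LL, Sleep) and the C2 hostname are assumptions for the demonstration; the article does not say which routines the Trojan hooks.

```python
"""Toy sandbox vs. mouse-gated and sleeping samples. Added example; API names
(SetWindowsHookEx, WH_MOUSE_LL, Sleep) are assumed, not taken from the article."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List


class AnalysisTimeout(Exception):
    """Raised when the sample outlives the sandbox's time budget."""


@dataclass
class Sandbox:
    """Minimal model of an automated analysis system's API monitor."""
    simulate_user: bool = False     # deliver synthetic clicks to mouse hooks?
    accelerate_sleep: bool = False  # cap each Sleep() so the sample can't wait us out
    budget_ms: int = 60_000         # analysis window
    clock_ms: int = 0
    mouse_hooks: List[Callable] = field(default_factory=list)
    trace: List[str] = field(default_factory=list)  # what the monitor logs
    payload_ran: bool = False

    # --- API surface the sample sees (names assumed) ---
    def SetWindowsHookEx(self, hook_type: str, callback: Callable) -> None:
        self.trace.append(f"SetWindowsHookEx({hook_type})")
        if hook_type == "WH_MOUSE_LL":
            self.mouse_hooks.append(callback)

    def Sleep(self, ms: int) -> None:
        self.trace.append(f"Sleep({ms})")
        self.clock_ms += min(ms, 1_000) if self.accelerate_sleep else ms
        if self.clock_ms >= self.budget_ms:
            raise AnalysisTimeout  # the sandbox kills the process

    def connect(self, host: str) -> None:
        self.trace.append(f"connect({host})")
        self.payload_ran = True  # the observable malicious behaviour

    # --- analysis driver ---
    def run(self, sample: Callable[["Sandbox"], None]) -> None:
        try:
            sample(self)  # entry point: registers hooks, sleeps, ...
        except AnalysisTimeout:
            self.trace.append("killed: analysis budget exhausted")
            return
        # Message pump for the rest of the budget: with simulate_user set,
        # every 500 ms a synthetic left click reaches each registered hook.
        while self.clock_ms < self.budget_ms:
            self.clock_ms += 500
            if self.simulate_user:
                for hook in list(self.mouse_hooks):
                    hook(self, "WM_LBUTTONDOWN")


def mouse_gated_rat(sb: Sandbox) -> None:
    """Constructed stand-in for the article's RAT: the payload lives in the hook."""
    clicks = 0

    def hook(sb: Sandbox, msg: str) -> None:
        nonlocal clicks
        if msg == "WM_LBUTTONDOWN":
            clicks += 1
        if clicks >= 3 and not sb.payload_ran:  # only once the box looks in use
            sb.connect("c2.example.invalid")    # hypothetical hostname

    sb.SetWindowsHookEx("WH_MOUSE_LL", hook)


def sleeper(sb: Sandbox) -> None:
    """Constructed stand-in for the 'sleep mode' strain: wait out the window."""
    sb.Sleep(10 * 60 * 1000)  # ten minutes, longer than the budget
    sb.connect("c2.example.invalid")


def rerun_hints(sb: Sandbox) -> List[str]:
    """Post-run checks: did the sample set conditions a plain run can't satisfy?"""
    hints = []
    if any(t.startswith("SetWindowsHookEx(WH_MOUSE") for t in sb.trace) and not sb.simulate_user:
        hints.append("mouse hook registered: rerun with synthetic mouse input")
    total_sleep = sum(int(m) for t in sb.trace for m in re.findall(r"^Sleep\((\d+)\)$", t))
    if total_sleep >= sb.budget_ms and not sb.accelerate_sleep:
        hints.append("sample sleeps past the budget: rerun with sleep acceleration")
    return hints


def analyse(sample: Callable[[Sandbox], None], simulate_user: bool = False,
            accelerate_sleep: bool = False) -> Dict[str, object]:
    sb = Sandbox(simulate_user=simulate_user, accelerate_sleep=accelerate_sleep)
    sb.run(sample)
    return {"payload_ran": sb.payload_ran, "trace": sb.trace, "hints": rerun_hints(sb)}


if __name__ == "__main__":
    for name, sample in (("mouse-gated RAT", mouse_gated_rat), ("sleeper", sleeper)):
        plain = analyse(sample)
        tuned = analyse(sample, simulate_user=True, accelerate_sleep=True)
        print(f"{name}: plain run payload={plain['payload_ran']} hints={plain['hints']}; "
              f"tuned run payload={tuned['payload_ran']}")
```

The point of `rerun_hints` is that a sandbox need not simulate input on every run: the hook registration and the oversized sleep are themselves visible in the API trace, so a plain run that saw nothing malicious can still flag the sample for a second pass with input simulation or sleep acceleration turned on.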
A detailed write-up of both (unnamed) threats can be found in a blog post here. ®
You are correct of course and installing it will almost certainly require admin privilege.
The problem is that we have largely moved away from the "running as admin" and "unauthorised privilege escalation" problems only to find a bit of a showstopper, the "yes, of course I'll allow that Faceberk widget to install" and "of course I want a FREE!!11!!! antivirus scanner" ones.
Unfortunately, fixing those involves either killing users or going to an "install from the heavily policed app store only" model and fucking over the not-as-dumb-as-a-bag-of-hammers types as a side-effect.
The weakest link in any security system is the human aspect and some people are just irredeemably thick. I've yet to see an answer to this one that I like the look of.
The reason *nix based OSes don't have a problem...
...is because they are mainly set up and maintained by someone who knows what they are doing. The same as if the person setting up and maintaining a Windows box knows what they are doing. It's secure and no crap gets installed on it.
Look at the average user. The one who will click yes on any popup box if their free download of pink pony screensaver asks for permissions.
That kind of person probably doesn't know (or care) how to install Linux on anything. They use whatever the box they bought came with.
If Linux was the default operating system installed on all PCs, they would have the same idiots doing the same thing and giving the same permission to malware posing as freebies.
Re: The reason *nix based OSes don't have a problem...
I actually disagree. There is more scope for this type of event handler to affect UNIX and Linux systems, at least as long as they run a GUI that uses X11.
Part of X11 allows a suitably written program with the correct permissions (and this is NOT superuser in this case, but the user's own credential set) to re-parent a window, or indeed to insert itself anywhere in the window hierarchy. As a result, all graphic and input events destined for a window go through said program before actually being sent to the application running the window.
This allows such things as all key-press events to be captured by said program, and mouse events to be used to trigger specific actions. This is by design, and is how an X11 Window Manager works, by inserting itself between the root window and all applications. This is also how programs like xscope work.
The credentials required are such things as Magic Cookies, which for systems where the client and server programs run on the same system are often stored in protected files in the user's home directory (there are other more sophisticated methods of protection [using such things as Kerberos and SSH tunnels with SSH agent], but cryptographically signed cookies are still the most common).
This means that if a user can be persuaded to run such a program on the machine with these credentials available, they are at risk of leaking significant amounts of information. There is no requirement to become a privileged user. This is why it is important on UNIX and Linux to keep a firm control of the programs that users are allowed to run. But this often comes down to being a social engineering attack, like so many other ways of bypassing security. If you can make a user run an arbitrary program, then all bets are off regarding the security of that user, regardless of which OS they are using.
Please note that unless the cookies are leaked, this mechanism will not allow one user on a multi-user system to access another user's session on the same machine. Not that this happens very much in these days of single user Linux systems.
I don't think that many people using UNIX or Linux nowadays actually understand the way that X11 authentication works any more, and that is why the icon.
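The credential file the comment above refers to is ~/.Xauthority, which holds MIT-MAGIC-COOKIE-1 entries: one per display, each a random secret that any program able to read the file can present to the X server. As an added example (not the commenter's code and not part of X.Org), here is a parser for that file's record layout, a summary that reports what is in it without printing the secrets, and a mode check for the leak the comment describes. The layout (big-endian 16-bit family, then four length-prefixed fields: address, display number, authorization name, data) is what libXau reads and writes; the sample blob, the hostname `workstation` and the cookie bytes are constructed for the demonstration.

```python
"""Parse and audit an X11 ~/.Xauthority file. Added example; the sample
records below are constructed, the record layout is libXau's."""
import ipaddress
import os
import stat
import struct
from dataclasses import dataclass
from typing import List, Tuple

FAMILY_INTERNET, FAMILY_INTERNET6, FAMILY_LOCAL, FAMILY_WILD = 0, 6, 256, 65535


@dataclass
class XauthEntry:
    family: int
    address: bytes  # hostname (Local), packed IP (Internet/Internet6), or empty
    number: str     # display number
    name: str       # authorization protocol, e.g. MIT-MAGIC-COOKIE-1
    data: bytes     # the secret itself

    @property
    def display(self) -> str:
        if self.family == FAMILY_LOCAL:
            host = self.address.decode("latin-1")
        elif self.family == FAMILY_INTERNET and len(self.address) == 4:
            host = str(ipaddress.IPv4Address(self.address))
        elif self.family == FAMILY_INTERNET6 and len(self.address) == 16:
            host = str(ipaddress.IPv6Address(self.address))
        elif self.family == FAMILY_WILD:
            host = "*"
        else:
            host = self.address.hex()
        return f"{host}:{self.number}"


def _field(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read one 16-bit big-endian length-prefixed field; reject truncation."""
    if off + 2 > len(buf):
        raise ValueError("truncated Xauthority record")
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated Xauthority record")
    return buf[off:off + n], off + n


def parse_xauthority(buf: bytes) -> List[XauthEntry]:
    entries, off = [], 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise ValueError("truncated Xauthority record")
        (family,) = struct.unpack_from(">H", buf, off)
        off += 2
        address, off = _field(buf, off)
        number, off = _field(buf, off)
        name, off = _field(buf, off)
        data, off = _field(buf, off)
        entries.append(XauthEntry(family, address, number.decode("ascii"),
                                  name.decode("ascii"), data))
    return entries


def build_entry(family: int, address: bytes, number: str, name: str, data: bytes) -> bytes:
    """Inverse of the parser; used here only to construct the sample file."""
    out = struct.pack(">H", family)
    for part in (address, number.encode("ascii"), name.encode("ascii"), data):
        out += struct.pack(">H", len(part)) + part
    return out


def mode_is_private(mode: int) -> bool:
    """True when neither group nor others hold any permission bit (0600 or tighter)."""
    return (stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def audit(entries: List[XauthEntry], mode: int) -> List[str]:
    """Findings a defender would act on; never includes the cookie bytes."""
    findings = []
    if not mode_is_private(mode):
        findings.append(f"file mode {stat.S_IMODE(mode):04o} lets other users read the cookies")
    for e in entries:
        if e.family == FAMILY_WILD:
            findings.append(f"wildcard entry for display :{e.number} applies to any host")
        if e.name == "MIT-MAGIC-COOKIE-1" and len(e.data) < 16:
            findings.append(f"{e.display}: short cookie ({len(e.data)} bytes)")
    return findings


# Constructed sample: a local display and a TCP display, both with 16-byte cookies.
SAMPLE = (build_entry(FAMILY_LOCAL, b"workstation", "0", "MIT-MAGIC-COOKIE-1", bytes(range(16)))
          + build_entry(FAMILY_INTERNET, bytes([127, 0, 0, 1]), "1", "MIT-MAGIC-COOKIE-1", bytes(16)))

if __name__ == "__main__":
    path = os.path.expanduser("~/.Xauthority")
    if os.path.exists(path):
        with open(path, "rb") as f:
            blob, mode = f.read(), os.stat(path).st_mode
    else:
        blob, mode = SAMPLE, 0o100644  # pretend the sample was left group/world-readable
    entries = parse_xauthority(blob)
    for e in entries:
        print(f"{e.display:24} {e.name} ({len(e.data)}-byte secret)")
    for finding in audit(entries, mode):
        print("!", finding)
```

Run on a real account it reads the user's own ~/.Xauthority and lists displays and protocol names only; the cookie bytes never reach the terminal, which is the habit to keep when handling this file in scripts or log output.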