Last Friday, SANS reported that cybercriminals had managed to compromise Bible.org, a site that offered various Bible-related resources. An exploit injected into the website was designed to push malware via an Adobe Reader vulnerability onto the systems of visitors.
In the meantime, Bible.org has been cleaned up, but security researchers from Websense have found that the cybercriminals who compromised the site used a clever technique to ensure that their malicious code remained undetected.
Honeyclients are often used to automatically scan websites for threats. The testing takes longer than with signature-based solutions, but the results are more accurate.
Since honeyclients usually run in virtual machine sandboxes, cybercriminals need a way to make their malware run only when no virtual environment is detected.
This particular evasion technique relies on mouse movements to detect the presence of a virtual machine. Because more primitive honeyclients don't require a mouse, the absence of mouse movement is a good indicator that the malware is being analyzed by security researchers.
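One defensive response to a user-interaction gate of this kind is to look for it statically: a script that only does something interesting after a mouse event, and whose "something" is dynamic code generation, deserves a closer look even if a honeyclient saw nothing. The following scanner is an added example written for this article; it is not code from Websense, SANS or the Bible.org cleanup. It assumes the gate is implemented as a mouse-event handler in page JavaScript (the article only says the check relied on mouse movements) and the list of dynamic-code indicators is an assumption too. The three sample scripts are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field

# Assumed shape of a mouse-movement gate in page JavaScript: an event listener
# or on* handler for a mouse event. The article states only that the evasion
# relied on mouse movements, so this pattern is the scanner author's assumption.
MOUSE_GATE = re.compile(
    r"""(?:addEventListener\s*\(\s*['"]mouse(?:move|over|down)['"]|\bon(?:mousemove|mouseover)\s*=)""",
    re.IGNORECASE,
)

# Indicators that a script builds or executes code at run time. Any one of them
# is common in legitimate pages; combined with a mouse gate they are worth a look.
DYNAMIC_CODE = {
    "eval": re.compile(r"\beval\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode\s*\("),
    "document.write": re.compile(r"document\.write(?:ln)?\s*\("),
    "iframe": re.compile(r"""<iframe|createElement\s*\(\s*['"]iframe['"]""", re.IGNORECASE),
}


@dataclass
class Finding:
    name: str
    mouse_gated: bool
    indicators: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Flag only the combination: a mouse gate AND dynamic-code behaviour.
        return self.mouse_gated and bool(self.indicators)


def scan_script(name: str, source: str) -> Finding:
    """Classify one script body by the two ingredients described above."""
    gated = bool(MOUSE_GATE.search(source))
    hits = [label for label, rx in DYNAMIC_CODE.items() if rx.search(source)]
    return Finding(name, gated, hits)


def scan_page(scripts: dict) -> list:
    """Return only the findings that combine a mouse gate with dynamic code."""
    return [f for f in (scan_script(n, s) for n, s in scripts.items()) if f.suspicious]


# Constructed sample scripts (not taken from any real site).
SAMPLE_SCRIPTS = {
    # Benign: moves a tooltip with the cursor. Mouse-gated, but no dynamic code.
    "tooltip.js": """
        var tip = document.getElementById('tip');
        window.addEventListener('mousemove', function (e) {
            tip.style.left = e.pageX + 'px';
            tip.style.top = e.pageY + 'px';
        });
    """,
    # Benign-ish: writes a tracking pixel. Dynamic code, but no mouse gate.
    "analytics.js": """
        document.write('<img src="/pixel.gif" width="1" height="1">');
    """,
    # Suspicious: does nothing until the mouse moves, then decodes and runs code.
    # The payload string is a placeholder, not real content.
    "injected.js": """
        var fired = 0;
        document.addEventListener('mousemove', function () {
            if (!fired) { fired = 1; eval(unescape('PLACEHOLDER_PAYLOAD')); }
        });
    """,
}

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_SCRIPTS):
        print(f"{finding.name}: mouse-gated, indicators={finding.indicators}")
```

The scanner is deliberately narrow: a mouse handler alone is normal web development, and `document.write` or `eval` alone is common in analytics and widget code, so only the combination is reported. It complements rather than replaces a honeyclient, which can be improved separately by synthesising mouse input so that gated code runs inside the sandbox.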
For a technical analysis of the attack, check out Websense's Security Labs blog.