Malware Learns to Avoid Web-Based Anti-Virus

You may not have noticed, but Google actually scans websites for potential malware and alerts visitors if it has found any. If you’re unlucky enough to click a malware-ridden link from Google’s search engine (or inside Chrome), you should be greeted with a screen like this one.

It basically tells you that Google’s automated security bots have found some form of malware on this site. Unfortunately, new malware implementations can avoid these security measures.

According to Network World, security researchers have discovered a malware that avoids web-based security scanners if there is no mouse movement when the page is loaded.

Obviously, because Google – and others providers – use automated security solutions, there is no mouse movement, which means the malware doesn’t load and Google thinks the site is clean. Oh dear.

As with a lot of the most innovative new malware, the new species was discovered affecting Russian websites – probably a fore-runner before it is translated to the much more lucrative English-speaking market.

The malware works by injecting JavaScript code into the <head> of HTML pages. That’s a normal place to put Javascript, so it’s not suspicious right away. This script then looks for any cursor movement – if there isn’t any, the script realises its a security bot and doesn’t load the virus. If the mouse moves, however, the JavaScript imports an external JavaScript file – a file with malicious intent.

This is currently one of the most popular methods of for hackers to determine whether the site is being visited by a bot or a human, but they’re getting more sophisticated all the time. It’s now up to Google (and other website-checking services) to ensure they counter-act the effort.

As always, the best thing you can do is have adequate web protection and make sure your software is as up-to-date as possible – especially Flash, Java and Adobe Reader.