- Sep 22, 2014
In the real world, special virtualized environments, called sandboxes, are used to analyse malware behaviour and to prevent it from spreading and damaging real users' personal data, important corporate assets, etc. In our research, we focus on how to fight against the detection of sandboxes by malware: we demonstrate several of the techniques used by malware authors to detect virtual environments that leading vendors overlook, and we present solutions to counter these detection techniques.
We also discuss Cuckoo Sandbox, a leading open-source automatic malware analysis system that is widely used in the world of security. Cuckoo Sandbox is easy to deploy and contains features which perform many key aspects of malware analysis, such as collecting information about the malware behaviour, capturing network traffic, processing reports, and more. Nearly all the largest players on the market, including VirusTotal and Malwr, utilize Cuckoo Sandbox as a platform to perform automatic behavioural analysis. Cuckoo Sandbox can also be used as a backend for anti-malware-related projects. We describe Cuckoo Sandbox bugs, which allow malware to detect a sandboxed environment, as well as possible solutions for these issues.
Malware authors can use evasion techniques against a virtual environment simply by running some specially crafted code. If a sandbox is detected, then the malware may choose, for example, one of the following behaviours:
- Terminate execution, so the analysis yields no behavioural information.
- Perform only non-malicious activity, so the analysis yields false information.
- Perform activities that access, for example, fake domains or IP addresses, generating artifacts (and indicators) that are not relevant.
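To make the "detect, then branch" pattern concrete, the following C program is an added example; it is not code from the paper or from Cuckoo Sandbox, and the specific probe it uses (the CPUID leaf 1 "hypervisor present" bit, ECX bit 31) is one well-known virtualization check that the abstract does not name. The decision function is kept separate from the probe so the three evasive behaviours listed above can be exercised deterministically regardless of the host the code runs on.

```c
/* Added example: sandbox-aware branching around one canonical VM probe.
   Not from the paper; the CPUID hypervisor-bit check is an assumed probe. */
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>   /* __get_cpuid() is provided by GCC and Clang */
#endif

/* What the sample decides to do once it has judged the host. The last three
   correspond to the evasive behaviours listed in the text. */
enum evasive_action {
    ACTION_RUN_PAYLOAD   = 0, /* no sandbox suspected: behave as intended */
    ACTION_TERMINATE     = 1, /* exit silently: the report is empty */
    ACTION_DECOY_BENIGN  = 2, /* do harmless work: the report is misleading */
    ACTION_DECOY_NETWORK = 3  /* contact fake domains/IPs: irrelevant artifacts */
};

/* Probe: returns 1 if CPUID leaf 1 reports the hypervisor-present bit
   (ECX bit 31), 0 if it does not, and -1 when the probe is unavailable
   (non-x86 build or leaf 1 unsupported). A set bit means "some hypervisor",
   not "a sandbox"; real samples combine several probes before deciding. */
int hypervisor_bit_set(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax = 0, ebx = 0, ecx = 0, edx = 0;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return -1;
    return (int)((ecx >> 31) & 1u);
#else
    return -1;
#endif
}

/* Decision: given the probe verdict and the evasion strategy the author
   compiled in, return the action to take. An unknown verdict (-1) is treated
   like "not detected", the conservative choice for a sample that still wants
   to run on real victims. */
enum evasive_action choose_action(int sandbox_detected, enum evasive_action strategy)
{
    if (sandbox_detected <= 0)
        return ACTION_RUN_PAYLOAD;
    switch (strategy) {
    case ACTION_TERMINATE:
    case ACTION_DECOY_BENIGN:
    case ACTION_DECOY_NETWORK:
        return strategy;
    default:
        return ACTION_TERMINATE; /* unknown strategy: fail closed */
    }
}

const char *action_name(enum evasive_action a)
{
    switch (a) {
    case ACTION_RUN_PAYLOAD:   return "run payload";
    case ACTION_TERMINATE:     return "terminate";
    case ACTION_DECOY_BENIGN:  return "decoy: benign activity";
    case ACTION_DECOY_NETWORK: return "decoy: fake network artifacts";
    }
    return "unknown";
}

int main(void)
{
    int verdict = hypervisor_bit_set();
    printf("hypervisor bit: %d\n", verdict);
    printf("chosen action: %s\n",
           action_name(choose_action(verdict, ACTION_DECOY_NETWORK)));
    return 0;
}
```

On the analyst side this particular probe is cheap to defeat: VMware lets the bit be hidden with `hypervisor.cpuid.v0 = "FALSE"` in the guest's .vmx, and QEMU/KVM with `-cpu host,-hypervisor`, which is the kind of countermeasure the research refers to. Note also that a single probe returning 1 is weak evidence (the bit is set on any ordinary cloud VM), so the decision function above should be read as the skeleton that real samples wrap around a bundle of checks.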