How "safe" are sandboxes?

Morvotron

Thread author
Mar 24, 2015
I've read lots and lots of things about sandboxes, and as far as I've understood and tested, this software isolates the file you're trying to run so you "test" it before actually using it, in a safe environment, so if anything goes wrong nothing happens to your system.

My question is: how safe is this kind of software? If we talk about a well-coded sandbox, is it 100% safe to use? Are we 100% sure malware has no real way to actually "escape" the sandbox and infiltrate the system? Or maybe the sandbox failing to isolate the file?

Have a good night
 

McLovin

Apr 17, 2011
Hello there,
Only talking from experience, I have not had a problem with sandboxes. It is also the best way to test a program out before you install it on your main computer/host, so you know if it is going to do anything bad to your host. If I'm right, I think @Umbra uses sandboxes in his lockdown config (could be wrong). I have also not seen anything escape from a sandbox.
 

DaveM

Feb 12, 2016
It's as safe as the developer makes it. Like any software, one wrong line of code can ruin it all. It's also important to understand that sandbox environments have become a target of interest to hackers, and we may be seeing more and more exploits as time goes on and people abandon more traditional security applications.
 

jamescv7

Mar 15, 2011
Sandboxes are strong enough, as they are at an almost perfect stage where isolation of hardware and software works well, and executing malware samples will not cause leakage to the host system.

As far as possible, the vulnerabilities that do occur are full proofs of concept of a possible outcome, and developers have taken action to fix them.

The only thing viruses can do is terminate themselves when they detect an isolated environment.
 

LabZero

Here is an interesting article:

5 Ways Advanced Malware Evades the Sandbox

Advanced and evasive threats are intentionally designed to evade existing security controls, and their usage and impact only continue to grow.

Stalling

Technique: Malware performs useless CPU cycles disguised to look like non-malicious activity.
In depth: Stalling code exploits two common analysis vulnerabilities:
• The analysis system can only spend a limited amount of execution time, therefore a timeout occurs while the stalling code runs
• Authors design code to take longer to execute in the analysis environment than in the actual environment, therefore what can take minutes in analysis will take seconds on the host

Interaction

Technique: Malware determines whether it is on a real, live PC by lying dormant until predetermined human interaction is initiated.
In depth: Some common human interactions the malware looks for:
• Human scrolling: The user must scroll to a predetermined place in a file; this circumvents random or preprogrammed mouse movements meant to activate it.
• Click count: Waits until a predetermined number of clicks have been made; this circumvents analysis engines that may initiate a single click to try to activate it.
• Mouse speed: Looks for suspiciously fast movement; this circumvents an analysis engine that scrolls at speeds faster than is humanly possible.

Environment Check

Technique: Malware checks the environment for a virtual machine or well-known registry keys/files that would signify a sandbox.
In depth: Malware analyzes whether certain OS versions, apps, keys, files, directories, etc. are present and waits to run malicious code. Some malware even goes to the extent of waiting until an internet connection is present. If the malware's predetermined conditions aren't present, it may terminate.
In a virtual environment, malware will conduct similar checks and modify its behavior accordingly, making analysis more difficult.

Host Fingerprinting

Technique: Malware computes a unique host fingerprint upon arrival in an environment. When the malware starts execution, a new host fingerprint is computed and compared against the original to determine whether it is in a different environment.
In depth: When analysis engines try to analyze in an environment that is even remotely different from where initial contact was made, the malware can detect the change and take a different set of actions to avoid revealing malicious intent.

Sleep

Technique: Using sleep calls, malware refrains from suspicious behavior during monitoring.
In depth: Even beyond adding extended sleep calls to the code, sometimes triggers are added to delay malware execution to a later time and date. During the monitoring process the sandbox detects nothing malicious and moves on.

Source: Secureworks and Lastline, Inc (PDF)

PS: of course we are talking about advanced malware (APTs, for example) coded specifically (also) for this purpose; implementing these features requires very high-level programming knowledge, and some of them are proofs of concept.
In a real scenario the Dyre banking trojan, for example, verifies how many processor cores are active and, if there is only one, the trojan stops. Because virtual machines are often configured with a single-core processor, this is a very effective evasion technique.
The trojan, based on the Upatre downloader, acts by injecting an infected DLL and changing OS registry keys.
Often the new variants of this advanced malware are FUD and are not detected by signature-based AVs due to continuous changes in the code.
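The checks in the quoted article (stalling, sleep, environment check, host fingerprinting) plus the Dyre core-count check, turned into a self-test an analyst can run inside their own sandbox VM. This is an added example, not code from the article, from Secureworks/Lastline, or from Dyre itself: each function returns True (or a non-empty list) when the environment would trip that evasion technique, so a result that is all False/empty means the sandbox image looks like a real host to these checks. Function names, the thresholds, the VM marker list and the Linux DMI/cpuinfo paths are assumptions; every input is injectable so the checks can also be exercised offline on constructed data. The interaction checks (scroll position, click count, mouse speed) need a GUI and are not included.

```python
"""Sandbox self-test: the evasion checks from the article above, written so an
analyst can run them inside their own analysis VM and see which ones would
trip. Every check takes injectable inputs so it can also be exercised offline
on constructed data. Linux paths are assumed for the environment check.
"""
import hashlib
import os
import platform
import socket
import time
import uuid

MIN_CORES = 2           # Dyre-style threshold: single-core host => assume sandbox
SLEEP_TOLERANCE = 0.5   # elapsed < 50% of requested sleep => Sleep() was patched

# Constructed list of strings that commonly appear in the DMI/SMBIOS data and
# CPU flags of a virtual machine; extend it for your own sandbox image.
VM_MARKERS = ("vmware", "virtualbox", "vbox", "qemu", "kvm", "xen",
              "hyper-v", "bochs", "parallels", "hypervisor")

# Linux-specific locations of the strings above (assumption).
DMI_PATHS = ("/sys/class/dmi/id/sys_vendor", "/sys/class/dmi/id/product_name",
             "/sys/class/dmi/id/board_vendor", "/proc/cpuinfo")


def single_core(cpu_count=None):
    """Environment check (Dyre): fewer than MIN_CORES cores are visible."""
    n = cpu_count if cpu_count is not None else (os.cpu_count() or 1)
    return n < MIN_CORES


def sleep_accelerated(requested_s=1.0, sleep=time.sleep, clock=time.perf_counter):
    """Sleep check: a sandbox that fast-forwards Sleep() to get past delays
    leaves far less wall-clock time elapsed than the sample asked for."""
    start = clock()
    sleep(requested_s)
    return clock() - start < requested_s * SLEEP_TOLERANCE


def stall(seconds, clock=time.perf_counter):
    """Stalling: burn the sandbox's time budget with busy work instead of
    Sleep(), which a patched Sleep() cannot skip over. Returns the wall-clock
    seconds actually consumed, to compare with the sandbox timeout."""
    start, acc, i = clock(), 0, 0
    while clock() - start < seconds:
        acc = (acc * 31 + i) & 0xFFFFFFFF   # checksum-looking work with no purpose
        i += 1
    return clock() - start


def _read(path):
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return ""


def vm_artifacts(strings=None):
    """Environment check: hypervisor names in DMI strings or the 'hypervisor'
    CPU flag. Returns the markers found (empty list on a clean-looking host)."""
    if strings is None:
        strings = [_read(p) for p in DMI_PATHS]
    haystack = " ".join(strings).lower()
    return sorted(m for m in VM_MARKERS if m in haystack)


def host_fingerprint(hostname=None, mac=None, cores=None, machine=None):
    """Host fingerprinting: hash of attributes that stay stable on the victim
    but differ once the sample is detonated somewhere else."""
    parts = (
        hostname if hostname is not None else socket.gethostname(),
        mac if mac is not None else format(uuid.getnode(), "012x"),
        str(cores if cores is not None else (os.cpu_count() or 1)),
        machine if machine is not None else platform.machine(),
    )
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


def moved_hosts(original_fp, **current):
    """True when the fingerprint computed now differs from the one recorded at
    first contact, i.e. the sample has been moved into another environment."""
    return host_fingerprint(**current) != original_fp


def self_test():
    """Run the host-independent checks live; True / non-empty means 'would trip'."""
    return {
        "single_core": single_core(),
        "sleep_accelerated": sleep_accelerated(0.5),
        "vm_artifacts": vm_artifacts(),
    }


if __name__ == "__main__":
    for name, result in self_test().items():
        print(f"{name:18} {result}")
    print(f"stall(0.5s) consumed {stall(0.5):.2f}s")
```

The point of the fingerprint pair is the second call: record `host_fingerprint()` once, then pass the current attributes to `moved_hosts()`; any change in hostname, MAC, core count or architecture flags the move. On the defensive side, the checks that are easiest to fix in a sandbox image are the first three: give the VM at least two cores, stop patching sleeps (or patch them consistently with the clock the sample reads), and scrub hypervisor strings from DMI data.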
 

Morvotron

Thread author
Awesome answers from everybody! Thanks for your opinions. Now I get it. A sandbox, like any security software, is safe, but the weak point is always the human. One single mistake and it's all dead. Maybe not even a mistake, just better techniques from the malware coder. Thanks a lot!
 
