Here is an interesting article:
5 Ways Advanced Malware Evades the Sandbox
Advanced and evasive threats are intentionally designed to evade existing security controls, and their use and impact only continue to grow.
Stalling
Technique: Malware burns CPU cycles on useless work that is disguised to look like benign activity.
In depth: Stalling code exploits two common weaknesses of automated analysis:
• The analysis system can spend only a limited amount of execution time on each sample, so the time-out is reached while the stalling code is still running and the payload never executes under observation.
• The code is written so that it runs far slower inside an instrumented analysis environment than on a real host: a loop that takes seconds on bare metal can take minutes under emulation or API hooking.
Interaction
Technique: Malware determines whether it is running on a real, user-operated PC by lying dormant until a predetermined human interaction occurs.
In depth: Some common human interactions the malware looks for:
• Scrolling: the user must scroll to a predetermined position in a document before the payload activates, which defeats sandboxes that only simulate random or scripted mouse movement.
• Click count: the malware waits until a predetermined number of clicks has occurred, which defeats analysis engines that issue a single click to trigger activity.
• Mouse speed: the malware looks for suspiciously fast pointer movement, which betrays an analysis engine that moves or scrolls faster than any human could.
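As an added example (not code from the Secureworks/Lastline article), here are the three interaction checks above applied to a recorded stream of pointer events. The thresholds, the event format and the two event streams are constructed assumptions; a sample would collect the real events through the GUI subsystem it is running under.

```python
# Added example, not code from the Secureworks/Lastline article: the three
# interaction checks above applied to a recorded stream of pointer events.
# Thresholds and the two event streams are constructed assumptions.
import math
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PointerEvent:
    t: float             # seconds since the document was opened
    x: int = 0           # pointer position in pixels
    y: int = 0
    kind: str = "move"   # "move", "click" or "scroll"
    scroll_pos: int = 0  # document offset, only meaningful for "scroll"


MAX_HUMAN_SPEED = 5000.0   # px/s; faster than this and nobody is holding the mouse
MIN_CLICKS = 3             # a sandbox typically fires a single click to trigger activity
TARGET_SCROLL_POS = 2000   # the "predetermined place in the file"


def peak_speed(events: List[PointerEvent]) -> float:
    """Highest speed between consecutive move events, in px/s."""
    fastest, prev = 0.0, None
    for ev in (e for e in events if e.kind == "move"):
        if prev is not None:
            dt = ev.t - prev.t
            if dt <= 0:  # two positions at the same instant: scripted, not human
                return math.inf
            fastest = max(fastest, math.hypot(ev.x - prev.x, ev.y - prev.y) / dt)
        prev = ev
    return fastest


def click_count(events: List[PointerEvent]) -> int:
    return sum(1 for e in events if e.kind == "click")


def reached_scroll_target(events: List[PointerEvent], target: int = TARGET_SCROLL_POS) -> bool:
    return any(e.kind == "scroll" and e.scroll_pos >= target for e in events)


def failed_checks(events: List[PointerEvent]) -> List[str]:
    """Checks the event stream failed; an empty list means 'looks like a human, activate'."""
    failed = []
    if click_count(events) < MIN_CLICKS:
        failed.append("too few clicks")
    if peak_speed(events) > MAX_HUMAN_SPEED:
        failed.append("pointer too fast")
    if not reached_scroll_target(events):
        failed.append("scroll target not reached")
    return failed


# Constructed streams: a scripted sandbox (one click, teleporting pointer, no
# scrolling) versus a person reading and scrolling through the document.
SANDBOX_EVENTS = [
    PointerEvent(0.00, 0, 0),
    PointerEvent(0.01, 1500, 900),           # 1749 px in 10 ms: about 175,000 px/s
    PointerEvent(0.02, 1500, 900, "click"),
]
HUMAN_EVENTS = [
    PointerEvent(0.0, 100, 100),
    PointerEvent(0.5, 400, 300),             # about 720 px/s
    PointerEvent(1.0, 400, 300, "click"),
    PointerEvent(2.0, 420, 310, "click"),
    PointerEvent(3.0, 430, 320, "click"),
    PointerEvent(4.0, kind="scroll", scroll_pos=800),
    PointerEvent(6.5, kind="scroll", scroll_pos=2100),
]

if __name__ == "__main__":
    for name, stream in (("sandbox", SANDBOX_EVENTS), ("human", HUMAN_EVENTS)):
        print(name, "->", failed_checks(stream) or "activate payload")
```

The checks are only as good as the sandbox's input simulation is bad: an analysis engine that replays a slow, multi-click, scrolling session recorded from a real user passes all three, which is why modern sandboxes do exactly that.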
Environment Check
Technique: Malware checks the environment for a virtual machine, or for well-known registry keys and files that would signify a sandbox.
In depth: Malware checks whether particular OS versions, applications, registry keys, files, directories and so on are present, and withholds its malicious code until its conditions are met. Some malware even goes to the extent of waiting until an internet connection is available. If the predetermined conditions are not met, it may simply terminate.
In a virtual environment, malware conducts similar checks for hypervisor artifacts and modifies its behavior accordingly, making analysis more difficult.
Host Fingerprinting
Technique: Malware computes a unique host fingerprint when it first arrives on a system. Each time it starts executing, it computes a fresh fingerprint and compares it with the original to determine whether it is now running in a different environment.
In depth: When an analysis engine runs the sample in an environment that differs even slightly from the one where the initial infection occurred, the malware detects the change and takes a different set of actions to avoid revealing its malicious intent.
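As an added example serving both the Environment Check and Host Fingerprinting sections (not code from the Secureworks/Lastline article), the following implements both ideas as pure functions over a dictionary of host attributes, so the logic can be exercised offline with constructed data. The MAC prefixes, driver names and user names are assumptions drawn from public hypervisor documentation, not from the article, and the two sample hosts are constructed.

```python
# Added example, not code from the Secureworks/Lastline article: the environment
# checks and the host-fingerprint comparison described above, written as pure
# functions over a dict of host attributes so they can be tested offline.
# MAC prefixes, driver names and user names below are assumptions drawn from
# public hypervisor documentation, not from the article.
import getpass
import hashlib
import hmac
import os
import platform
import socket
import uuid

VM_MAC_PREFIXES = ("00:05:69", "00:0c:29", "00:1c:14", "00:50:56",   # VMware OUIs
                   "08:00:27")                                        # VirtualBox OUI
VM_GUEST_DRIVERS = ("vmmouse.sys", "vmhgfs.sys", "VBoxMouse.sys", "VBoxGuest.sys")
SANDBOX_USERNAMES = ("sandbox", "malware", "virus", "analyst")        # illustrative


def collect_attributes():
    """Gather the live host's attributes in the same shape as the constructed samples below."""
    node = uuid.getnode()
    mac = ":".join(f"{(node >> shift) & 0xff:02x}" for shift in range(40, -1, -8))
    driver_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32", "drivers")
    return {
        "hostname": socket.gethostname(),
        "mac": mac,
        "cpu_count": os.cpu_count() or 1,
        "username": getpass.getuser(),
        "machine": platform.machine(),
        "drivers_present": [d for d in VM_GUEST_DRIVERS
                            if os.path.exists(os.path.join(driver_dir, d))],
    }


def vm_indicators(attrs):
    """Environment check: every sandbox/VM indicator found (empty list = looks like a real host)."""
    found = []
    if attrs["cpu_count"] < 2:
        found.append("single cpu core")            # the Dyre-style core count check
    if attrs["mac"].lower().startswith(VM_MAC_PREFIXES):
        found.append("hypervisor mac oui")
    if attrs["drivers_present"]:
        found.append("vm guest drivers: " + ", ".join(attrs["drivers_present"]))
    if attrs["username"].lower() in SANDBOX_USERNAMES:
        found.append("sandbox-style username")
    return found


def fingerprint(attrs):
    """Host fingerprint: hash of attributes that stay constant between runs on the same
    machine. Volatile data such as the driver list is excluded on purpose so that an
    update or reboot on the victim does not look like a move to a new environment."""
    stable = (attrs["hostname"], attrs["mac"], str(attrs["cpu_count"]),
              attrs["username"], attrs["machine"])
    return hashlib.sha256("\x00".join(stable).encode()).hexdigest()


def same_host(stored_fp, attrs):
    """Compare the fingerprint stored at first arrival with the one computed now."""
    return hmac.compare_digest(stored_fp, fingerprint(attrs))


# Constructed sample attribute sets (not real hosts).
VICTIM = {"hostname": "DESKTOP-7G2K1", "mac": "3c:97:0e:12:34:56", "cpu_count": 4,
          "username": "alice", "machine": "AMD64", "drivers_present": []}
SANDBOX = {"hostname": "WIN7-ANALYSIS", "mac": "00:0c:29:ab:cd:ef", "cpu_count": 1,
           "username": "sandbox", "machine": "AMD64", "drivers_present": ["vmmouse.sys"]}

if __name__ == "__main__":
    live = collect_attributes()
    print("live indicators:", vm_indicators(live) or "none")
    print("live fingerprint:", fingerprint(live))
```

Two practical notes for anyone building an analysis environment: every indicator in `vm_indicators` is cheap for the sandbox operator to remove (two or more vCPUs, a non-hypervisor MAC, renamed guest drivers, a plausible user name), and the fingerprint comparison is defeated by detonating the sample on the same image where it was first collected rather than on a fresh, generic VM.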
Sleep
Technique: Using sleep calls, malware refrains from any suspicious behavior for the duration of the monitoring window.
In depth: Beyond adding extended sleep calls to the code, malware sometimes uses triggers that delay execution until a later date and time. During the monitoring period the sandbox observes nothing malicious and moves on.
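As an added example covering both the Stalling and Sleep sections (not code from the Secureworks/Lastline article), the following puts the two time-based evasions next to a model of the execution budget they rely on. It also goes one step beyond the article: since many sandboxes counter Sleep by patching it to return immediately, it shows the check a sample can use to notice that its sleep was fast-forwarded. The budget, tolerance and trigger values are assumptions.

```python
# Added example, not code from the Secureworks/Lastline article: the two
# time-based evasions above (stalling, and sleeping until a trigger) next to
# the sandbox execution budget they rely on, plus a check a sample can use to
# notice a sandbox that fast-forwards Sleep(), which goes beyond the article.
# The budget, tolerance and trigger values are assumptions.
import hashlib
import threading
import time
from datetime import datetime


def stall(iterations):
    """Stalling: burn CPU on innocuous-looking work (hashing a buffer) for a FIXED number
    of iterations. The cost is counted in instructions, not seconds, so an instrumented
    sandbox that slows every instruction pays proportionally more wall-clock time than a
    real host does. Returns (elapsed seconds, digest)."""
    buf, digest = b"settings.dat" * 64, b""
    start = time.monotonic()
    for _ in range(iterations):
        digest = hashlib.sha256(buf + digest).digest()
    return time.monotonic() - start, digest.hex()


def run_with_budget(fn, budget_seconds):
    """Model of the analysis budget: the sandbox stops watching after budget_seconds.
    Returns ("completed", result) or ("timeout", None)."""
    result = []
    worker = threading.Thread(target=lambda: result.append(fn()), daemon=True)
    worker.start()
    worker.join(budget_seconds)
    return ("completed", result[0]) if result else ("timeout", None)


def trigger_reached(now, trigger):
    """Sleep variant: stay dormant until a later date and time (any comparable values)."""
    return now >= trigger


def sleep_looks_fast_forwarded(seconds, tolerance=0.5):
    """Sandboxes often patch Sleep() to return at once. Compare the requested delay against
    two independent clocks: if either advanced far less than requested, or the two clocks
    disagree with each other, the sleep was tampered with."""
    wall0, mono0 = time.time(), time.monotonic()
    time.sleep(seconds)
    wall, mono = time.time() - wall0, time.monotonic() - mono0
    return (mono < seconds * tolerance
            or wall < seconds * tolerance
            or abs(wall - mono) > seconds * tolerance)


if __name__ == "__main__":
    print("small stall:", run_with_budget(lambda: stall(20_000), 5.0)[0])
    print("huge stall:", run_with_budget(lambda: stall(10**9), 2.0)[0])
    print("trigger reached:", trigger_reached(datetime.now(), datetime(2099, 1, 1)))
    print("sleep fast-forwarded:", sleep_looks_fast_forwarded(1.0))
```

The fast-forward check only catches a sandbox that skips the sleep without adjusting every clock the guest can see; an environment that advances the wall clock, the monotonic clock and the CPU tick counter consistently passes it, which is the level of care a good sandbox takes. Conversely, a legitimate NTP step during the sleep would trip it, so the tolerance should not be set too tight.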
Source: Secureworks and Lastline, Inc (PDF)
PS: of course we are talking about advanced malware (APTs, for example) coded specifically (also) for this purpose; implementing these features requires very high-level programming knowledge, and some of them are proof of concept.
In a real-world case, the Dyre banking trojan checks how many processor cores are active and, if it finds only one, stops. Because virtual machines are often configured with a single-core processor, this is a very effective evasion technique (and the simple counter-measure is to give analysis VMs two or more cores).
The trojan, delivered by the Upatre downloader, operates by injecting a malicious DLL and changing OS registry keys.
Often, new variants of this advanced malware are FUD (fully undetectable) and are not caught by signature-based AV because the code changes continuously.