Sandbox Evasion Techniques

  • Thread starter Deleted member 178


Deleted member 178

Thread author
Interesting articles about sandbox evasions:

This post is the first part in a series on sandbox evasion techniques used by malware today. After this primer, in subsequent posts we’ll drill down deeper into the details for each of the three main categories of evasion techniques.

The use of malware analysis sandboxes as the silver bullet against advanced, persistent threats became popular over a decade ago. Back then, malware authors had already found ways to evade tools based on static analysis (such as traditional antivirus software products) using techniques such as polymorphism, metamorphism, encryption, obfuscation and anti-reversing protection. As a result, malware analysis sandboxes are now considered the last line of defense against advanced threats.

The operating principle of a sandbox is simple – determine if a file is malicious or not based on its observed behavior in a controlled environment. The sandbox allows the malware to perform all of its malicious operations and records the resulting behavior. After some time, the analysis is stopped and the result is examined and scanned for typical malicious behavior patterns. Since detection is not based on signatures, sandboxes can even detect zero-day and targeted malware (which typically have never been seen before by security researchers or analyzed in an antivirus lab).

Obviously, behavior-based malware detection only works if the observed file actually performs malicious operations during its analysis. If – for whatever reason – no harmful operations are executed during the analysis, the sandbox concludes that the file under examination is benign. Malware authors are always looking for new, innovative ways to evade sandbox detection by concealing the real behavior of malware. We’ve grouped these approaches into three categories:

  1. Sandbox Detection: Detecting the presence of a sandbox (and only showing benign behavior patterns on detection)
  2. Exploiting Sandbox Gaps: Exploiting weaknesses or gaps in sandbox technology or in the ecosystem
  3. Context-Aware Malware: Using time/event/environment-based triggers (that are not activated during sandbox analysis)

Sandbox Evasion Techniques - Part 1
Sandbox Evasion Techniques - Part 2
Sandbox Evasion Techniques – Part 3
Sandbox Evasion Techniques - Part 4 (Environment-Sensitive Malware)
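As an added illustration (not part of the quoted article or of any post in this thread), the defender's corollary of the primer's point: a behavior report that shows no harmful operations but several environment probes and timing stalls should be escalated rather than closed as benign. The event format, API lists and sleep threshold below are constructed assumptions, not the output or logic of any particular sandbox product.

```python
"""Score a sandbox behavior report for the evasion categories named in the primer."""
from collections import Counter

# Constructed behavior-report events: (api_name, {arguments}). Illustrative only.
SAMPLE_REPORT = [
    ("GetSystemInfo", {}),
    ("RegQueryValueExW", {"key": r"HKLM\HARDWARE\DESCRIPTION\System", "value": "SystemBiosVersion"}),
    ("GetCursorPos", {"calls": 120, "moved": False}),   # polling for user activity that never comes
    ("NtDelayExecution", {"ms": 900_000}),              # 15-minute stall
    ("GetLocalTime", {"branch_on_result": True}),       # date-based trigger
    ("CreateFileW", {"path": r"C:\Users\Public\readme.txt", "access": "read"}),
]

# Assumption: a sleep longer than a typical analysis window is a timing trigger.
LONG_SLEEP_MS = 5 * 60 * 1000

# Category 1 (Sandbox Detection): hardware/VM fingerprinting and user-activity probes.
DETECTION_APIS = {"RegQueryValueExW", "GetSystemInfo", "GetCursorPos", "GetAdaptersInfo"}
# Category 3 (Context-Aware): time/event-based triggers. Category 2 (sandbox gaps)
# is not observable from a single run's API log, so it is not scored here.
TRIGGER_APIS = {"NtDelayExecution", "GetLocalTime", "GetSystemTime"}
# Operations the primer calls "harmful"; deliberately short, constructed list.
HARMFUL_APIS = {"WriteProcessMemory", "CreateRemoteThread", "RegSetValueExW", "InternetOpenUrlW"}


def classify(events):
    """Count events per evasion category plus genuinely harmful operations."""
    counts = Counter()
    for api, args in events:
        if api in DETECTION_APIS:
            counts["sandbox_detection"] += 1
        elif api in TRIGGER_APIS:
            stalled = api == "NtDelayExecution" and args.get("ms", 0) >= LONG_SLEEP_MS
            if stalled or args.get("branch_on_result"):
                counts["context_aware"] += 1
        elif api in HARMFUL_APIS:
            counts["harmful"] += 1
    return counts


def verdict(events):
    """Refuse to call a sample benign just because nothing harmful was observed."""
    c = classify(events)
    if c["harmful"]:
        return "malicious"
    if c["sandbox_detection"] + c["context_aware"] >= 2:
        return "suspicious-evasive"   # probed its environment and stalled: re-run, don't clear
    return "no-malicious-behaviour-observed"
```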

HarborFront

Generic sandboxes running identical standard target environments are no longer sufficient. Further, the analysis environment needs to be able to detect environment queries and identify hidden code branches

Sandbox Evasion Techniques - Part 4 (Environment-Sensitive Malware)

So, is the author trying to tell us that SBIE, Shade, SD, Comodo's SB, Avast SB etc are not so useful? If yes, then which SB should we be using?

shmu26


HarborFront

Well, those softwares will still protect our systems from getting infected. The article is not about malware escaping the sandbox, rather it is about malware pretending that it is innocent when it is tested in a sandbox.
Actually I'm not referring to just Part 4 but the entire 4 parts of the article. It's just that I'm quoting his conclusion in the last part.

From what I have read it seems that consumer-grade sandboxes will be useless against those mentioned methods adopted by malware writers.

509322

Thread author
Just because a security soft cannot prevent or protect against every malicious action, known and unknown, doesn't mean you should dump it.

Every single virtualization soft can be bypassed. So what? This is nothing new. So can every security soft, in one way or another. Probabilities are usually on your side - that you will never come across a dangerous bypass in your entire computing life.

If the requirement is that --- my security softs must protect my system against everything and be effective 100 % forever --- then you have a great option:

A. Logoff your PC right now
B. Gather every single digital device in your home and throw all of them into the trash bin
C. Never use another digital device for the remainder of your life

ALL_SYSTEMS_PROTECTED :D

* * * * *

A user is much more likely to dump a security soft because it causes them some kind of pain-in-the-ass problem(s) instead of failing to protect the system.
