Deleted member 178
Thread author
Interesting articles about sandbox evasions:
Sandbox Evasion Techniques - Part 1
Sandbox Evasion Techniques - Part 2
Sandbox Evasion Techniques - Part 3
Sandbox Evasion Techniques - Part 4 (Environment-Sensitive Malware)
This post is the first part in a series on sandbox evasion techniques used by malware today. After this primer, in subsequent posts we’ll drill down deeper into the details for each of the three main categories of evasion techniques.
The use of malware analysis sandboxes as the silver bullet against advanced, persistent threats became popular over a decade ago. Back then, malware authors had already found ways to evade tools based on static analysis (such as traditional antivirus software products) using techniques such as polymorphism, metamorphism, encryption, obfuscation and anti-reversing protection. As a result, malware analysis sandboxes are now considered the last line of defense against advanced threats.
The operating principle of a sandbox is simple – determine if a file is malicious or not based on its observed behavior in a controlled environment. The sandbox allows the malware to perform all of its malicious operations and records the resulting behavior. After some time, the analysis is stopped and the result is examined and scanned for typical malicious behavior patterns. Since detection is not based on signatures, sandboxes can even detect zero-day and targeted malware (which typically have never been seen before by security researchers or analyzed in an antivirus lab).
Obviously, behavior-based malware detection only works if the observed file actually performs malicious operations during its analysis. If – for whatever reason – no harmful operations are executed during the analysis, the sandbox concludes that the file under examination is benign. Malware authors are always looking for new, innovative ways to evade sandbox detection by concealing the real behavior of malware. We’ve grouped these approaches into three categories:
- Sandbox Detection: Detecting the presence of a sandbox (and only showing benign behavior patterns on detection)
- Exploiting Sandbox Gaps: Exploiting weaknesses or gaps in sandbox technology or in the ecosystem
- Context-Aware Malware: Using time/event/environment-based triggers (that are not activated during sandbox analysis)
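The quoted primer describes the sandbox operating principle (classify a file by the behaviour recorded in a controlled run, not by signatures) and the gap that all three evasion categories exploit: a run that shows no harmful operations is scored as benign. The following is an added toy example, not code from the linked article series or from any sandbox product. It scores a recorded trace against a handful of behaviour rules and adds one defender caveat the primer implies but does not spell out: a trace with almost no activity is reported as inconclusive rather than benign. The event format, the rules, the scores and thresholds, and the three sample traces are all constructed for illustration.

```python
"""Behaviour-based verdict over a recorded sandbox trace (added example).

Toy version of the sandbox principle described in the primer: decide whether a
sample is malicious from the behaviour recorded during its run.  Event names,
rules, scores and thresholds below are constructed assumptions, not the rule
set of any real sandbox.
"""
from dataclasses import dataclass, field


@dataclass
class Event:
    api: str                              # recorded operation name (constructed)
    args: dict = field(default_factory=dict)


# Constructed behaviour rules: (name, score, predicate over one event).
RULES = [
    ("persistence_run_key", 40,
     lambda e: e.api == "RegSetValueEx"
     and "\\CurrentVersion\\Run" in e.args.get("key", "")),
    ("drops_executable", 30,
     lambda e: e.api == "CreateFile"
     and e.args.get("path", "").lower().endswith(".exe")),
    ("network_beacon", 30,
     lambda e: e.api == "InternetOpenUrl"),
    ("process_injection", 50,
     lambda e: e.api == "WriteProcessMemory" and e.args.get("remote", False)),
]

MALICIOUS_THRESHOLD = 60   # constructed: total score at which we call it malicious
MIN_EVENTS = 5             # constructed: fewer recorded events than this is inconclusive


def score_trace(events):
    """Return (total_score, names of rules that matched) for a trace."""
    matched, total = [], 0
    for name, score, pred in RULES:
        if any(pred(e) for e in events):
            matched.append(name)
            total += score
    return total, matched


def verdict(events):
    """Classify a trace as 'malicious', 'benign' or 'inconclusive'.

    'inconclusive' is the added defender caveat: a sample that barely does
    anything during the run has not been shown benign, it may just have
    stalled or waited for a trigger the sandbox never supplied.
    """
    total, matched = score_trace(events)
    if total >= MALICIOUS_THRESHOLD:
        return "malicious", matched
    if len(events) < MIN_EVENTS:
        return "inconclusive", matched
    return "benign", matched


# Constructed sample traces, not real sandbox output.
ACTIVE_TRACE = [
    Event("CreateFile", {"path": "C:\\Users\\Public\\update.exe"}),
    Event("WriteFile", {"path": "C:\\Users\\Public\\update.exe"}),
    Event("RegSetValueEx",
          {"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
           "value": "update"}),
    Event("InternetOpenUrl", {"url": "http://example.invalid/check"}),
    Event("CreateProcess", {"image": "C:\\Users\\Public\\update.exe"}),
]

BENIGN_TRACE = [
    Event("GetSystemTime"),
    Event("CreateFile", {"path": "C:\\Users\\Public\\report.txt"}),
    Event("WriteFile", {"path": "C:\\Users\\Public\\report.txt"}),
    Event("ReadFile", {"path": "C:\\Users\\Public\\report.txt"}),
    Event("CloseHandle"),
    Event("ExitProcess"),
]

# A sample that waited out the analysis window and did nothing else.
STALLED_TRACE = [
    Event("GetTickCount"),
    Event("Sleep", {"ms": 600000}),
]


if __name__ == "__main__":
    for label, trace in (("active", ACTIVE_TRACE),
                         ("benign", BENIGN_TRACE),
                         ("stalled", STALLED_TRACE)):
        print(label, verdict(trace))
```

The point of the third trace is the one the primer makes: behaviour-based scoring can only judge what it sees, so a run with nothing to score should be surfaced to an analyst as inconclusive, not silently filed as clean.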