Security Sandboxes Challenged by Evolving Malware

Status
Not open for further replies.

Kumaran (Level 4, Thread author, Verified, Well-known) - Dec 15, 2013
Malware is working hard to undermine and punish those who employ security sandboxes. Meanwhile, security innovators are working hard to stay one step ahead.

Security sandboxes are a crucial tool in the battle against the constantly evolving efforts of malware writers. Suspicious files can be placed in a digital sandbox, in which security can watch, look, and listen to determine what the code does, whom it communicates with, and if it plays nice as expected. This helps determine if a file is benign or malicious. The sandbox itself is a façade, designed to look and feel like a vulnerable system, yet in reality it is an isolated laboratory that is reinforced to allow malicious files to execute but not cause any real damage. It is all under the control and watchful eye of the security tool set. After analysis is complete, the entire digital sandbox is deleted, with any potentially harmful activities and changes disappearing with it.

 
Usually the virtualization-based sandbox does Windows API calls and system calls in user mode. System call functions capture the interactions between a malware and the operating system (for example, when files are read, registry keys are written, and network traffic is produced). But the sandbox, in this case, cannot protect everything that happens between system calls.
Some malware acts exactly at this point.
 
One really needs to filter "sandboxing" articles from Cisco and McAfee. They are really good at putting out frequent press releases about supposedly horrible malware (like Romerik, which I did a video on in early May) and leaving the impression that all Corporate security solutions are nothing but simple sandboxes and are thus susceptible to being tricked.

A much more proper term for current Corporate solutions would be Dynamic Analysis and Virtual Execution devices, and there is a great deal of variation among them. Without going into it too deeply, consider a common technique that is seen in Scriptor-based malware to evade detection: malware (a Scriptor, of course) can be constructed that will only activate the payload after a certain number of mouse clicks (left or right, depending on the malware) are performed (a hundred, a thousand); this is done by the scriptor invoking the GetAsyncKeyState function in a loop. Cisco's appliance (based on ValidEdge) and McAfee's (based on SourceFire) won't detect this malicious call and will assume the file being run is benign, letting it loose. Other solutions are aware of such Scriptor techniques and will immediately shut the badboy down.

In short, before malware can determine that it is being run virtually it has to "look around" to note its environment. There are some solutions that will murder it as soon as it opens its eyes, and some that can't.
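The post above describes a sample that spins on GetAsyncKeyState waiting for a click count before it does anything, and says the better appliances recognise that pattern instead of timing out and calling the file benign. The block below is an added example (not from this thread, and not any vendor's product logic) of what such a check can look like from the analysis side: it parses a constructed API call trace of the kind a dynamic-analysis device records and flags a trace whose longest run of consecutive input-state polls exceeds a threshold. The API names are real Win32 functions; the trace format, the sample traces and the thresholds are assumptions made for the example.

```python
"""
Input-gating heuristic over a Windows API call trace (added example, not
any appliance's actual detection logic).

Trace line format is an assumption for this example:
    <tick_ms> <pid> <api>(<args>) -> <ret>
"""
from dataclasses import dataclass

# Win32 APIs a sample polls to learn whether a human is at the keyboard/mouse.
POLLING_APIS = {"GetAsyncKeyState", "GetCursorPos", "GetLastInputInfo"}


@dataclass
class Verdict:
    evasive: bool
    reason: str
    longest_poll_run: int
    total_calls: int


def parse_trace(lines):
    """Return a list of (tick_ms, api_name) tuples from raw trace lines."""
    calls = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        tick, _pid, rest = line.split(None, 2)
        api = rest.split("(", 1)[0]          # strip "(args) -> ret"
        calls.append((int(tick), api))
    return calls


def longest_poll_run(calls):
    """Length of the longest stretch of back-to-back input-state polls.
    A tight GetAsyncKeyState loop shows up as one very long run; a normal
    program interleaves polls with file, registry or network activity."""
    best = run = 0
    for _tick, api in calls:
        run = run + 1 if api in POLLING_APIS else 0
        best = max(best, run)
    return best


def assess(calls, min_run=100):
    """Flag the trace as user-interaction gated if the sample polled input
    state at least `min_run` times in a row without doing anything else."""
    if not calls:
        return Verdict(False, "empty trace", 0, 0)
    run = longest_poll_run(calls)
    if run >= min_run:
        return Verdict(True, f"{run} consecutive input-state polls: "
                             "payload is gated on user activity", run, len(calls))
    return Verdict(False, "no input-gating loop observed", run, len(calls))


def _lines(api_seq, start=0, step=5):
    """Build constructed trace lines with a fixed pid and evenly spaced ticks."""
    return [f"{start + i * step} 1234 {api}() -> 0" for i, api in enumerate(api_seq)]


# Constructed sample: two setup calls, then the sample does nothing but poll
# GetAsyncKeyState until the analysis window ends.
CONSTRUCTED_EVASIVE_TRACE = _lines(["LoadLibraryW", "GetModuleHandleW"]
                                   + ["GetAsyncKeyState"] * 500)

# Constructed sample: ordinary file I/O with the occasional input poll, as an
# interactive but harmless program would produce.
CONSTRUCTED_BENIGN_TRACE = _lines(["CreateFileW", "ReadFile", "GetAsyncKeyState",
                                   "WriteFile", "CloseHandle"] * 20)


if __name__ == "__main__":
    for name, trace in (("evasive", CONSTRUCTED_EVASIVE_TRACE),
                        ("benign", CONSTRUCTED_BENIGN_TRACE)):
        v = assess(parse_trace(trace))
        print(f"{name}: evasive={v.evasive} ({v.reason})")
```

Counting the longest consecutive run, rather than the total number of polls, is what separates a gating loop from a legitimately interactive program: a game or remote-desktop client also calls GetAsyncKeyState often, but interleaved with real work. In an analysis pipeline a positive verdict is best treated as a trigger to extend the run and feed the sample simulated input, so the payload is observed rather than guessed at, instead of an automatic malicious label.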
 
Usually malware's ability to detect that it is under virtualization just leads it to terminate itself, which should not be the problem; a rare case, if it happens, is that it will force a break from the sandbox, as the logic treats those components the same as in the real system.
 
NSA deputy director Richard Ledgett said the cyber threat to companies is now second only to terrorism as his main concern. Destructive attacks using wiper-style viruses, like the attack against Saudi Aramco which took down over 35,000 of their computers. Major corporations must (now) have so much to deal with, and especially those providing the protection; if they fail, then both the corporation and those providing the protection could, and do, lose millions. So, I'd imagine any one of the technologies used faces major challenges; that's why a layered approach is provided.
 