Heard a lot about sandbox evasion (VM), so I wonder what the way out for this is, though all sandbox vendors claimed to have anti-sandbox-evasion techniques.
Haha well these anti-sandbox-evasion techniques may patch up known methods, but there will be a work-around to bypass the patch and use the same method (the same way that API hooks can be bypassed), or a new identifier will be found and abused for anti-sandbox uses.
Agreed... the "only" problem is when you get a BIOS or firmware rootkit, or even an MBR, VBR or VMM one; then a format or a Windows reinstall won't help. All very difficult to detect and to get rid of. Many people/testers don't know about this risk.
The good news is that they are not common and probably improbable to land on a "normal" tester's PC.
I agree, and I also agree that they are not common at all; in fact they are even less than not common. The chance of you running into something like a firmware rootkit is probably less than 1% out of millions of samples IMO.
MBR attacks are not common but still used by some malware like Petya these days; however, it used to be quite common due to bootkits. Even on a dedicated testing machine you can fix this relatively easily if you have experience with a boot disc/roll-back that supports the MBR.
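Since the two posts above both raise MBR bootkits and how hard they are to spot, here is an added example (not code from the thread or from any poster) of the kind of baseline-and-compare check a tester can keep for a dedicated analysis box: hash the 446-byte boot code region of the MBR while the machine is known-good, then re-read sector 0 after a session and compare. The layout constants are the classic MBR layout (boot code, four 16-byte partition entries, 0x55AA signature); the sample MBR images are constructed inline so the script runs offline. To check a real disk you would read its first 512 bytes yourself (on Windows that means opening the physical drive with administrator rights) and pass them to `analyze_mbr()`; that part is assumed, not shown.

```python
"""Baseline-and-compare integrity check for a classic MBR (added example)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot loader stub
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
SIGNATURE = b"\x55\xAA"      # bytes 510..511


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot code region; this is the part a bootkit has to change."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition entries (status, CHS skipped, type, LBA start, size)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def analyze_mbr(mbr: bytes, baseline_hash: str) -> dict:
    """Compare sector 0 against a recorded baseline and sanity-check the partition table."""
    findings = []
    if len(mbr) != SECTOR_SIZE:
        findings.append(f"unexpected MBR size {len(mbr)}, expected {SECTOR_SIZE}")
        return {"findings": findings, "partitions": []}
    if mbr[510:512] != SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    current = boot_code_hash(mbr)
    if current != baseline_hash:
        findings.append(f"boot code differs from baseline ({current[:16]}... vs {baseline_hash[:16]}...)")
    parts = parse_partitions(mbr)
    active = [p for p in parts if p["status"] == 0x80]
    if len(active) > 1:
        findings.append(f"{len(active)} partitions flagged active, expected at most one")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']} has invalid status byte 0x{p['status']:02x}")
    # Overlapping partitions are a common sign of a hand-edited table.
    used = sorted((p for p in parts if p["type"] != 0 and p["sectors"]), key=lambda p: p["lba_start"])
    for a, b in zip(used, used[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    return {"findings": findings, "partitions": parts, "boot_code_sha256": current}


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: one active NTFS-type (0x07) partition starting at LBA 2048."""
    boot = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    return boot + table + SIGNATURE


# Constructed known-good image and the baseline you would record at setup time.
CLEAN_MBR = make_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + bytes(range(256)))
BASELINE = boot_code_hash(CLEAN_MBR)
# Constructed tampered image: same table, first two boot-code bytes replaced by a short jump.
TAMPERED_MBR = make_sample_mbr(b"\xeb\x3e" + CLEAN_MBR[2:BOOT_CODE_LEN])

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, "->", analyze_mbr(img, BASELINE)["findings"] or ["no findings"])
```

The baseline should be stored off the test box (a USB stick or a notes file on another machine), since anything that can rewrite sector 0 can also rewrite a hash file sitting on the same disk. The same approach extends to the VBR of each partition by hashing the first sector at each entry's `lba_start`.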
However, as for threats like firmware rootkits, you will do both static and dynamic analysis, so you'll most likely identify this through studying the code... the problem is you might not understand what is going on if you're not experienced enough, like in the Zero Days film where they struggled a lot to reverse Stuxnet due to how clean and well-done it was.
Formatting and then reinstalling Windows is always the best idea in terms of normal infections; however, if you feel you might have a firmware rootkit then you'll need to flash the BIOS. Like I said though, the chances are so small... I've never met anyone who has had a firmware infection, actually.
Oh, another thing I'm curious about is the possibility of malware in a sandbox escaping out to the hypervisor to infect the vendor appliance or, even worse, entering the customer network.
Once again, I highly doubt you'll find a sample which can do this either... But for what it's worth, I can tell you that it is definitely possible to bypass the hypervisor leading to escape, the same way it is possible to bypass PatchGuard on Windows one way or another or exploit AV software...
An exploit is abusing a vulnerability and everything has vulnerabilities somewhere down the line, and whether they have been discovered yet or not is another story.
So it is possible, just extremely unlikely it'll ever happen, especially to you whilst doing malware analysis.
Is there any instance where the malware did a C&C callback to the hacker's server and, when it returns, tries to escape out or "hop" over to the other port?
Unrelated to the question, but it is possible for malware to leak the user's real IP address regardless of software-based VPN; it turns out that some Windows processes do not follow the route table for the VPN software. But once again, extremely unlikely... I don't think I've ever seen a sample do this before, either.