Benchmark Six Sigma Forum

Popular Content

Showing content with the highest reputation on 07/08/2022 in Posts

  1. 1 point
    Sandboxing is a part of automated technology for malware detection that’s widely used by several antivirus programs and other security applications. We place a potentially dangerous program into a controlled virtual environment where it cannot cause any harm; security software can then analyse the behaviour of the malware and develop security measures against it. Sandbox-evading malware is a new type of malware that can detect if it’s inside a sandbox or virtual environment. Such malware doesn’t execute its malicious code until it’s outside of the controlled environment. The first malware that surpassed the sandbox protection was detected in the year 1980.

    Real-world examples of sandbox-evading malware:

    Locky ransomware, which was released in 2016, is a good example of a sandbox-evading virus. It was spread through JavaScript code that was infected with encrypted DLL files. In mid-2018, a new version of malware called the RogueRobin trojan was detected in the Middle East. This government-organisation-based malware was spread via email in an attached RAR archive. In 2019, hackers used the HAWKBALL backdoor to attack the government sector in Central Asia. This malware exploited vulnerabilities in Microsoft Office to deliver payloads and collect system information. In March 2019, a new sample of macOS malware using improved sandbox-evading techniques was detected. As opposed to its ancestors, OSX_OCEANLOTUS.D had a Mach-O signature with a UPX string that allowed it to go unnoticed during static analysis in a virtual environment.

    Protection from sandbox-evading malware:
    1. Dynamically change sleep duration
    2. Simulate human interactions
    3. Add real environmental and hardware artifacts
    4. Perform static in addition to dynamic analysis
    5. Use fingerprint analysis
    6. Use behavior-based analysis
    7. Customize your sandboxing
    8. Add kernel analysis
    9. Implement machine learning
    10. Consider content disarm and reconstruction (CDR) as an extra security layer
  2. 1 point
    Sandbox is one of the testing environments. Each environment has a particular purpose. It is critical that the tester knows all the aspects of the environments, which could lead to a better testing and QA strategy in the organization.

    Types of environments:
    - DEV (Development)
    - QA (Testing)
    - SANDBOX (Isolated Virtual Environment)
    - STAGING (Pre-production)
    - PROD (Live)
    - DR (Disaster Recovery)

    Sandbox-evading malware is a known type of malware (malicious software). This malware can identify if it is within a virtual machine environment or not. A sandbox is a highly controlled environment that can be used to test unverified programs that may contain malicious code with no loss to the host device. However, these sandbox-evading malwares don’t perform their malicious code until they are out of the controlled environment. There are several recent instances in the industry where AI algorithms are used in these malwares for evading virtual environments. Malware writers (aka cyber criminals) are users of sandbox environments themselves, and the fact is that there are more than 500 evasion techniques to avoid detection and analysis.

    There are many; to list a few, common evasion techniques include:
    - Human-like behavior (interaction detection, like scrolling and mouse clicks)
    - System interaction detection (shut down by payload, self-debugging)
    - File systems (specific files, directories, strings)
    - Hooks (mouse hooks)
    - Generic OS queries (specific username, computer name, host name)
    - Global OS objects (specific global mutexes, virtual devices, pipes and objects)
    - Windows Management Interface (WMI) (Win32_Process class, task scheduler, last boot time, last reset time)
    - Timing-based evasion – delayed execution (stalling, dropper, logic bomb, extended sleep)
    - Obfuscating internal data (encrypting API calls, Domain Generation Algorithm (DGA))
    - Firmware tables (specific strings – SMBIOS table)
    - UI artifacts (class names)
    - Registry (registry paths, keys)
    - OS features (debug privileges, unbalanced stack)
    - Processes (specific running processes, loaded libraries)
    - Network (specific MAC address, adapter name, anti-emulation)

    To address evasion/dodging, organizations need to deploy strong systems (typically SaaS) that can bypass anti-sandbox strategies for evading detection and that can evaluate and continuously monitor the trend of threats, which should potentially include vulnerabilities, exploits, active attacks, viruses and further malware such as spam, phishing, and malicious web content. Further factors that need to be leveraged while monitoring should include categories such as:
    - Behaviors exhibited
    - Data reputation (whether hosted on a suspicious IP/URL)
    - Digital certificate (correctly signed?)
    - Total Virus (known sample?)
    - Industry reputation (popular application?)

    Alongside these, deploying detection mechanisms such as those listed below can effectively control and counter evasion.
    - Changing sleep duration dynamically
    - Human interaction simulation
    - Adding real environment and hardware artefacts
    - Apart from dynamic analysis, perform static analysis as well
    - Using fingerprint analysis
    - Using behavior-based analysis
    - Customizing the sandbox
    - Adding kernel analysis
    - Implementing ML
    - Considering content disarm and reconstruction (CDR) – extra security layer

    These measures, when combined and deployed, can result in effective security solutions for countering malware evasion.
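Both posts above close with the same ten countermeasures, and the second one also lists the fingerprinting categories a sandbox has to cope with (generic OS queries, WMI, firmware tables, mouse hooks, registry, network adapters, timing-based stalling). The Python below is an added example written for this page, not code from either poster or from the forum, showing two of those controls from the sandbox side: a virtual clock that fast-forwards long Sleep() calls so a stalling sample cannot outlast the analysis window ("changing sleep duration dynamically"), and a small rule set that replays an API-call trace and scores it per fingerprinting category ("behavior-based analysis"). The trace line format, the API names as logged, the thresholds, and the sample trace are all constructed assumptions rather than the output or rules of any real sandbox product.

```python
"""Sandbox-side handling of two evasion categories from the posts above:
timing-based stalling (fast-forwarded on a virtual clock) and environment
fingerprinting (scored from an API-call trace). Trace format, rule patterns,
thresholds and sample data are constructed for this example."""
import re
from collections import Counter

# Assumed policy: real time (ms) the sandbox actually lets one Sleep() burn
# before the remainder is skipped on the virtual clock.
REAL_SLEEP_CAP_MS = 100
# Assumed policy: a single requested sleep at least this long counts as stalling.
SLEEP_THRESHOLD_MS = 60_000
# Assumed policy: distinct fingerprinting categories needed to flag a sample.
MIN_CATEGORIES = 3


class VirtualClock:
    """Keeps the clock the sample sees separate from the time the sandbox spends.

    The sample asks for a long Sleep(); the sandbox waits only a capped real
    interval but advances the guest-visible tick count by the full request,
    so a later GetTickCount() check still sees the expected delay elapse."""

    def __init__(self):
        self.virtual_ms = 0   # what the sample observes
        self.real_ms = 0      # what the sandbox really spent
        self.skipped_ms = 0

    def sleep(self, requested_ms):
        real = min(requested_ms, REAL_SLEEP_CAP_MS)
        self.real_ms += real
        self.virtual_ms += requested_ms
        self.skipped_ms += requested_ms - real

    def tick_count(self):
        return self.virtual_ms


# Regexes over "Api(args)" trace lines. Categories follow the second post's
# technique list; the exact API names matched are illustrative.
SLEEP_RULE = re.compile(r"^(?:Sleep|NtDelayExecution)\((\d+)\)")
FINGERPRINT_RULES = {
    "os_queries": re.compile(r"^(?:GetUserName|GetComputerName|GetHostName)\w*\("),
    "wmi": re.compile(r"Win32_(?:Process|ComputerSystem|BIOS)"),
    "firmware_tables": re.compile(r"^GetSystemFirmwareTable\("),
    "hooks": re.compile(r"^SetWindowsHookEx\w*\(WH_MOUSE"),
    "network": re.compile(r"^GetAdaptersAddresses\("),
    "registry": re.compile(r"^RegOpenKeyEx\w*\(HKLM\\HARDWARE\\"),
    "processes": re.compile(r"^(?:CreateToolhelp32Snapshot|Process32Next)\w*\("),
}

# Constructed trace, in the form an instrumented sandbox might log it.
SAMPLE_TRACE = [
    "GetTickCount()",
    "Sleep(300000)",                                   # five-minute stall
    "GetTickCount()",
    "GetUserNameW(buf)",
    "GetComputerNameW(buf)",
    "GetSystemFirmwareTable(RSMB)",                    # SMBIOS table
    "ExecQuery(SELECT * FROM Win32_Process)",
    "GetAdaptersAddresses(AF_UNSPEC)",                 # MAC / adapter names
    "SetWindowsHookExW(WH_MOUSE_LL)",
    "RegOpenKeyExW(HKLM\\HARDWARE\\DESCRIPTION\\System)",
    "CreateFileW(C:\\Users\\Public\\report.docx)",     # ordinary activity
]


def analyse(trace, clock=None):
    """Replay a trace: fast-forward sleeps and count fingerprinting hits per category."""
    clock = clock if clock is not None else VirtualClock()
    hits = Counter()
    for line in trace:
        m = SLEEP_RULE.match(line)
        if m:
            requested = int(m.group(1))
            clock.sleep(requested)
            if requested >= SLEEP_THRESHOLD_MS:
                hits["timing"] += 1
            continue
        for category, rule in FINGERPRINT_RULES.items():
            if rule.search(line):
                hits[category] += 1
    return hits, clock


def verdict(hits):
    """Flag the sample once enough independent evasion categories are present."""
    categories = sum(1 for count in hits.values() if count > 0)
    return "evasive" if categories >= MIN_CATEGORIES else "below threshold"


if __name__ == "__main__":
    hits, clock = analyse(SAMPLE_TRACE)
    print(verdict(hits), dict(hits))
    print(f"guest saw {clock.tick_count()} ms elapse; sandbox spent {clock.real_ms} ms "
          f"({clock.skipped_ms} ms skipped)")
```

The verdict deliberately requires several independent categories rather than any single hit: a legitimate installer also reads the computer name or enumerates adapters, so one category alone is weak evidence, while a stall followed by four different environment probes is the pattern the posts describe. The virtual clock is what makes the stall harmless to analyse: the sample's own GetTickCount() comparison still sees five minutes pass while the sandbox spent a tenth of a second.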
This leaderboard is set to Kolkata/GMT+05:30