Message added by Mayank Gupta,

A sandbox is a testing environment that enables software developers to isolate and test (or run) new pieces of a program without affecting the overall application. It helps in independent evaluation, monitoring and/or testing. New feature development, patch testing, vulnerability detection, bug fixing and code improvements are a few of the many uses of a sandbox.

 

An application-oriented question on the topic along with responses can be seen below. The best answer was provided by Mohamed Asif and Sohan Subhash Mirajkar.

 

Applause for all the respondents - Mohamed Asif, Rahul Arora, Rohit Chaudhary, Sohan Subhash Mirajkar.

Featured Replies

Q 484. While the sandbox is a commonly used testing approach in the technology domain, sandbox-evading malware makes this approach vulnerable. What are some of the ways in which sandbox-evading malware functions, and how can this be addressed?

 

Note for website visitors - Two questions are asked every week on this platform. One on Tuesday and the other on Friday.

Solved by Sohan Subhash Mirajkar

A sandbox is one of the testing environments.

Each environment has a particular purpose. It is critical that the tester knows all aspects of the environments, which could lead to a better testing and QA strategy in the organization.

 

Types of environments:

  • DEV (Development)
  • QA (Testing)
  • SANDBOX (Isolated Virtual Environment)
  • STAGING (Pre-production)
  • PROD (Live)
  • DR (Disaster Recovery)

 

Sandbox-evading malware is a known type of malware (malicious software).

This malware can identify whether it is within a virtual machine environment or not.

 

A sandbox is a highly controlled environment that can be used to test unverified programs that may contain malicious code, with no loss to the host device. However, sandbox-evading malware doesn’t perform its malicious code until it is out of the controlled environment.

 

There are several recent instances in the industry where AI algorithms are used in this malware for evading virtual environments.

 

Malware writers (aka cyber criminals) are users of sandbox environments themselves, and in fact there are more than 500 evasion techniques to avoid detection and analysis.

 

There are many; to list a few, common evasion techniques include:

  • Human-like behavior (Interaction detection – Like scrolling, mouse clicks)
  • System interaction detection (Shut down by payload, self-debugging)
  • File systems (Specific files, directories, strings)
  • Hooks (mouse hooks)
  • Generic OS Queries (Specific username, computer name, host name)
  • Global OS objects (Specific global mutexes, virtual device, pipes and objects)
  • Windows Management Interface (WMI) (Win32_Process Class, Task scheduler, Last boot time, last reset time)
  • Timing-based evasion – delayed execution (stalling, dropper, logic bomb, extended sleep)
  • Obfuscating internal data (encrypting API Calls, Domain Generation Algo (DGA))
  • Firmware tables (Specific strings – SMBIOS table)
  • UI Artifacts (class names)
  • Registry (registry paths, keys)
  • OS features (debug privileges, unbalanced stack)
  • Processes (Specific running processes, loaded libraries)
  • Network (Specific MAC address, adapter name, anti-emulation)


To address evasion/dodging, organizations need to deploy strong systems (typically SaaS) that can counter anti-sandbox strategies used for evading detection, and that can evaluate and continuously monitor the trend of threats, which should include vulnerabilities, exploits, active attacks, viruses and further malware such as spam, phishing and malicious web content.

 

Further factors that need to be leveraged while monitoring should include categories such as:

  • Behaviors exhibited
  • Data reputation (whether hosted on a suspicious IP/URL)
  • Digital certificate (correctly signed?)
  • Total Virus (known sample?)
  • Industry reputation (popular application?)

 

Alongside this, deploying detection mechanisms such as those listed below can effectively control and counter evasion.

  • Changing sleep duration dynamically
  • Human interaction simulation
  • Adding real environment and hardware artefacts
  • Apart from dynamic analysis, perform static analysis as well
  • Using fingerprint analysis
  • Using behavior-based analysis
  • Customizing the Sandbox
  • Adding kernel analysis
  • Implementing ML
  • Considering content disarm and reconstruction (CDR) – Extra Sec layer

 

These measures when combined and deployed can result in effective security solutioning for countering malware evasion.

A sandbox is an integral part of the setup when it comes to testing any new software or code, as it provides a secure virtual environment without the need to interrupt the mainstream process. It is basically an isolated testing environment that empowers users to test their code without affecting the application or platform on which it is being run.

 
One more area where the sandbox is widely being used is malware detection and prevention. However, nowadays there are ways devised by hackers to program their malware in such a way that it remains inactive in the sandbox, which enables the malware to bypass protections and thus execute malicious code without the chance of being detected.
 
Below are the different ways in which evasion malware functions:
 
By Detecting User Interactions
 
Here the malware is made to wait for the user to perform a specific action, e.g. scrolling a document (the malware gets executed after scrolling to a particular page or place in the document) or moving/clicking the mouse (the malware gets activated only after a certain number of mouse clicks); only afterwards will it exhibit its malicious behaviour.
 
By Detecting System Characteristics 
 
This aspect involves malware being programmed to look for real features of a system that are not available in the sandbox environment. These real features that the malware detects include CPU core count, digital system signature, availability of antivirus programs and operating system reboot scheduling.
 
Through Environmental Awareness
 
In order to detect the environment in which it is present, the malware looks for indicators specific to a virtual environment, such as hypervisor calls or specific file names and processes typically belonging to a sandbox.
 
Through Delayed Execution
 
Here the malware only gets executed after a short period of time in order to successfully evade the sandbox. This is done in three common ways: Extended Sleep; malware programmed to be executed on a specific date and time, commonly termed a Logic Bomb; and malware executing unnecessary CPU cycles in order to delay the actual code until the sandbox finishes testing, also known as Code Stalling.
 
Through Data Obfuscation
 
This technique allows malware to change DNS and IP addresses (known as Fast Flux) or to encrypt API calls (known as Data Encryption) so that the sandbox is not able to read them.
 
Now, in order to protect the sandbox from evading malware, below are the common measures that can be adopted:
 
  • By dynamically changing the sleep duration, which significantly increases the chances of malware detection.
  • By adding user-like interactions within the sandbox environment in order to better detect the malware.
  • By retrieving system information such as hard disk size, CPU core count, OS version etc. within the sandbox environment so as to have better chances of detecting the malware.
  • By incorporating static analysis along with the existing dynamic analysis within the sandbox environment, so as to improve the malware detection capability of the sandbox by detecting the evasion techniques in a more methodical manner.
  • By adding kernel analysis in order to prevent the malware from entering the kernel space, i.e. rootkits or drivers, and thereby prevent the malware from escaping the sandbox.
  • By designing malware-analysis-based machine learning algorithms in order to detect sandbox evasion malware.
 
Thus, by adopting the above measures one can make the sandbox environment safe and more robust to detect any evasion malware present.
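The first countermeasure in the answer above, dynamically changing the sleep duration, has a subtlety worth showing: if the sandbox skips a long sleep but leaves the clock untouched, a sample that re-reads the clock after sleeping (the delayed-execution technique the answer describes) sees that the delay never happened and stays dormant. The following is an added example, not code from the forum answer or from any sandbox product. `MonitoredClock` is a hypothetical stand-in for the clock and sleep services a sandbox interposes in front of a sample; it shortens the wall-clock wait but advances a virtual clock by the full requested duration so that later time reads stay consistent. `NaiveClock` shows the inconsistent variant, and `stalling_sample` is a constructed stand-in for a sample that sleeps, re-checks elapsed time and only proceeds to observable behaviour if the full delay elapsed.

```python
"""Consistent time acceleration for a sandbox (added example)."""
import time
from typing import List, Tuple


class MonitoredClock:
    """Clock presented to the sample. Sleeps at or above `skip_threshold` seconds
    cost at most `real_delay_cap` seconds of wall-clock time, and the whole
    requested duration is added to a virtual offset so that every later clock
    read is consistent with the sleep having really happened."""

    def __init__(self, skip_threshold: float = 2.0, real_delay_cap: float = 0.005):
        self.skip_threshold = skip_threshold
        self.real_delay_cap = real_delay_cap
        self._offset = 0.0          # virtual seconds added on top of the real clock
        self.skipped_total = 0.0    # analyst time saved, in virtual seconds
        self.log: List[Tuple[str, float]] = []

    def now(self) -> float:
        return time.monotonic() + self._offset

    def sleep(self, seconds: float) -> None:
        if seconds < self.skip_threshold:
            time.sleep(seconds)
            self.log.append(("sleep", seconds))
            return
        time.sleep(min(seconds, self.real_delay_cap))
        self._offset += seconds     # the guest sees the full delay
        self.skipped_total += seconds
        self.log.append(("sleep_skipped", seconds))


class NaiveClock(MonitoredClock):
    """Skips the sleep but never advances the clock. The inconsistency lets a
    sample that re-checks elapsed time stay dormant, so nothing is observed."""

    def sleep(self, seconds: float) -> None:
        time.sleep(min(seconds, self.real_delay_cap))
        self.skipped_total += seconds
        self.log.append(("sleep_skipped", seconds))


def stalling_sample(clock: MonitoredClock, stall_seconds: float) -> bool:
    """Constructed stand-in for a delayed-execution sample. Returns True when it
    reaches the point where observable behaviour would start."""
    start = clock.now()
    clock.sleep(stall_seconds)
    elapsed = clock.now() - start
    if elapsed < stall_seconds:     # the wait was cut short: stay dormant
        return False
    return True                     # observable behaviour would begin here


def analyse(clock: MonitoredClock, stall_seconds: float = 600.0) -> dict:
    """Run the stand-in sample under the given clock and report what was seen."""
    t0 = time.monotonic()
    observed = stalling_sample(clock, stall_seconds)
    return {
        "payload_observed": observed,
        "real_seconds": time.monotonic() - t0,
        "virtual_seconds_skipped": clock.skipped_total,
    }


if __name__ == "__main__":
    print("consistent clock:", analyse(MonitoredClock()))
    print("naive clock:     ", analyse(NaiveClock()))
```

In a real sandbox the same consistency rule applies to every time source the guest can reach (tick counters, file timestamps, network time), which is why the answer pairs sleep manipulation with adding realistic environment artefacts rather than treating it as a stand-alone fix.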

The sandbox method has proven to be an effective way to detect malware in a safe virtual environment. However, sandbox-evading malware such as Locky, RogueRobin, Hawkball etc. has employed techniques which can detect if it's in the target environment or not. As per one study published on apriorit.com, 98% of modern malware deploys at least one evading technique, while there are more than 500 techniques now.

 

Some of these techniques are, for example, malware requiring the run32dll.exe file to run, which is not available in the sandbox environment, hence the malware goes undetected. Another is where the RogueRobin trojan looked for details such as BIOS version, memory and CPU cores before starting to affect the system, which again aren't available in the sandbox. Another one keeps detecting whether it's connected to a debugger while collating host machine details.

Broadly, these techniques can be categorised into: user interactions, system analysis, environmental awareness, delayed execution and data obfuscation.

 

To detect these techniques, there are several techniques in use today, such as:

  1. Prolonged detection analysis
  2. Simulated human interactions
  3. Having real environmental artifacts like machine details
  4. Interacting with the malware like a host machine until it is detected
  5. Having kernel analysis to detect malware that impacts rootkits and drivers in kernel space
  6. Using machine learning to learn how malware behaves

  • Solution

Sandboxing is a part of the automated technology for malware detection that’s widely used by several antivirus programs and other security applications. We place a potentially dangerous program into a controlled virtual environment where it cannot cause any harm; security software can then analyse the behaviour of the malware and develop security measures against it.

 

Sandbox-evading malware is a new type of malware that can detect if it’s inside a sandbox or virtual environment. This malware doesn’t execute its malicious code until it’s outside of the controlled environment.

The first malware that surpassed the sandbox protection was detected in the year 1980.

 

Real world examples of sandbox evading malware

  1. Locky ransomware, which was released in 2016, is a good example of a sandbox-evading virus. It was spread through JavaScript code that was infected with encrypted DLL files.
  2. In mid-2018, a new version of malware called the RogueRobin trojan was detected in the Middle East. This government-organisation-based malware was spread via email in an attached RAR archive.
  3. In 2019, hackers used the HAWKBALL backdoor to attack the government sector in Central Asia. This malware exploited vulnerabilities in Microsoft Office to deliver payloads and collect system information.
  4. In March 2019, a new sample of macOS malware using improved sandbox-evading techniques was detected. As opposed to its ancestors, OSX_OCEANLOTUS.D had a Mach-O signature with a UPX string that allowed it to go unnoticed during static analysis in a virtual environment.

 

Protection from sandbox-evading malware:

  1. Dynamically change sleep duration
  2. Simulate human interactions
  3. Add real environmental and hardware artifacts
  4. Perform static in addition to dynamic analysis
  5. Use fingerprint analysis
  6. Use behavior-based analysis
  7. Customize your sandboxing
  8. Add kernel analysis
  9. Implement machine learning
  10. Consider content disarm and reconstruction (CDR) as an extra security layer
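The last item in the list above, content disarm and reconstruction (CDR), works differently from the other nine: instead of trying to out-wait or out-fingerprint the sample, it rebuilds the document without any active content, so a macro that is waiting for the right environment never gets delivered at all. The following is an added example, not code from the forum answer or from any CDR product, for a Word-style Office Open XML package. It drops the VBA project and embedded objects, removes the relationships that pointed at them, and rewrites the main part's content type from the macro-enabled type to the plain one. The sample document is constructed in memory and is not a real Office file; the part names, relationship types and content-type strings are the standard OOXML ones, and the `ACTIVE_CONTENT` pattern is an assumption about which parts to treat as active.

```python
"""Content disarm and reconstruction for an OOXML package (added example)."""
import io
import posixpath
import re
import xml.etree.ElementTree as ET
import zipfile
from typing import List, Tuple

NS_RELS = "http://schemas.openxmlformats.org/package/2006/relationships"
NS_CT = "http://schemas.openxmlformats.org/package/2006/content-types"

# Parts treated as active content and dropped outright (assumption: illustrative set).
ACTIVE_CONTENT = re.compile(r"(^|/)(vbaProject\.bin|vbaData\.xml|activeX/.+|embeddings/.+)$",
                            re.IGNORECASE)
# Macro-enabled main-part content type -> macro-free equivalent (Word shown here).
DISARMED_TYPES = {
    "application/vnd.ms-word.document.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
}


def _resolve_target(rels_name: str, target: str) -> str:
    """Turn a relationship Target into a package part name.
    word/_rels/document.xml.rels describes parts relative to word/."""
    if target.startswith("/"):
        return target.lstrip("/")
    source_dir = posixpath.dirname(posixpath.dirname(rels_name))
    return posixpath.normpath(posixpath.join(source_dir, target))


def _strip_rels(xml: bytes, rels_name: str, removed: List[str]) -> bytes:
    root = ET.fromstring(xml)
    for rel in list(root):
        if rel.get("TargetMode") == "External":
            continue                                   # hyperlinks are not package parts
        if _resolve_target(rels_name, rel.get("Target", "")) in removed:
            root.remove(rel)                           # dangling reference to a dropped part
    ET.register_namespace("", NS_RELS)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def _strip_content_types(xml: bytes, removed: List[str]) -> bytes:
    root = ET.fromstring(xml)
    for el in list(root):
        if el.tag != f"{{{NS_CT}}}Override":
            continue
        if el.get("PartName", "").lstrip("/") in removed:
            root.remove(el)
        elif el.get("ContentType") in DISARMED_TYPES:
            el.set("ContentType", DISARMED_TYPES[el.get("ContentType")])
    ET.register_namespace("", NS_CT)
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def disarm_ooxml(data: bytes) -> Tuple[bytes, List[str]]:
    """Rebuild the package part by part; returns (new package, removed part names)."""
    src = zipfile.ZipFile(io.BytesIO(data))
    removed = [n for n in src.namelist() if ACTIVE_CONTENT.search(n)]
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name in removed:
                continue
            payload = src.read(name)
            if name.endswith(".rels"):
                payload = _strip_rels(payload, name, removed)
            elif name == "[Content_Types].xml":
                payload = _strip_content_types(payload, removed)
            dst.writestr(name, payload)
    return out.getvalue(), removed


def list_parts(package: bytes) -> List[str]:
    return zipfile.ZipFile(io.BytesIO(package)).namelist()


def read_part(package: bytes, name: str) -> str:
    return zipfile.ZipFile(io.BytesIO(package)).read(name).decode("utf-8")


def build_sample_docm() -> bytes:
    """Constructed minimal macro-enabled package; not a real Office document."""
    content_types = (
        f'<Types xmlns="{NS_CT}">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
        "</Types>"
    )
    doc_rels = (
        f'<Relationships xmlns="{NS_RELS}">'
        '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        "</Relationships>"
    )
    root_rels = (f'<Relationships xmlns="{NS_RELS}"><Relationship Id="rId1" '
                 'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" '
                 'Target="word/document.xml"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("_rels/.rels", root_rels)
        z.writestr("word/document.xml", '<w:document xmlns:w="urn:constructed"/>')
        z.writestr("word/styles.xml", '<w:styles xmlns:w="urn:constructed"/>')
        z.writestr("word/_rels/document.xml.rels", doc_rels)
        z.writestr("word/vbaProject.bin", b"CONSTRUCTED MACRO BLOB")
    return buf.getvalue()


if __name__ == "__main__":
    cleaned, dropped = disarm_ooxml(build_sample_docm())
    print("removed:", dropped)
    print("remaining parts:", list_parts(cleaned))
```

The point of rewriting the relationships and content types, not just deleting the binary, is that the reconstructed file must still open cleanly for the recipient; a package with a dangling `vbaProject` relationship would be rejected or repaired by the application, and a file that fails to open is a denial of service to the user rather than a security layer.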

All the published answers are correct and it was difficult for me to choose one winner. There are two winners to this question - Mohamed Asif (for providing some insights into how the evasion techniques) and Sohan Subhash Mirajkar (for providing some examples). 

 

The other 2 answers are also a must read!! 
