Sandboxes provide ideal, secluded environments in which to screen certain malware types without giving that malware a chance to spread. Based on the observed behavior, the samples can then be classified as harmless, malicious, or “needs a closer look.”
Running programs in such a secluded environment is referred to as sandboxing, and the environment the samples are allowed to run in is called a sandbox.
 
“Sandboxing is a software management strategy that isolates applications from critical system resources and other programs. Sandboxing helps reduce the impact any individual program or app will have on your system.”
 
 
 
We want the malware to show us what it does, but we don’t want it to disturb our monitoring or infect other important systems.
In practice, a cybersecurity sandbox is a physical or virtual environment used to open files or run programs without the chance of any sample interfering with our monitoring or permanently affecting the device it is running on. Sandboxing is used to test code or applications that could be malicious before they are served up to critical devices.
 
In cybersecurity, sandboxing is used in practice as a method to test software, which is then categorized as “safe” or “unsafe” after the test. In many cases the code is allowed to run, and a machine learning (ML) algorithm or another type of artificial intelligence (AI) is used to classify the sample or move it further upstream for closer determination.
 
As sandboxes became more sophisticated and evolved to defeat evasion techniques, we observed multiple strains of malware that dramatically changed their tactics to remain a step ahead. These strains developed the capability to evade sandboxing and yet managed to affect the virtual or real environment.
 
I have devoted the following section of this post to what we can do to detect such malware.
 
 

How to detect sandbox-evading malware?

The evasion techniques we’ve described can give developers a deeper understanding of how to detect sandbox-evading malware. Here are some principles you can implement in your security solution to protect against sandbox-evading malware.
  • Dynamically change sleep duration.
While a sandbox usually analyzes malware for seconds, a prolonged analysis significantly increases the chances of detecting malware that uses an extended sleep. However, this approach may not be effective, as it requires more time. Instead, you can make the sandbox dynamically change its time settings to deceive the malware and trigger its execution.
  • Simulate human interactions.
The sandbox environment doesn’t simulate user interactions by default, but you can add some user-like interactions to analyze malware more thoroughly. However, keep in mind that modern malware may be clever enough to detect fake mouse clicks or movements.
  • Add real environmental and hardware artifacts.
Populating your sandbox with realistic hardware information helps you detect malware that checks the hard disk size, recent files, CPU count, operating system version, memory size, and other system and hardware characteristics.
  • Perform static in addition to dynamic analysis.
Sandboxing technology is a form of dynamic malware analysis, as it examines malware behavior in a safe environment. When sandbox-evading malware refuses to perform any actions, you can still subject it to full static code analysis. Static analysis checks the file for evasion techniques or encrypted pieces of code.
  • Use fingerprint analysis.
Fingerprinting technology allows you to analyze a malware file and find indicators of malicious code. Fingerprinting can also be used to detect the evasion characteristics of malware.
  • Use behavior-based analysis.
Behavior-based analysis offers features designed to detect and combat evasion techniques. During this analysis, the sandbox interacts with the malware itself to find possible execution paths. Moreover, it emulates process interactions to look like a host computer. Once a sandbox evasion technique is detected, the sandbox counteracts its malicious code.
  • Customize your sandboxing.
By adding other innovative features for malware detection to the sandbox, you can significantly improve its effectiveness at detecting malware. For instance, you can use a multi-sandbox array of diverse environments and iterative analysis. It’s also effective to check malware communications beyond the machine’s system API. You can also add a feature to your sandbox that searches for and verifies traces of malicious code at runtime.
  • Add kernel analysis.
While most sandbox solutions operate in user mode, some types of malware are designed to inject malicious code into the kernel space (rootkits or drivers) and thus escape sandboxing. For instance, the early versions of Turla malware loaded and exploited a vulnerable VirtualBox driver and disabled checks for signed driver loading. Thus, by adding kernel analysis to your solution, you can prevent malware from moving into the kernel.
  • Implement machine learning.
Malware analysis based on machine learning algorithms can effectively detect sandbox evasion techniques in malware code before it executes. Machine learning algorithms can treat every period of malware inactivity or sleep as a signal of an evasion technique. Moreover, they can collect millions of other signals that collectively can detect malicious code.
  • Consider content disarm and reconstruction (CDR) as an extra security layer.
CDR is often considered the opposite of sandboxing, but it may serve as an add-on to other security solutions. This technology removes all active content from a file and provides the user with a sanitized document. It allows you to instantly prevent malware hidden in documents, yet there’s a risk of ending up with broken files when a document legitimately contains scripts (such as Office macros written in JavaScript), even though they’re not malicious.
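The first two principles above (dynamically changing the sleep duration, and treating inactivity or sleep as a signal for a machine learning classifier) can be shown together on a simulated API trace. The following is an added example written for this post, not code from the author or from any sandbox product: a virtual clock that fast-forwards long `Sleep` calls while still reporting the full delay to the sample, a constructed stand-in for a stalling sample that only acts if the clock really advanced, and a feature extractor that reduces the trace to the kind of signals a classifier would consume. The cap of 2 seconds per sleep, the 60-second analysis budget, the API name sets and the scoring thresholds are all assumptions for illustration.

```python
from dataclasses import dataclass, field

# Assumed sandbox policy (not values from the article): a single Sleep longer than
# MAX_REAL_SLEEP_MS is fast-forwarded, and an analysis run is cut off after BUDGET_MS.
MAX_REAL_SLEEP_MS = 2_000
BUDGET_MS = 60_000

TIME_QUERY_APIS = {"GetTickCount", "QueryPerformanceCounter", "GetSystemTime"}
ENV_QUERY_APIS = {"GetSystemInfo", "GlobalMemoryStatusEx", "GetDiskFreeSpaceExW"}
STALL_APIS = TIME_QUERY_APIS | ENV_QUERY_APIS | {"Sleep"}


class AnalysisTimeout(Exception):
    """Raised when the sample has consumed the whole wall-clock budget."""


@dataclass
class SandboxClock:
    """Clock the sample sees. With fast_forward=True a long Sleep costs the host only
    MAX_REAL_SLEEP_MS, yet tick_count() still reports the full requested delay, so a
    sample that re-reads the clock after sleeping believes the sleep was honoured."""
    fast_forward: bool = True
    virtual_ms: int = 0
    real_ms: int = 0
    skipped_ms: int = 0
    trace: list = field(default_factory=list)

    def sleep(self, requested_ms: int) -> int:
        granted = min(requested_ms, MAX_REAL_SLEEP_MS) if self.fast_forward else requested_ms
        self.real_ms += granted
        self.virtual_ms += requested_ms
        self.skipped_ms += requested_ms - granted
        self.trace.append(("Sleep", requested_ms))
        if self.real_ms > BUDGET_MS:
            raise AnalysisTimeout(f"budget exhausted after {self.real_ms} ms")
        return granted

    def tick_count(self) -> int:
        self.trace.append(("GetTickCount", self.virtual_ms))
        return self.virtual_ms

    def call(self, api: str, arg=None) -> None:
        """Record any other monitored API call the sample makes."""
        self.trace.append((api, arg))


def simulated_stalling_sample(api: SandboxClock) -> bool:
    """Constructed stand-in for a sample that sleeps five minutes and only proceeds
    if the clock really advanced. Returns True when its later stage runs."""
    api.call("GetSystemInfo")
    before = api.tick_count()
    api.sleep(300_000)
    if api.tick_count() - before < 300_000:
        return False
    api.call("CreateFileW", r"C:\Users\Public\dropped.bin")  # constructed artifact
    return True


def extract_features(trace: list) -> dict:
    """Reduce a raw API trace to signals a classifier could consume."""
    sleeps = [arg for api, arg in trace if api == "Sleep"]
    first_action = next((i for i, (api, _) in enumerate(trace) if api not in STALL_APIS), len(trace))
    return {
        "sleep_calls": len(sleeps),
        "total_sleep_ms": sum(sleeps),
        "max_sleep_ms": max(sleeps, default=0),
        "time_queries": sum(1 for api, _ in trace if api in TIME_QUERY_APIS),
        "env_queries": sum(1 for api, _ in trace if api in ENV_QUERY_APIS),
        # share of the trace spent stalling or probing before the first real action
        "stall_ratio": first_action / len(trace) if trace else 0.0,
    }


def evasion_score(f: dict) -> int:
    """Additive heuristic; the thresholds are assumptions for illustration only."""
    score = 0
    if f["max_sleep_ms"] >= 60_000:
        score += 2
    if f["sleep_calls"] >= 1 and f["time_queries"] >= 2:
        score += 2  # sleep bracketed by clock reads: sample checks the sleep was honoured
    if f["env_queries"] >= 1:
        score += 1
    return score


def run_analysis(fast_forward: bool) -> dict:
    """Run the constructed sample under one clock policy and summarise the result."""
    clock = SandboxClock(fast_forward=fast_forward)
    try:
        acted = simulated_stalling_sample(clock)
        timed_out = False
    except AnalysisTimeout:
        acted, timed_out = False, True
    features = extract_features(clock.trace)
    return {"acted": acted, "timed_out": timed_out, "real_ms": clock.real_ms,
            "skipped_ms": clock.skipped_ms, "features": features,
            "score": evasion_score(features)}


if __name__ == "__main__":
    for mode in (False, True):
        r = run_analysis(fast_forward=mode)
        print(f"fast_forward={mode}: later stage ran={r['acted']} timed_out={r['timed_out']} "
              f"host waited {r['real_ms']} ms, skipped {r['skipped_ms']} ms, score={r['score']}")
```

With an honest clock the sample burns the whole budget and the run ends with nothing observed; with fast-forwarding the host waits two seconds, the sample sees five minutes, and the stage that would otherwise stay hidden is recorded. Either way the trace carries the sleep-bracketed-by-clock-reads pattern, which is the kind of feature the machine learning principle above relies on.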
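For the "add real environmental and hardware artifacts" principle, the practical question is whether your own analysis VM still looks like a bare default install. Below is an added example, not the author's code, of a small audit that takes a profile of a machine and reports every property a sample could use to recognise a sandbox. The minimum thresholds, the vendor-string list and the hostname list are assumptions chosen for illustration; the two profiles at the bottom are constructed, and `collect_local_profile` gathers only what the Python standard library can provide.

```python
import os
import platform
import shutil

# Assumed thresholds (illustrative, not published fingerprints): a value below the
# minimum is the kind of bare-VM artifact a sample may use to recognise a sandbox.
MINIMUMS = {
    "cpu_count": 2,
    "ram_gb": 4,
    "disk_gb": 100,
    "recent_files": 20,
    "uptime_minutes": 15,
}
VM_VENDOR_MARKERS = ("virtualbox", "vbox", "innotek", "vmware", "qemu", "xen", "hyper-v")
TELLTALE_HOSTNAMES = {"sandbox", "analysis", "malware", "virus", "cuckoo"}


def audit_profile(profile: dict) -> list:
    """Return one finding per artifact that makes the machine look like an analysis VM.
    Keys missing from the profile are skipped rather than reported."""
    findings = []
    for key, minimum in MINIMUMS.items():
        value = profile.get(key)
        if value is not None and value < minimum:
            findings.append(f"{key}={value} is below the expected minimum of {minimum}")
    for key in ("bios_vendor", "disk_model", "gpu_name"):
        value = str(profile.get(key, ""))
        if any(marker in value.lower() for marker in VM_VENDOR_MARKERS):
            findings.append(f"{key}={value!r} exposes a virtualisation vendor string")
    hostname = str(profile.get("hostname", "")).lower()
    if hostname in TELLTALE_HOSTNAMES:
        findings.append(f"hostname={hostname!r} names the analysis purpose")
    return findings


def collect_local_profile() -> dict:
    """Best-effort collection with the standard library only; fields the stdlib cannot
    provide (RAM, BIOS vendor, disk model, recent files, uptime) are left out."""
    root = os.environ.get("SystemDrive", "C:") + "\\" if os.name == "nt" else "/"
    return {
        "cpu_count": os.cpu_count(),
        "disk_gb": shutil.disk_usage(root).total // (1024 ** 3),
        "hostname": platform.node(),
    }


# Constructed profiles: a freshly created analysis VM and a typical office laptop.
BARE_VM = {"cpu_count": 1, "ram_gb": 2, "disk_gb": 40, "recent_files": 0,
           "uptime_minutes": 3, "bios_vendor": "innotek GmbH",
           "disk_model": "VBOX HARDDISK", "hostname": "sandbox"}
OFFICE_LAPTOP = {"cpu_count": 8, "ram_gb": 16, "disk_gb": 512, "recent_files": 140,
                 "uptime_minutes": 4300, "bios_vendor": "Dell Inc.",
                 "disk_model": "Samsung SSD 870 EVO", "hostname": "fin-lt-042"}

if __name__ == "__main__":
    cases = (("bare VM", BARE_VM), ("office laptop", OFFICE_LAPTOP),
             ("this host", collect_local_profile()))
    for name, profile in cases:
        findings = audit_profile(profile)
        print(f"{name}: {len(findings)} sandbox-like artifact(s)")
        for finding in findings:
            print("  -", finding)
```

Run it inside the guest before a sample ever does: each finding is a property worth changing (more cores and memory, a larger disk, a populated recent-documents list, realistic vendor strings and hostname) so that the checks listed in the bullet above see an ordinary workstation.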
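To make the CDR principle concrete, here is an added example (written for this post, not code from the author or from any CDR vendor) of the narrowest useful case: rebuilding an Office Open XML package without its VBA project. It constructs a minimal macro-enabled Word package in memory, then removes the `vbaProject.bin` part, the relationship that points to it, the `bin` default content type, and demotes the main part's content type to the plain (`.docx`) one. The part names, relationship type and content types are the standard OOXML values; the sample package itself is constructed and is not a file Word would open as-is.

```python
import io
import re
import zipfile

MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
VBA_DEFAULT = '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
VBA_REL_TYPE = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
ACTIVE_PARTS = ("vbaProject.bin", "vbaData.xml")


def build_sample_docm() -> bytes:
    """Constructed minimal macro-enabled package: just enough parts and references
    for the sanitiser to act on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                   '<Default Extension="xml" ContentType="application/xml"/>'
                   + VBA_DEFAULT +
                   f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN_CT}"/>'
                   '</Types>')
        z.writestr("word/_rels/document.xml.rels",
                   '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                   f'<Relationship Id="rId1" Type="{VBA_REL_TYPE}" Target="vbaProject.bin"/>'
                   '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
                   '</Relationships>')
        z.writestr("word/document.xml",
                   "<w:document><w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p></w:body></w:document>")
        z.writestr("word/styles.xml", "<w:styles/>")
        # Constructed placeholder standing in for the OLE container that holds the VBA.
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


def sanitize_ooxml(data: bytes):
    """Rebuild the package without its VBA project and without any reference to it.
    Returns (clean_bytes, removed_part_names)."""
    src = zipfile.ZipFile(io.BytesIO(data))
    out = io.BytesIO()
    removed = []
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            body = src.read(name)
            if name.endswith(ACTIVE_PARTS):
                removed.append(name)  # drop the active part entirely
                continue
            if name == "[Content_Types].xml":
                text = body.decode("utf-8")
                text = text.replace(MACRO_MAIN_CT, PLAIN_MAIN_CT).replace(VBA_DEFAULT, "")
                body = text.encode("utf-8")
            elif name.endswith(".rels"):
                # drop the relationship that pointed at the VBA project
                pattern = rf'<Relationship [^>]*Type="{re.escape(VBA_REL_TYPE)}"[^>]*/>'
                body = re.sub(pattern, "", body.decode("utf-8")).encode("utf-8")
            dst.writestr(name, body)
    return out.getvalue(), removed


def has_active_content(data: bytes) -> bool:
    """Post-check: any VBA part left, or a macro-enabled main content type?"""
    z = zipfile.ZipFile(io.BytesIO(data))
    if any(n.endswith(ACTIVE_PARTS) for n in z.namelist()):
        return True
    return "macroEnabled" in z.read("[Content_Types].xml").decode("utf-8")


def read_part(data: bytes, name: str) -> str:
    """Return one part of the package as text (used to inspect the result)."""
    return zipfile.ZipFile(io.BytesIO(data)).read(name).decode("utf-8")


if __name__ == "__main__":
    original = build_sample_docm()
    clean, removed = sanitize_ooxml(original)
    print("removed parts:", removed)
    print("active content before/after:", has_active_content(original), has_active_content(clean))
```

A production CDR engine goes further (embedded OLE and ActiveX objects, DDE fields, external links, and the same treatment for PDF and archive formats), but this shows the trade-off the bullet describes: the text of the document survives intact, while any legitimate macro the document depended on is gone, so a user who needed it receives a file that no longer works as intended.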
 
 

This article was written and published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.

Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
