- Sandbox security methods involve the use of a virtual machine to observe malware behavior.
- This method may be used in a variety of ways and has evolved significantly over the years.
- It’s important to understand the ways that malware attempts to evade sandbox detection.
In our previous post on network honeypots, we discussed an important defensive strategy that uses a simulated server to trap unsuspecting attackers. Sandbox security is a complement to this strategy.
The idea, as with honeypot network security, is relatively simple to explain but difficult to execute. It involves a special virtual machine that is kept isolated from the rest of your network resources. Its sole purpose is to be a miniature laboratory for observing malware behavior. Security researchers have been using such sandboxes to analyze malware for many years. Because the sandbox is a controlled environment, a sample's code can be detonated and dissected line by line without worrying about harm to other computers.
The Evolution of Sandbox Security
The sandbox concept began to be incorporated into various anti-malware scanning tools about a decade ago: as part of the scanning process, a new piece of malware would automatically be detonated and analyzed by the tool (either in the cloud or on a specialized server) and a verdict offered before it could execute on the endpoint. (Here is a 2013 article in CSOonline as an example.) A related service is URLscan.io, a free website scanning service. It navigates through a site mimicking an ordinary user and reports on any malicious activity it finds.
The natural evolution of this strategy is seen with vendors such as VMRay and JoeSecurity.org, who specialize in building sandboxes that perform automated, deep analysis of malware. JoeSecurity's tools can be integrated into endpoint protection products such as Carbon Black and SentinelOne, along with a variety of threat intelligence products and security orchestration tools. If you are in the market for these tools, you should examine each vendor's sandbox claims carefully, in particular how it handles the evasion techniques described below.
Sandboxes have also been used by developers for purposes other than security over the years. For example, a programmer will use one to test a new routine or application without having to worry that the code will destroy data or crash the machine. Once the code has been properly vetted and its problems resolved, it can be released into normal production.
Sandboxes are also used in a growing number of commercial applications, most notably the protected web browser. Because of script injection, man-in-the-middle tampering and phishing, simply browsing a compromised web page can deliver malware to a computer. Accordingly, a number of vendors (such as Authentic8, Citrix' Secure Browser and Sandboxie) offer specialized browsers that can be used instead of Chrome or Safari and that run all web code in a sandbox. If you open a malicious link, the damage is contained to the sandbox rather than compromising your computer.
Enter the Evasive Era
Like much in the security industry, the sandbox has become part of the cat-and-mouse game of attackers trying to get around this analysis. As malware authors have become better at hiding their routines, they have also developed ways to look for those specific “tells” that they are running inside a sandbox.
This is a more sophisticated addition to the ways malware already avoids detection, such as obfuscating its code with meaningless variable names, delivering itself in separate stages, or running entirely in memory by abusing programs already present in the operating system. Let's review some of the sneakier methods of sandbox detection and how a typical piece of malware tries to find these "tells." If any of them are found, the malware generally stays dormant or exits, so the sandbox observes only benign behavior and issues a clean verdict.
- Running with very minimal and atypical hardware configurations. Early sandboxes tried to skimp on virtual hardware: a small screen resolution, no support for USB 3.0 and other common drivers, no 3D rendering capability, only one virtual CPU, and a small hard disk and memory allocation. That was usually a sure giveaway that it wasn't an actual PC with a live user.
- Minimal software load. Most sandboxes also tried to skimp on installed software, forgoing instant messaging and mail clients and other common applications, and had no default printer installed.
- No actual user history. "Conventional sandboxes were never designed to emulate user behavior and malware was coded with the ability to determine the discrepancy between the automated and the real systems," said one blog post by McAfee about sandbox evasion techniques. The typical sandbox is freshly created, so it has little network or browsing history and no stored cookies. It is also usually a "clean machine" with no files on the desktop and no record of recently accessed files.
- Search for virtual machine (VM) artifacts. Every hypervisor leaves traces in the guest: driver files and guest-agent processes, registry keys, vendor strings in the hard drive and BIOS labels, and network adapter MAC prefixes assigned to the hypervisor vendor. One of the more interesting malware queries is to ask for the temperature of the CPU, something that VMs don't normally report.
- Delay execution. This is a favorite of many malware routines. Because sandboxes examine what happens in real time and have a limited analysis window, many early sandboxes wouldn't wait around to see what happened more than a few minutes after loading a sample. So malware authors built automatic delays into their routines, in the hope that by the time the payload ran, the sandbox would already have given the sample a stamp of approval. Sandboxes responded by hooking sleep calls to return immediately, and malware responded in turn by checking whether the wall clock actually advanced.
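The checks in the list above are straightforward to script, which is also how a sandbox operator can audit their own analysis image. The following Python script is an added example, not code from the original post or from any vendor named here. It gathers the facts a sample would look at (CPU, RAM and disk size, uptime, user file history, MAC prefix, guest-agent processes, and whether a sleep is honored), scores them against thresholds, and reports which tells an evasive sample would trip. The thresholds, the OUI and process lists, and the two fact sets at the bottom are assumptions constructed for illustration.

```python
"""Audit an analysis VM for the sandbox tells listed above.

Added example, not code from the original post or any vendor product.
Run it inside the sandbox image: each tell it reports is a heuristic that
evasive samples commonly check before detonating. The thresholds and the
indicator lists are assumptions chosen for illustration.
"""
import os
import platform
import shutil
import subprocess
import time
import uuid

# Assumed thresholds: below these a host looks like a stripped-down VM.
MIN_CPUS = 2
MIN_RAM_GB = 4
MIN_DISK_GB = 60
MIN_UPTIME_MIN = 10
MIN_RECENT_FILES = 5

# MAC OUI prefixes registered to common hypervisor vendors.
VM_MAC_OUIS = {
    "00:0c:29": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox", "00:15:5d": "Hyper-V", "52:54:00": "QEMU/KVM",
}
# Guest-agent process names that betray a hypervisor.
VM_PROCESSES = {"vmtoolsd", "vboxservice", "vboxtray", "qemu-ga", "prl_tools"}


def sleep_is_honored(seconds=2.0):
    """Delay-execution check: sandboxes often hook Sleep() to return at once,
    so compare the requested delay against the wall clock. (Mature sandboxes
    also warp the clock, which is why this check alone is no longer reliable.)"""
    start = time.time()
    time.sleep(seconds)
    return time.time() - start >= seconds * 0.9


def evaluate_tells(facts):
    """Return the sandbox tells present in a dict of host facts.
    Pure function: works on collected facts or on constructed ones.
    A fact that is None means 'could not be determined' and is skipped."""
    tells = []

    def below(key, threshold, label):
        value = facts.get(key)
        if value is not None and value < threshold:
            tells.append(f"{label}: {value:g} < {threshold}")

    below("cpus", MIN_CPUS, "few CPUs")
    below("ram_gb", MIN_RAM_GB, "little RAM (GB)")
    below("disk_gb", MIN_DISK_GB, "small disk (GB)")
    below("uptime_min", MIN_UPTIME_MIN, "recently booted (min)")
    below("recent_files", MIN_RECENT_FILES, "no user file history")
    oui = (facts.get("mac") or "")[:8].lower()
    if oui in VM_MAC_OUIS:
        tells.append(f"MAC OUI {oui} belongs to {VM_MAC_OUIS[oui]}")
    agents = VM_PROCESSES & {p.lower() for p in facts.get("processes", [])}
    if agents:
        tells.append("hypervisor guest agent: " + ", ".join(sorted(agents)))
    if facts.get("sleep_honored") is False:
        tells.append("Sleep() returned early (timer acceleration)")
    return tells


def collect_facts():
    """Best-effort fact collection from the running host (Linux and Windows)."""
    home = os.path.expanduser("~")
    try:  # POSIX only; Windows would need GlobalMemoryStatusEx via ctypes
        ram_gb = os.sysconf("SC_PHYS_PAGES") * os.sysconf("SC_PAGE_SIZE") / 2**30
    except (AttributeError, ValueError, OSError):
        ram_gb = None
    if platform.system() == "Windows":
        out = subprocess.run(["tasklist"], capture_output=True, text=True).stdout
        processes = [ln.split()[0].rsplit(".", 1)[0] for ln in out.splitlines() if ln.strip()]
    else:
        processes = []
        for pid in filter(str.isdigit, os.listdir("/proc")):
            try:
                with open(f"/proc/{pid}/comm") as f:
                    processes.append(f.read().strip())
            except OSError:
                pass
    recent = sum(len(os.listdir(os.path.join(home, d)))
                 for d in ("Desktop", "Documents", "Downloads")
                 if os.path.isdir(os.path.join(home, d)))
    node = uuid.getnode()
    mac = ":".join(f"{(node >> s) & 0xFF:02x}" for s in range(40, -1, -8))
    return {
        "cpus": os.cpu_count() or 1,
        "ram_gb": ram_gb,
        "disk_gb": shutil.disk_usage(home).total / 2**30,
        "uptime_min": time.monotonic() / 60,  # monotonic clock starts near boot
        "recent_files": recent,
        "mac": mac,
        "processes": processes,
        "sleep_honored": sleep_is_honored(),
    }


# Constructed fact sets (not measurements) for demonstration and testing.
SANDBOX_FACTS = {
    "cpus": 1, "ram_gb": 1.0, "disk_gb": 20.0, "uptime_min": 2.0,
    "recent_files": 0, "mac": "00:0c:29:3a:b1:9e",
    "processes": ["explorer.exe", "vmtoolsd"], "sleep_honored": False,
}
WORKSTATION_FACTS = {
    "cpus": 8, "ram_gb": 16.0, "disk_gb": 512.0, "uptime_min": 4300.0,
    "recent_files": 37, "mac": "3c:22:fb:12:34:56",
    "processes": ["explorer.exe", "outlook.exe", "teams.exe"], "sleep_honored": True,
}

if __name__ == "__main__":
    for name, facts in (("constructed sandbox", SANDBOX_FACTS),
                        ("constructed workstation", WORKSTATION_FACTS),
                        ("this host", collect_facts())):
        tells = evaluate_tells(facts)
        print(f"{name}: {len(tells)} tell(s)")
        for t in tells:
            print("  -", t)
```

Run inside your analysis VM, the "this host" section lists every tell a sample could use to stay dormant; a well-built image should report none. The constructed sandbox trips all eight checks, while the constructed workstation trips none. Note that the sleep check compares against the system wall clock, which a sandbox can also accelerate, so it illustrates the original cat-and-mouse step rather than a reliable modern detector.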
It's important to be aware of these evasive techniques and to design new sandbox security strategies, or adjust existing ones, so the analysis environment looks and behaves like a real user's machine and waits long enough for delayed payloads to fire.
Network Solutions is Here to Help
Sometimes the right cybersecurity solution can make all the difference by taking some pressure off you as an IT professional or organizational decision-maker. From website security and SSL to our convenient and affordable Cyber Security Solution, our team has your back. Just let us know how we can assist you.
Image Credits: McAfee