How Sandboxes are being easily bypassed, and what’s next.
Until the early 2000’s Anti-Virus software (AVs) were dominant. With signature-based anti-viruses, URL reputation engines and threat intelligence, companies were covered against most attacks. However, these security measures were reactive. Signature detection (looking for patterns identified in known instances of malware) or reputation lookup (looking for known malicious sites) detect only previously identified threats.
Around 2005, a new type of threat emerged that was hard to detect with static methods: the Advanced Persistent Threat (APT). APTs are custom-developed, targeted attacks using a set of stealthy and continuous hacking processes. They are inherently designed to evade typical detection methods. To protect against this new type of threat, sandboxes were invented and added to the cyber-security toolbox as an added layer of protection.
Sandbox protection is behavior-based, providing the malware with a place to “play” and waiting to see what it is going to do. The Sandbox profiles malware behavior by letting it reach the shellcode execution stage – a technique well known to attackers. Presumably, even if it doesn’t have a signature or reputation, it will expose its true intentions in the sandbox.
The value proposition for sandboxes was great over 10 years ago and genuinely had a strong ability to stop APTs. But as we all know in the cyber world, attackers find ways to get around solutions, and it is clear that now there are many well-known means by which to do so.
There are many creative ways to evade sandboxes, all of them having the same rationale: the malware wants to prevent the sandbox from executing the malicious code and detecting it. It therefore leverages methods to either detect the environment it runs in, understand system behavior or identify user interactions. It executes its malicious code only once it knows it is outside the sandbox and onto the end-user’s computer.
Some common means of evading sandbox detection are:
Sandboxes are designed to mimic to the best of their ability the end-user’s real environment. However, there are various ways in which the virtual environment looks different from an end user’s system, which help malware to identify it is running inside a sandbox. Malware may try to find out if it’s running in a virtual environment or may check for the signature of a vendor’s sandbox. The sandbox’s fingerprints can be specific configuration files, executables, processes, registry keys, services, network device adapters etc. Once a malware detects a virtual environment it avoids running any malicious code until safely on the other side.
Examples of techniques attackers use to detect the sandbox environment:
As sophisticated as a particular sandbox might be, malware authors can often find and exploit its weak points and limitations
Examples of techniques attackers use to abuse sandbox limitations:
While being very innovative at the time, sandboxes have become just another semi-efficient component against cybercrime as they are no longer effective protection against APTs and zero-day attacks.
Perception Point uses a different approach for protecting against APTs and zero-day attacks, in a much more deterministic way that doesn’t wait for the malicious content to actually detonate. Our HAPTM (Hardware Assisted Platform) x-rays code rather than checks behavior to detect the use of exploit techniques before malware is even delivered (e.g., when it gets out of the valid execution flow to check the environment).
It consists of 3 algorithmic layers:
On top of that Perception Point applies additional layers to detect evasion techniques:
In cybersecurity there is no holy grail that catches all threats. However, it does not mean you should compromise on systems that are clearly very easy to evade today. You should aim for a deterministic and holistic multi-layered solution, that is able to be rapidly updated as new techniques emerge.
To learn more about our solution,
Perception Point’s platform recently caught an advanced threat directed at one of our customers within a Microsoft Word file.
Over the years organizations have implemented multi-layered approaches to protect their email, due to the fact that no single solution has provided sufficient results.
In this series of posts we’re going to demonstrate how modern CFI implementations can be circumvented.Show More