How Sandboxes are being easily bypassed, and what’s next.
Why were Sandboxes Created?
Until the early 2000’s Anti-Virus software (AVs) were dominant. With signature-based anti-viruses, URL reputation engines and threat intelligence, companies were covered against most attacks. However, these security measures were reactive. Signature detection (looking for patterns identified in known instances of malware) or reputation lookup (looking for known malicious sites) detect only previously identified threats. Around 2005, a new type of threat emerged that was hard to detect with static methods: the Advanced Persistent Threat (APT). APTs are custom-developed, targeted attacks using a set of stealthy and continuous hacking processes. They are inherently designed to evade typical detection methods. To protect against this new type of threat, sandboxes were invented and added to the cyber-security toolbox as an added layer of protection.
How Does Sandbox Technology Work?
Sandbox protection is behavior-based, providing the malware with a place to “play” and waiting to see what it is going to do. The Sandbox profiles malware behavior by letting it reach the shellcode execution stage – a technique well known to attackers. Presumably, even if it doesn’t have a signature or reputation, it will expose its true intentions in the sandbox. The value proposition for sandboxes was great over 10 years ago and genuinely had a strong ability to stop APTs. But as we all know in the cyber world, attackers find ways to get around solutions, including malware bypassing sandboxes, and it is clear that now there are many well-known means by which to do so.
Common Sandbox Evasion Techniques.
There are many creative ways for malware to evade sandboxes, all of them having the same rationale: the malware wants to prevent the sandbox from executing the malicious code and detecting it. It therefore leverages methods to either detect the environment it runs in, understand system behavior or identify user interactions. It executes its malicious code only once it knows it is outside the sandbox and onto the end-user’s computer. Some common means of evading and bypassing sandbox detection are:
- Detection and awareness of the sandbox environment
- Abusing sandbox limitations
- Context-aware malware
Sandbox Environment Detection.
Sandboxes are designed to mimic to the best of their ability the end-user’s real environment. However, there are various ways in which the virtual environment looks different from an end user’s system, which help malware to identify it is running inside a sandbox. Malware may try to find out if it’s running in a virtual environment or may check for the signature of a vendor’s sandbox. The sandbox’s fingerprints can be specific configuration files, executables, processes, registry keys, services, network device adapters etc. Once a malware detects a virtual environment it avoids running any malicious code until safely on the other side. Examples of techniques attackers use to detect the sandbox environment:
- Core Count: A malware looks for discrepancies between virtual and physical systems, such as the number of CPU cores.
- Running Processes and Services: A malware checks the availability of antivirus programs by looking for active processes (e.g., vmusrvc.exe) in the operating system. The Client Maximus, a malware released in 2017 to attack Brazilian banks looks for installed programs using a stealthy driver.
- Connected Devices: A malware looks for devices installed on the infected system (e.g., printer), a lack of such devices indicates a sandbox.
- Files: A malware looks for files in the system typical of a sandbox or a real environment. Locky ransomware, released in 2016, requires the use of run32dll.exe (a DLL not available in a sandbox) to execute an infected encrypted DLL.
Abusing Sandbox Limitations.
As sophisticated as a particular sandbox might be, malware authors can often find and exploit its weak points and limitations Examples of techniques attackers use to abuse sandbox limitations:
- File Size. A malware uses a large file size that the sandbox can’t process.
- File Format. A malware uses an obscure file format not recognized by the sandbox.
- Time. A sandbox typically analyzes a file for 7 to 20 minutes. A malware can just go to sleep and wake up during that processing time.
- Botnet Command and Control Window. A malware drops a clean file that connects to a URL or IP address that can download a file on command, hours, days or weeks later.
- Data Obfuscation and Encryption. A malware changes or encrypts its code and communications so that the sandbox can’t analyze it. The Trojan Dridex, encrypted API calls so that traditional malware sandboxes can’t read them. The Andromeda botnet used several keys to encrypt its communication.
The Sandbox Killer.
While being very innovative at the time, sandboxes have become just another semi-efficient component against cybercrime as they are no longer effective protection against APTs and zero-day attacks. Perception Point uses a different approach for protecting against APTs and zero-day attacks, in a much more deterministic way that doesn’t wait for the malicious content to actually detonate. Our HAPTM (Hardware Assisted Platform) x-rays code rather than checks behavior to detect the use of exploit techniques before malware is even delivered (e.g., when it gets out of the valid execution flow to check the environment). It consists of 3 algorithmic layers:
- CFG – records the CPU while it processes the input (files and URLs) and identifies exploits by examining the entire execution flow – detecting any deviation from the normal flow of a program in order to deterministically identify malicious activity.
- FFG – detects advanced techniques such as exploits that are written to bypass common CFI algorithms. Proprietary semantic aware control flow graphs developed for each application identify deviations of the execution flow during runtime.
- Dropper – employs advanced heuristics-based engine for detecting logical bugs and handling macros and scripts.
On top of that Perception Point applies additional layers to detect evasion techniques:
- Recursive Unpacker – unpacks any e-mail into smaller units (files and URLs) to identify hidden malicious attacks. It further extracts embedded URLs and files (recursively) by unpacking files and following URLs. All of the extracted components go separately through all engines.
- Anti-evasion Engine – strips any macro technique to check the actual possible attack behind it.
In cybersecurity there is no holy grail that catches all threats. However, it does not mean you should compromise on systems that are clearly very easy to evade today. You should aim for a deterministic and holistic multi-layered solution, that is able to be rapidly updated as new techniques emerge. To learn more about our solution, Click Here
you may also like
Connect with our team to:
* Learn more
* Get a live demo
* Get a quote
* Set up a free 30 day trial
We will respond to your enquiry within 24 hours.