Sandboxes Are Not Foolproof
Sandboxing cyber security solutions are based on opening files in a ‘controlled environment’. They monitor the file’s actions – API calls, file access, network activity – to characterize its behavior and determine whether it is malicious.
Popular evasion techniques
Since sandboxes became more popular, attackers have developed sandbox evasion techniques. Some of those techniques are simple, for example ‘sleep’ modes that wait out the scan. But attackers also use more sophisticated evasions such as sandbox presence detection, where the malware runs ‘clean’ code if a sandbox is detected. Another example is mouse movement detection, where the malware checks for the signs of human interaction that a sandbox has to simulate.
Other evasion techniques check whether the machine is physical or virtual. Here are some examples:
- Checking popular ports (VMware for example) to see if they are taken
- Reading vendor MAC addresses, a hardcoded unique identifier
- Reading the CPU ID, which gives the malware processor details
- Reading registry values of known hypervisors or sandboxes
In addition, most sandboxes employ very ‘weak’ machines, characterized by low processor counts, little RAM, etc. This too makes it possible for malware to distinguish between an actual computer and a sandbox. Malware may also look for sandbox-specific DLLs, files or processes that identify the sandbox, or survey the environment to see whether it looks like a real machine: a lack of USB ports, a small hard drive, no personal files, no mail client and more can indicate that this is a sandbox. Once the malware has identified a sandbox, it switches to techniques designed to evade detection.
Examples from the field
- An interesting example of a sandbox evasion posted by Lastline uses ‘GetProcessAffinityMask’ to discover the number of cores in the system, avoiding the need to check that value using WMI or by parsing the PEB, a known evasion tactic.
- Cerber ransomware calls APIs that sandboxes monitor (using hooks) with ‘bad’ parameters and analyzes the outcome. In a monitored environment these calls typically cause a crash, while in a non-monitored environment the exception handler lets the code continue executing unhindered.
- Locky ransomware: its authors execute the malicious code when the document is closed, to evade detection.
Sandbox-aware code is another evasion technique, where the malware employs ‘time bombs’ to dynamically modify its sleep duration and outlast the analysis time slot, using methods such as NtDelayExecution among other time-bomb evasions.
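The environment checks listed above and the time-bomb and core-count probes described in the field examples all leave traces in the API log a sandbox records. The following added example (not BitDam’s code, nor any vendor’s report format) shows how a defender can triage such a trace: it scans a constructed sample of monitored calls for the indicators this page names and flags the sample as sandbox-aware when several appear together. The `API|argument` line format, the thresholds and the indicator table are assumptions made for the example; the MAC address prefixes are publicly documented VMware and VirtualBox OUIs.

```python
import re
from collections import Counter

# Constructed sample trace (not real sandbox output): one "API|argument" line per monitored call.
SAMPLE_TRACE = """\
GetProcessAffinityMask|hProcess=0x1a4
RegOpenKeyExW|HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools
NtDelayExecution|DelayInterval=600000ms
GetAdaptersAddresses|MAC=00:0C:29:3A:5B:6C
CreateFileW|C:\\Users\\user\\Documents\\report.docx
NtDelayExecution|DelayInterval=5ms
GetCursorPos|x=100,y=100
GetCursorPos|x=100,y=100
GetCursorPos|x=100,y=100
"""

# Publicly documented MAC OUIs of virtualization vendors (VMware, VirtualBox).
VM_OUIS = {"00:0C:29", "00:50:56", "08:00:27"}
HYPERVISOR_KEY_WORDS = ("vmware", "virtualbox", "vbox", "qemu", "xen")
LONG_SLEEP_MS = 60_000      # assumed threshold: a one-minute sleep outlasts many analysis windows
REPEATED_CURSOR_READS = 3   # assumed threshold for "is the mouse ever moving?" polling


def parse_trace(text):
    """Split the trace into (api, argument) pairs, skipping blank lines."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        api, _, arg = line.partition("|")
        calls.append((api.strip(), arg.strip()))
    return calls


def find_indicators(calls):
    """Return the set of evasion indicators present in the call list."""
    found = set()
    cursor_reads = Counter()
    for api, arg in calls:
        if api == "GetProcessAffinityMask":
            found.add("core-count probe via GetProcessAffinityMask")
        elif api.startswith("RegOpenKey") and any(w in arg.lower() for w in HYPERVISOR_KEY_WORDS):
            found.add("hypervisor registry key lookup")
        elif api == "NtDelayExecution":
            m = re.search(r"(\d+)ms", arg)
            if m and int(m.group(1)) >= LONG_SLEEP_MS:
                found.add("long sleep (time bomb)")
        elif api == "GetAdaptersAddresses":
            m = re.search(r"MAC=([0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2})", arg)
            if m and m.group(1).upper() in VM_OUIS:
                found.add("MAC address read matching a VM vendor OUI")
        elif api == "GetCursorPos":
            cursor_reads[arg] += 1
    # The same cursor position read over and over is the "nobody is moving the mouse" check.
    if any(n >= REPEATED_CURSOR_READS for n in cursor_reads.values()):
        found.add("repeated cursor polling (mouse-activity check)")
    return found


def triage(text, min_indicators=2):
    """Summarize the trace: which indicators appeared and whether the sample looks sandbox-aware."""
    indicators = find_indicators(parse_trace(text))
    return {
        "indicators": sorted(indicators),
        "sandbox_aware": len(indicators) >= min_indicators,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_TRACE)
    for ind in result["indicators"]:
        print("-", ind)
    print("verdict:", "sandbox-aware" if result["sandbox_aware"] else "no evasion indicators")
```

Requiring two or more indicators before raising the verdict matters in practice: a single long sleep or a single registry lookup is common in benign installers, but a core-count probe, a hypervisor key lookup, a VM-vendor MAC read and a minute-long sleep in one short trace is the profile of code that intends to behave differently inside the sandbox, which is itself the signal worth alerting on.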
As a dynamic solution, sandboxes offer a means of effectively scanning a file, to detect malware. Unfortunately, they remain susceptible to evasion.
BitDam ‘Proactive Cyber Security’ offers another approach to protecting against advanced malware. BitDam blocks alien attacker code before it executes. Whether the code aims to check for a sandbox as part of an evasion technique, to encrypt personal files or to perform any other malicious activity, BitDam detects it. By ensuring that only valid code runs on the machine, BitDam stops malware at its source, before the code is executed. This makes sandbox evasions moot. With BitDam, any attempt to run alien code is blocked immediately, regardless of when and where the code is executed.
You can try it yourself here.