Sandboxing cyber security solutions are predicated on opening files in a ‘controlled environment’, while monitoring the file’s actions – api calls, file access, network, to characterize it’s behavior and determine if its malicious.
With their rising popularity attackers have developed sandbox evasion techniques including simple ‘sleep’ modes to avoid scan detection, to more sophisticated evasions that include sandbox presence detection, where malware runs ‘clean’ code in the event of sandbox detection, or malware mouse movement detection that simulate human interaction to deceive sandboxes.
Evasion techniques that emulate human behaviour are employed to check whether the machine is physical or virtual. These evasion techniques include:
Checking popular ports (VMware for example) to see if they are taken, reading vendor mac addresses, which is a hardcoded unique identifier, or CPU id, which provides malware with processor details or reading of registry values of known hypervisors or sandboxes.
In addition most sandboxes employ very ‘weak’ machines characterized by low processor counts, ram, etc, making it possible for malware to distinguish between an actual computer or a sandbox. This includes reading sandbox specific dlls/files/processes that can be used to identify the sandbox. Or surveying the environment to see if it’s a real machine – lack of USB ports, small hard drive, no personal files, no mail client and more.
Specific techniques are then designed to evade an identified sandbox.
An Interesting example of a sandbox evasion posted by LastLine uses ‘GetProcessAffinityMask’ to discover the number of cores in the system and avoids the need to check that value using wmi or parsing PEB, a known evasion tactic.
For example Cerber ransomware employs API calls that sandboxes monitor (using hooks) with ‘bad’ parameters to analyze their impact. In a monitored environment these calls will typically cause a crash, while in non-monitored environments, the exception handler enables the code’s execution, unhindered.
Another example is Locky ransomware. Authors of this ransomware execute their malicious code when documents are closed, to evade detection.
Sandbox aware code is another evasion technique where malware employ ‘time bombs’ to dynamically modify sleep duration and extend malware analysis timeslots using methods such as NtDelayExecution, among others time bomb evasions.
As a dynamic solution, sandboxes offer a means of effectively scanning a file, to detect malware, but they remain susceptible to evasion.
BitDam ‘Proactive Cyber Security’ offers an alternative approach to advanced malware that can prevent sandbox evasions, or replace sandboxes altogether.
BitDam immediately blocks alien attacker code, before execution – whether it’s checking for a sandbox as part of an evasion technique, or while trying to encrypt personal files. By ensuring that only valid code is running on the machine, at all times, BitDam secures against attack malware execution, at their source, before code is executed.
This makes sandbox evasions moot. With BitDam, regardless of when and where code is executed, if there is an attempt to run alien code the attack is immediately blocked.