Defeating Sandbox Evasion: How to Increase Successful Emulation Rate in Your Virtualized Environment

At the Virus Bulletin conference yesterday in Denver, Check Point researchers Stanislav Skuratovich and Aliaksandr Chailytko gave a talk detailing how cyber security professionals can defeat sandbox evasion. In case you weren’t able to attend the conference, we’ve provided a summary of their presentation below.

The malware world is a dynamic one. As soon as sandboxes appeared, malware writers began looking for ways to circumvent them. As part of the endless cat and mouse game, we endeavor to keep users protected by identifying and blocking any attempt to evade sandbox detection.

Sandboxes are special virtualized, sterile environments used by researchers and advanced security products to analyze file behavior, and detect any malware trying to hide in it. Cyber criminals have created elaborate malware that attempt to detect whether or not they are in a sandbox. To do so, malware authors employ several major techniques, which were detailed in the talk. Once the malware detects that it is running in a sandbox environment, it initiates one of the following fake behaviors:

  1. Terminate its execution to conceal it existence and avoid further research of the malware, which could lead to better detection.
  2. Perform non-malicious activity to mislead researchers, providing false information about the true nature of the malware.
  3. Exhibit deceptive activities by accessing, for example fake domains or IPs, to generate leads that are not relevant to the malware’s real activity.

Using these three tactics may allow malware to evade detection by sandboxes. In some cases, the malware aborts its operation all together. In other instances, it can continue to attack the user after bypassing the sandbox.

To bypass a sandbox in the first place, the malware has to identify that it is running inside one. Malware writers often make use of bugs in the sandbox’s code for this purpose, like in the case of Cuckoo Sandbox. The Cuckoo Sandbox is a leading open source automatic malware analysis system, which is widely used in the world of security. Nearly all of the largest players on the market, including VirusTotal and Malwr, use Cuckoo Sandbox as a platform to perform automatic behavioral analysis. Stanislav and Aliaksandr also described several bugs in virtual environments and hypervisors, which allow malware to detect the sandbox environment, as well as possible solutions for these issues.

To learn more about sandbox evasion, download Alexander and Stanislav’s whitepaper, Defeating Sandbox Evasion: How to Increase Successful Emulation Rate in your Virtualized Environment.