
Malware evades sandboxes

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 06 Aug 2013
Most sandboxes, says FireEye, have telltale characteristics.

The sophistication of today's threat landscape means traditional sandboxes no longer provide an effective defence. Cyber criminals are writing malware that can determine when it is running in a sandbox and alter its behaviour to elude detection.

In a recent report, "Hot Knives Through Butter: Evading File-based Sandboxes", network security company FireEye says sandboxes, or virtual environments that monitor the behaviour of files as they execute, can only monitor and report file activity, not analyse it, and threat actors are coming up with new ways of evading them, leaving systems open to attack.

Human interaction

Attackers are now creating malware that lies dormant until it picks up signs of human interaction, such as the click of a mouse or intelligent responses to dialogue boxes, says FireEye.

Some malware will establish communication with command and control servers only once it has detected a click on the left mouse button; other malware will use dialogue boxes to detect human interaction, only activating after the user clicks a button.

Sandboxes are configured to a defined set of parameters, which limits their ability to mimic the physical machines they are protecting. Cyber crooks are learning to sidestep these configurations.

Because sandboxes monitor a file only for a short while before moving on to the next file if they pick up no anomalous behaviour, malware authors are adding "extended sleep calls" to the malware, which essentially outwait the sandbox. In addition, cyber crooks are using time triggers: sleep API calls that execute malware only after a specific date and time.

Environment

Most sandboxes, says FireEye, have "telltale characteristics, enabling attackers to include features into their malware that check for these virtual environments".

A lot of malware is designed to only execute in certain versions of applications or operating systems. According to FireEye, if the given configuration lacks a particular combination of operating systems and applications, some malware will not execute, and will evade detection.
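As an added illustration, not taken from the FireEye report or this article, the following Python heuristic is the kind of triage a defender could run over a sandbox's API-call trace to flag the patterns described in the two sections above: extended sleeps and clock checks, mouse or dialog-box gating, and probes for virtualisation artefacts. The trace format, the sample trace, the API name sets, the VM marker strings and the thresholds are all constructed assumptions for this example.

```python
# Heuristic triage of a sandbox API-call trace for the evasion patterns described
# above. The trace format, sample trace and thresholds are constructed for this example.
import re

# One call per line: "<seconds since start> <api>(<args>)". Constructed sample.
SAMPLE_TRACE = """\
0.02 RegOpenKeyExA(HKLM\\SYSTEM\\CurrentControlSet\\Services\\VBoxGuest)
0.10 GetLocalTime()
0.11 Sleep(ms=300000)
300.12 GetCursorPos()
300.62 GetCursorPos()
301.12 GetCursorPos()
301.63 MessageBoxA(text=Update required)
301.70 ExitProcess(code=0)
"""

LINE_RE = re.compile(r"^(?P<t>\d+(?:\.\d+)?)\s+(?P<api>\w+)\((?P<args>.*)\)\s*$")
SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution"}
TIME_APIS = {"GetLocalTime", "GetSystemTime", "GetSystemTimeAsFileTime"}
INPUT_APIS = {"GetCursorPos", "GetAsyncKeyState", "GetLastInputInfo"}
DIALOG_APIS = {"MessageBoxA", "MessageBoxW", "DialogBoxParamA", "DialogBoxParamW"}
NETWORK_APIS = {"connect", "InternetOpenA", "InternetOpenW", "WinHttpOpen"}
VM_MARKERS = ("vbox", "virtualbox", "vmware", "qemu", "xen")  # product names in args

def parse_trace(text):
    # Returns (time, api, args) tuples; lines that do not match the format are skipped.
    return [(float(m["t"]), m["api"], m["args"])
            for m in map(LINE_RE.match, text.splitlines()) if m]

def evasion_indicators(trace_text, sleep_threshold_s=120, poll_threshold=3):
    calls = parse_trace(trace_text)
    apis = [api for _, api, _ in calls]
    found = []
    # Extended sleep: total requested sleep exceeds what a sandbox would normally wait out.
    slept_ms = sum(int(n) for _, api, args in calls if api in SLEEP_APIS
                   for n in re.findall(r"ms=(\d+)", args))
    if slept_ms / 1000 >= sleep_threshold_s:
        found.append("extended_sleep")
    # Time trigger: the sample reads the clock but never reaches any network activity.
    if TIME_APIS & set(apis) and not NETWORK_APIS & set(apis):
        found.append("time_check_without_payload")
    # Human-interaction gates: repeated input polling, or a dialog box the user must click.
    if sum(apis.count(a) for a in INPUT_APIS) >= poll_threshold:
        found.append("polls_for_user_input")
    if DIALOG_APIS & set(apis):
        found.append("dialog_gate")
    # Environment fingerprinting: call arguments name a virtualisation product.
    if any(mk in args.lower() for _, _, args in calls for mk in VM_MARKERS):
        found.append("vm_fingerprinting")
    return found
```

A sample that trips several of these indicators and then exits without doing anything is a candidate for a longer or interactive analysis run rather than a clean verdict.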

"File-based sandboxes are no silver bullet against sophisticated attackers," concludes FireEye. While sandboxes are a good tool for monitoring file behaviour, they are only a tool. Today's threats need a combination of behaviour-based and static analysis, together with a better understanding of how individual pieces of an attack work together, to help bridge the security gap, it says.
