Hot Knives Through Butter: Evading File-based Sandboxes
Sandboxes provide isolated, virtual environments that monitor the actual behavior of files as they execute. In theory, this setup enables security professionals to spot malicious code that evades traditional signature-based defenses.
But sandboxes are only as good as the analysis that surrounds them. By themselves, sandboxes can only monitor and report file activity, not analyze it. And unfortunately for organizations that rely on them, the file-based sandboxes used by many vendors are proving oblivious to the latest malware. Attackers are using a variety of techniques to slip under the radar of these sandboxes, leaving systems just as vulnerable as they were before.
This report details the following categories of sandbox-evasion techniques:
* Human interaction – mouse clicks and dialog boxes
* Configuration-specific – sleep calls, time triggers, and process hiding
* Environment-specific – version, embedded iframes, and DLL loaders
* VMware-specific – system-service lists, unique files, and the VMX port
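To make these categories concrete from the analyst's side, the following Python script is an added example (not code from the report or from its authors) that triages a sandbox API-call trace and tags the evasion categories it sees. The trace format, the sample lines, the thresholds (`LONG_SLEEP_MS`, `CURSOR_POLL_MIN`) and the mapping of each category to specific Win32 calls (`Sleep`, `GetCursorPos`, `CreateFile*` on VMware driver paths, service-enumeration APIs) are all assumptions made for the example; the environment-specific category (version checks, iframes, DLL loaders) is not modeled here.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of a sandbox API-call trace, one call per line as
# "<pid> <api> <args>". These lines are made up for this example; they are
# not data from the report.
SAMPLE_TRACE = """\
1234 Sleep 300000
1234 GetCursorPos
1234 GetCursorPos
1234 GetCursorPos
1234 GetCursorPos
1234 CreateFileA C:\\Windows\\System32\\drivers\\vmmouse.sys
1234 OpenSCManagerA
1234 EnumServicesStatusA
1234 GetTickCount
""".splitlines()

# Thresholds are assumptions chosen for this example, not values from the report.
LONG_SLEEP_MS = 60_000          # a single Sleep() this long suggests waiting out the run
CURSOR_POLL_MIN = 3             # repeated GetCursorPos with no input is a mouse check

# Assumed mapping from the report's categories to API-level observables.
VM_ARTIFACT_RE = re.compile(r"vm(ware|mouse|hgfs|tools)", re.IGNORECASE)
SERVICE_ENUM_APIS = {"OpenSCManagerA", "OpenSCManagerW",
                     "EnumServicesStatusA", "EnumServicesStatusW",
                     "EnumServicesStatusExA", "EnumServicesStatusExW"}


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Split a trace line into (pid, api, args); return None for malformed lines."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        return None
    pid, api = parts[0], parts[1]
    args = parts[2] if len(parts) == 3 else ""
    return pid, api, args


def score_trace(lines: List[str]) -> Dict[str, List[str]]:
    """Return {category: [evidence, ...]} for the evasion categories observed."""
    findings: Dict[str, List[str]] = {}
    cursor_polls = 0

    def note(category: str, evidence: str) -> None:
        findings.setdefault(category, []).append(evidence)

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _pid, api, args = parsed

        # Configuration-specific: a long sleep to outlast the sandbox's run time.
        if api == "Sleep" and args.isdigit() and int(args) >= LONG_SLEEP_MS:
            note("configuration-specific", f"Sleep({args} ms)")

        # Human interaction: polling the cursor position to wait for a real user.
        if api == "GetCursorPos":
            cursor_polls += 1
            if cursor_polls == CURSOR_POLL_MIN:
                note("human-interaction", f"GetCursorPos polled {CURSOR_POLL_MIN}+ times")

        # VMware-specific: probing for unique files or enumerating the service list.
        if api.startswith("CreateFile") and VM_ARTIFACT_RE.search(args):
            note("vmware-specific", f"opened {args}")
        if api in SERVICE_ENUM_APIS:
            note("vmware-specific", f"service-list enumeration via {api}")

    return findings


if __name__ == "__main__":
    for category, evidence in score_trace(SAMPLE_TRACE).items():
        print(f"{category}: {'; '.join(evidence)}")
```

The point of the script is the analysis layer the text says sandboxes lack: the sandbox records the calls, and this pass turns them into tagged evidence an analyst can act on. Against a real trace the category-to-API mapping would be extended and the thresholds tuned to the sandbox's actual run time.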