Of Volkswagens and malware sandboxing

So everyone knows about the VW emissions scandal. Software in the car’s engine management system can detect when an emission test is being carried out (a give-away clue is when the vehicle is on a dynamometer), and reduce engine performance in order to provide better emissions test results. Malware developers use a similar technique to evade file-based sandbox detection methods.

As detection rates from signature-based anti-virus scanning has deteriorated dramatically over the years, AV companies have searched for other methods of detecting malware. The most popular alternative method is to run the suspect file in a sandbox – a virtual-machine environment – and to examine the behaviour of the file as it executes. Depending upon the file’s behaviour such as its interaction with the operating system, a determination is made whether it is malicious or not.

However, in the cat-and-mouse game of malware development and detection, these days, most sophisticated malware is designed to detect whether it is executing in a sandbox environment or not. If it is, then the malware simply goes into sleep mode, ensuring that it exhibits no malicious behaviour that would trigger an alert. In order to thwart sandbox detection techniques, the file only acts maliciously when executed in a normal operating environment. Two FireEye researchers, Abhishek Singh and Zheng Bu, described typical ways in which malware can detect a virtual-machine sandbox environment: it notices an absence of human interaction such as a mouse click or scroll action, and it detects common sandbox configurations or characteristics.

Another sandbox evasion technique is for the file to simply sleep for a while before performing actions that would be considered malicious, in all environments. Malware detection using sandboxing will only analyse the file for a limited period of time before making a definitive conclusion about the malicious nature of the file. By sleeping malicious actions for a period, malware can ensure detection times out.

Going to the next step in the cat-and-mouse game, SANS describe ways of detecting suspicious sandbox-detection-and-evasion methods. So rather than looking for a file signature, the method looks for sandbox evasion behaviours. However, there are difficulties with false positives, and there are always measures which malware can take to counteract these detection methods. Malware detection always comes down to a cat-and-mouse game of detection methods and counter-measures.

Symantec recently launched their new flagship enterprise product – Advanced Threat Protection (ATP). Its leading new feature is Cynic – sandbox detection of malware. In order to get around the sandbox evasion methods touched on in this article, Symantec’s Cynic has a cloud-based sandbox where enterprises can replicate their local environment to trick malware that it is not executing in a virtual-machine environment. If malware simply delays execution of malicious actions in all environments, while detecting clock speed-ups, it will easily frustrate this cloud-based sandbox detection. This is just one more move in the cat-and-mouse game – in no time cloud-based sandboxing will be as ineffective as traditional signature-based file scanning.

In order to escape the cycle of cat-and-mouse manoeuvrings, Symantec need to be far more creative and incorporate more effective anti-malware methods that protect data in the presence of malware rather than rely on detection and eradication.

Leave a Reply

%d bloggers like this: