The Flu Bug Isn’t the Only Thing Morphing. Check Out the Latest Sandbox Evasion Techniques…
Each year the Centers for Disease Control (CDC) observes the global trajectory of flu viruses, predicts which strains are likely to be most dangerous in the coming year, and prepares a vaccine to help millions of people mitigate illness risks. It’s not unlike what IT security researchers do in their efforts to understand malware and create security defenses.
According to the CDC, the influenza virus has mutated in unexpected ways and, as a result, this season’s vaccine only provides partial protection. Well, I hate to be the bearer of alarming news, but a similar phenomenon is occurring with malware. Sandboxing technologies that were once effective at identifying threats are now well known by cybercriminals. These cybercriminals are discovering ways to avoid containment and detection within sandboxes using sophisticated evasion techniques.
Containing Malware: Isolation Is the Best Medicine
Sandboxes are a lot like the Petri dishes medical researchers use in that they observe behavior of viruses and other potentially harmful creations in safe, controlled environments. Their ability to identify new or previously unknown malicious code has made them popular in today’s security architectures.
Looking at Sandbox Evasion Techniques under a Microscope
Any time security researchers gain the upper hand with attack defenses, cybercriminals focus on finding a work-around. It’s an ongoing battle as both sides use any means necessary, including using each other’s tools and tactics to gain the advantage. Here’s a quick look at a few techniques used by attackers to evade sandbox detection, or at least attempt to:
Delayed Onset. In this example the malware simply waits, anywhere from minutes to days, before doing anything malicious. A sandbox observes a sample for a limited window, usually a few minutes, so a sample that stays idle for longer than that looks benign and passes inspection. This still fools some sandboxes, but there are counters: the sandbox can hook or patch the sleep and timer APIs so that the lethargic code is forced into instantaneous execution and detection. The caveat is that malware can check whether its sleep really happened, for instance by comparing the tick count before and after a requested delay, so a sandbox that fast-forwards has to keep its clocks consistent while doing so.
Diagnosing the Sandbox. Another clever tactic is to scan for virtual machine registry keys, running processes or services belonging to guest tools, an unusually small disk, a system that booted only seconds ago, the state of remote communications, or other characteristics that give away an analysis environment. Sandboxing products can hide or fake these artifacts to fool the malware, but each such fix is a short-term workaround in an ongoing arms race. This is why behavioral observation has to be paired with static code analysis, which examines what the code can do regardless of whether the sample chooses to run.
Checking for a Human Pulse. Unfortunately, users are still the weakest link in the security chain, and cybercriminals now use the user's presence, or absence, as a signal too. Before executing, the malware monitors the system for evidence of human interaction: page scrolling, mouse movement, mouse clicks and similar random activity that an automated virtual environment finds hard to replicate convincingly. If the malware sees no such activity, or activity that looks scripted, it concludes it is being analyzed and exits or stays dormant to avoid detection.
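To make the three checks concrete, here is an added example (not code from the original post or from any vendor) of the decision logic a sample runs before detonating, evaluated over a constructed host snapshot. The watch-lists, thresholds and snapshot dicts are illustrative assumptions; real fingerprinting code reads these values from the registry, the process list, GetTickCount and the input queue.

```python
"""Sandbox-fingerprinting and sleep-skip checks of the kind the three
techniques above describe, written from the malware's point of view.
Added example, not from the original post or any vendor: the host
"snapshot" is a constructed dict so the logic runs offline."""

# Constructed watch-lists; real fingerprinting code carries far more entries.
VM_REGISTRY_KEYS = {
    r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools",
    r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions",
}
VM_PROCESSES = {"vmtoolsd.exe", "vboxservice.exe", "vboxtray.exe"}
MIN_DISK_GB = 60        # analysis VMs are often provisioned with tiny disks
MIN_UPTIME_S = 600      # a restored snapshot has been "up" only seconds
MIN_MOUSE_EVENTS = 20   # the human pulse: did anyone actually move the mouse?


def sandbox_indicators(snapshot):
    """Return the list of reasons this host looks like an analysis
    environment (an empty list means nothing suspicious was found)."""
    reasons = []
    if VM_REGISTRY_KEYS & set(snapshot["registry_keys"]):
        reasons.append("vm-registry-key")
    if VM_PROCESSES & {p.lower() for p in snapshot["processes"]}:
        reasons.append("vm-process")
    if snapshot["disk_gb"] < MIN_DISK_GB:
        reasons.append("small-disk")
    if snapshot["uptime_s"] < MIN_UPTIME_S:
        reasons.append("fresh-boot")
    if snapshot["mouse_events"] < MIN_MOUSE_EVENTS:
        reasons.append("no-human-input")
    return reasons


def sleep_was_skipped(ticks_before_ms, ticks_after_ms, requested_ms, tolerance=0.5):
    """Delayed-onset counter-check: the sample asks to sleep `requested_ms`
    and compares the tick counter before and after.  A sandbox that patches
    Sleep() to return at once without also advancing the clock reports far
    less elapsed time than was requested."""
    elapsed = ticks_after_ms - ticks_before_ms
    return elapsed < requested_ms * tolerance


def should_detonate(snapshot, ticks_before_ms, ticks_after_ms, requested_ms):
    """The decision the malware makes: run the payload only when the sleep
    really happened and no sandbox indicator was found."""
    if sleep_was_skipped(ticks_before_ms, ticks_after_ms, requested_ms):
        return False
    return not sandbox_indicators(snapshot)


# Constructed snapshots: a typical analysis VM and an ordinary user PC.
SANDBOX_HOST = {
    "registry_keys": [r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"],
    "processes": ["explorer.exe", "VBoxService.exe"],
    "disk_gb": 20,
    "uptime_s": 45,
    "mouse_events": 0,
}
USER_HOST = {
    "registry_keys": [r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"],
    "processes": ["explorer.exe", "outlook.exe", "chrome.exe"],
    "disk_gb": 500,
    "uptime_s": 86_400,
    "mouse_events": 340,
}

if __name__ == "__main__":
    print("sandbox host indicators:", sandbox_indicators(SANDBOX_HOST))
    # A sandbox fast-forwarded a 60 s sleep but only 10 ms of ticks passed.
    print("sleep skipped:", sleep_was_skipped(1_000, 1_010, 60_000))
    print("detonate on user host:", should_detonate(USER_HOST, 1_000, 61_000, 60_000))
```

Read from the defender's side, every line of this is a property the sandbox must make look real: guest-tool processes and keys hidden, realistic disk size and uptime, mouse activity that is actually injected, and a tick counter that advances in step with any sleep the sandbox short-circuits.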
The Best Course of Treatment: Behavioral Monitoring + In-depth Static Code Analysis
Observing suspicious behavior while containing potential malware within a sandbox is a valuable technique. However, it is not enough to accurately diagnose malware when the malware itself alters its behavior at run time to avoid detection. Just as in medicine, one must understand the patient's history, not only today's symptoms. Security vendors draw on years of accumulated knowledge to classify and track malware families, and that experience is crucial in the detection process. Further, additional context such as known malicious websites, email addresses and IP addresses feeds into detection as well, which is where a solid and comprehensive reputation database comes in handy.
Should suspect malware pass dynamic sandboxing, full static code analysis goes a step deeper. It unpacks the code, disassembles the actual file and parses it to analyze every execution path, including the paths the sandbox never saw because the malware decided not to run them. Of course, today's hackers not only pack and compress their code, but go one step further and encrypt embedded text strings, including URLs. This is where the power of full static code analysis shines: it can discover the camouflaged malicious websites and IP addresses. Once unpacked and decrypted, it is possible to perform code and function comparisons to identify a potential relationship with a known malware family.
The key to an effective static code analysis module is to quickly identify what code to analyze. Remember, hackers often modify previous code variants, even slightly, with the goal of masking their attack to evade detection, so the comparison must tolerate those small edits and still recognize the variant as a member of its family.
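An added example (not the post's or any vendor's code) of two of the static-analysis steps just described: brute-forcing single-byte-XOR string obfuscation to surface hidden URLs and IP addresses, and comparing functions by opcode n-grams so that a lightly modified variant still matches its family. The config blob, the XOR key, the mnemonic lists and the normalisation table are constructed assumptions; a real pipeline gets its bytes from an unpacker and its mnemonics from a disassembler, and real string encryption is usually stronger than one XOR byte.

```python
"""Static-analysis helpers: recover XOR-obfuscated indicators, then score
function similarity by opcode n-grams.  Added example, not from the
original post or any vendor; all sample data below is constructed."""
import re

# A literal "http://" or a dotted quad survives only under the right key,
# which is what lets brute force tell a true decoding from noise.
INDICATOR_RE = re.compile(
    rb"https?://[A-Za-z0-9.-]+(?:/[\w./-]*)?"      # URL
    rb"|\b\d{1,3}(?:\.\d{1,3}){3}(?::\d{1,5})?"     # IPv4[:port]
)


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def printable_ratio(data):
    return sum(32 <= b < 127 for b in data) / max(len(data), 1)


def recover_indicators(blob, min_printable=0.9):
    """Try every single-byte XOR key; return {key: {indicator, ...}} for the
    keys whose decoding is mostly printable and contains indicators."""
    hits = {}
    for key in range(1, 256):
        plain = xor_bytes(blob, key)
        if printable_ratio(plain) < min_printable:
            continue
        found = {m.group(0).decode("ascii") for m in INDICATOR_RE.finditer(plain)}
        if found:
            hits[key] = found
    return hits


# Normalisation makes the comparison blind to the cheap edits variant authors
# make: junk NOPs, swapping xor/sub for register zeroing, jz versus je.
JCC = {"jz", "je", "jnz", "jne", "ja", "jb", "jg", "jl", "jae", "jbe"}
ALU = {"xor", "sub", "add", "and", "or"}


def normalise(mnemonics):
    out = []
    for m in mnemonics:
        if m == "nop":
            continue
        out.append("jcc" if m in JCC else "alu" if m in ALU else m)
    return out


def opcode_ngrams(mnemonics, n=3):
    return {tuple(mnemonics[i:i + n]) for i in range(len(mnemonics) - n + 1)}


def function_similarity(a, b, n=3):
    """Jaccard similarity of the two functions' opcode n-gram sets (0..1)."""
    ga, gb = opcode_ngrams(a, n), opcode_ngrams(b, n)
    return len(ga & gb) / len(ga | gb) if ga or gb else 0.0


# Constructed: a config string XOR'd with 0x5A, as a packer might store it.
CONFIG_PLAINTEXT = (b"c2=http://update.example-cdn.test/gate.php;"
                    b"fallback=203.0.113.7:8080;id=7f3a")
OBFUSCATED_CONFIG = xor_bytes(CONFIG_PLAINTEXT, 0x5A)

# Constructed mnemonic sequences: one function from a known family, a variant
# with an inserted NOP, je for jz, sub for xor and one genuinely new inc, and
# an unrelated function.
KNOWN_FAMILY_FN = ["push", "mov", "sub", "call", "test", "jz", "mov", "call",
                   "xor", "loop", "mov", "call", "cmp", "jne", "leave", "ret"]
VARIANT_FN = ["push", "mov", "sub", "nop", "call", "test", "je", "mov", "call",
              "sub", "inc", "loop", "mov", "call", "cmp", "jne", "leave", "ret"]
UNRELATED_FN = ["push", "mov", "lea", "call", "mov", "shl", "or", "mov", "pop", "ret"]

if __name__ == "__main__":
    for key, found in recover_indicators(OBFUSCATED_CONFIG).items():
        print(f"key 0x{key:02x}: {sorted(found)}")
    print("raw similarity:", round(function_similarity(KNOWN_FAMILY_FN, VARIANT_FN), 2))
    print("normalised:", round(function_similarity(normalise(KNOWN_FAMILY_FN),
                                                   normalise(VARIANT_FN)), 2))
    print("unrelated:", function_similarity(normalise(KNOWN_FAMILY_FN),
                                            normalise(UNRELATED_FN)))
```

The point of the second half is the gap between the raw and normalised scores: the same four cosmetic edits drop raw trigram similarity to about 0.25, while after normalisation the variant still scores about 0.7 against its family and 0.0 against the unrelated function.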
Prevention Is the Best Cure
As you can see, cybercriminals are getting increasingly sophisticated in their efforts to outsmart security defenses such as sandboxing. But, rest assured, the ongoing detection/evasion battle continues, with many security technologies getting smarter by the moment and increasingly difficult to evade. My advice for concerned organizations? While behavior-based monitoring is a good start, ensure that your solution of choice is capable of more than simple observation. Solutions must combine behavioral observation with advanced static code analysis to accurately detect new malware threats and evolving sandbox evasion techniques. Make sure your sandboxing technologies include these capabilities.
Best wishes for a healthy, outbreak free 2015.