Talking about sandbox evasion

Over the past decade or so, sandbox-based malware analysis has been promoted as a silver bullet against advanced persistent threats (APTs). Sandboxing has become more and more popular because malware developers had long since found ways to defeat detection based on static analysis (encryption, obfuscation, anti-reverse-engineering protection and similar techniques) and so to evade traditional anti-virus tools. Dynamic analysis in a sandbox has therefore become something of a last line of defense against APTs, which makes the analysis and study of sandbox evasion techniques all the more important.

This series of articles describes the sandbox evasion techniques currently used by malware. It is divided into two parts and gives a detailed analysis of the three main categories of sandbox evasion technique in use today.

Sandbox technology

A sandbox is a virtual system environment, similar to a shadow system, but it operates at a deeper level than the host: at the virtual machine or kernel level. It intercepts the API calls and function-level behavior of the program under test, and once that behavior has been recorded it rolls back every change so that the system returns to a clean state. It can be used to analyze and test programs that are untrusted, destructive, or whose true intent cannot be determined, and nothing changed inside the sandbox has any effect on the host operating system. Users of this technology are generally information security professionals, above all in the anti-virus industry.

The working principle of a sandbox is simple. How do you decide whether a document is malicious? The sandbox observes the document's behavior in a controlled environment and then judges, from that observation, whether the behavior was malicious. The sandbox lets the malware carry out all of its malicious functions in the controlled environment and records them. After a period of observation the analysis terminates, and the sandbox compares the recorded behavior against typical malware behavior patterns to classify the sample. Because the sandbox no longer relies on signatures, it can detect even targeted or previously unseen malware.

Obviously, behavior-based malware detection only works if the observed file actually performs its malicious behavior while it is being analyzed. If the target does nothing malicious during the analysis window, the sandbox will consider the file benign. Malware developers therefore keep looking for more innovative ways to hide the real behavior of their software and avoid sandbox detection. Here we divide these methods into three categories:

1. Sandbox detection: detect the presence of a sandbox (and show only benign behavior while under analysis);

2. Exploiting sandbox weaknesses: abuse security flaws in the sandbox technology itself or in the target environment;

3. Context-aware malware: use time, events or the environment as triggers, so that no malicious behavior is exposed during sandbox analysis.

Sandbox detection

The first method is to tell a sandbox environment apart from a real target system by their subtle differences. If a sandbox is detected, the malware usually reacts in one of two ways: it terminates immediately, or it shows only benign behavior and performs no malicious operations at all. Here we give an example [click here for details]; this sample has the following two characteristics:

1. It runs a series of checks to determine whether the current environment is a virtual machine (VM);

2. It checks whether a sandbox application (for example, Sandboxie) is running in the current environment.

 

From the details provided by the VMRay Threat Identification (VTI) service, we can see that VMRay observed the sample attempting sandbox detection and flagged this behavior as “highly suspicious”.
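The two checks described above, a VM test and a test for an injected sandbox DLL, can be written as a short probe-and-classify routine. The following is an added example, not code from the original article or from VMRay: the probe functions gather observations from the host (the Windows-only probes return None elsewhere), and classify() is pure decision logic over those observations so it can be exercised with constructed input. The OUI list, the DLL list and the weighting are illustrative assumptions.

```python
"""Sandbox and VM detection checks like the two the sample above performs.

Added example, not code from the original article or from VMRay.  The probe
functions gather observations from the host (Windows-only probes return
None elsewhere); classify() is pure logic over those observations, so it can
be run against constructed input.  The OUI list, DLL list and weights are
illustrative assumptions.
"""
import os
import sys
import uuid

# Public IEEE OUI assignments (first three MAC bytes) of common hypervisor
# vendors.  Assumed, non-exhaustive list.
HYPERVISOR_OUIS = {
    (0x00, 0x05, 0x69), (0x00, 0x0C, 0x29), (0x00, 0x50, 0x56),  # VMware
    (0x08, 0x00, 0x27),                                          # VirtualBox
    (0x00, 0x15, 0x5D),                                          # Hyper-V
    (0x52, 0x54, 0x00),                                          # QEMU/KVM
}

# DLLs that a sandbox injects into monitored processes.  SbieDll.dll is
# Sandboxie's; cuckoomon.dll is the classic Cuckoo monitor (assumed list).
SANDBOX_DLLS = ["SbieDll.dll", "cuckoomon.dll"]


def mac_is_hypervisor(mac_int):
    """True if the OUI of a 48-bit MAC (given as an int) belongs to a hypervisor."""
    oui = ((mac_int >> 40) & 0xFF, (mac_int >> 32) & 0xFF, (mac_int >> 24) & 0xFF)
    return oui in HYPERVISOR_OUIS


def probe_loaded_sandbox_dlls():
    """Windows only: names from SANDBOX_DLLS already mapped into this process."""
    if sys.platform != "win32":
        return None
    import ctypes
    k32 = ctypes.windll.kernel32
    k32.GetModuleHandleW.argtypes = [ctypes.c_wchar_p]
    k32.GetModuleHandleW.restype = ctypes.c_void_p   # avoid 64-bit handle truncation
    return [d for d in SANDBOX_DLLS if k32.GetModuleHandleW(d)]


def probe_ram_gib():
    """Physical RAM in GiB, or None when it cannot be determined."""
    if sys.platform == "win32":
        import ctypes

        class MEMORYSTATUSEX(ctypes.Structure):
            _fields_ = [("dwLength", ctypes.c_ulong), ("dwMemoryLoad", ctypes.c_ulong)] + \
                       [(n, ctypes.c_ulonglong) for n in (
                           "ullTotalPhys", "ullAvailPhys", "ullTotalPageFile",
                           "ullAvailPageFile", "ullTotalVirtual", "ullAvailVirtual",
                           "ullAvailExtendedVirtual")]
        st = MEMORYSTATUSEX()
        st.dwLength = ctypes.sizeof(st)
        if ctypes.windll.kernel32.GlobalMemoryStatusEx(ctypes.byref(st)):
            return st.ullTotalPhys / 2 ** 30
        return None
    try:
        with open("/proc/meminfo") as f:                     # Linux
            for line in f:
                if line.startswith("MemTotal:"):
                    return int(line.split()[1]) / 2 ** 20    # kB -> GiB
    except (OSError, ValueError, IndexError):
        pass
    return None


def probe_environment():
    """Collect the raw observations that classify() consumes."""
    return {
        "mac": uuid.getnode(),
        "cpu_count": os.cpu_count() or 0,
        "ram_gib": probe_ram_gib(),
        "sandbox_dlls": probe_loaded_sandbox_dlls(),
    }


def classify(obs):
    """Return (verdict, reasons); verdict is 'sandbox' or 'bare-metal-like'.

    A hypervisor MAC or an injected sandbox DLL is a strong indicator.  Few
    cores or little RAM are weak indicators that real machines show too, so
    two of them are required before the environment is called a sandbox.
    """
    strong, weak = [], []
    if mac_is_hypervisor(obs["mac"]):
        strong.append("hypervisor MAC OUI")
    if obs["sandbox_dlls"]:
        strong.append("sandbox DLL loaded: " + ", ".join(obs["sandbox_dlls"]))
    if obs["cpu_count"] and obs["cpu_count"] < 2:
        weak.append("single CPU")
    if obs["ram_gib"] is not None and obs["ram_gib"] < 2:
        weak.append("less than 2 GiB RAM")
    verdict = "sandbox" if strong or len(weak) >= 2 else "bare-metal-like"
    return verdict, strong + weak


if __name__ == "__main__":
    print(classify(probe_environment()))
```

Every probe here is also what a sandbox vendor can spoof: a randomized MAC, a renamed monitor DLL and generous VM resources defeat these checks, which is why the behavior of running them at all is itself a useful detection signal, as the VTI verdict above shows.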

Exploiting sandbox weaknesses

The second approach attacks security flaws in the underlying sandbox technology, or in the target system environment, directly. For example, we have recently seen a lot of malware that makes use of Microsoft COM components internally, because most sandboxes cannot analyze such samples correctly. Another kind of malware obfuscates the file's format and type so that the sandbox cannot handle the file properly. An attacker could, for instance, craft a malicious file that exceeds the maximum file size the sandbox supports, so that the sandbox is unable to parse it at all.

Here is an example [click here]: the malware tries to avoid calling the monitored APIs in order to evade sandbox detection. This approach effectively evades sandbox analyzers that rely on drivers and function hooks. VMRay does not use function hooks, however, so this evasion attempt was itself detected and recorded:
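Before a sample can decide to avoid a hooked API it has to recognize the hook. The following is an added example, not code from the original article or from VMRay, of how a sample can inspect the first bytes of an exported function for the trampolines that user-mode hooking engines write there. The byte patterns are the common detour forms; MONITORED_APIS is an assumed list of functions a hook-based sandbox would typically instrument.

```python
"""Recognising inline API hooks, the user-mode instrumentation that a
hook-based sandbox relies on.

Added example, not code from the original article or from VMRay.  It assumes
the sample wants to know whether an API has been detoured before deciding to
call it; the byte patterns are the common trampolines written by user-mode
hooking engines, and MONITORED_APIS is an assumed list.
"""
import sys

MONITORED_APIS = [
    ("kernel32.dll", "CreateFileW"),
    ("kernel32.dll", "WriteFile"),
    ("ntdll.dll", "NtCreateFile"),
    ("ntdll.dll", "NtWriteVirtualMemory"),
]


def looks_hooked(prologue):
    """Return a description of the detour at the start of `prologue`
    (bytes), or None if it looks like an ordinary function prologue."""
    if len(prologue) < 5:
        return None
    b0 = prologue[0]
    if b0 == 0xE9:
        return "jmp rel32"                     # E9 xx xx xx xx
    if b0 == 0xE8:
        return "call rel32"                    # E8 xx xx xx xx (some engines)
    if b0 == 0xEB:
        return "jmp rel8"                      # EB xx, short hop to a trampoline
    if prologue[:2] == b"\xFF\x25":
        return "jmp indirect"                  # FF 25 disp32: jmp [rip+disp]/[abs]
    if b0 == 0x68 and len(prologue) >= 6 and prologue[5] == 0xC3:
        return "push imm32; ret"               # 68 xx xx xx xx C3 (32-bit)
    if prologue[:2] == b"\x48\xB8" and len(prologue) >= 12 and prologue[10:12] == b"\xFF\xE0":
        return "mov rax, imm64; jmp rax"       # 48 B8 <8 bytes> FF E0 (64-bit)
    return None


def read_prologue(module, func, n=16):
    """Windows only: first n bytes of an exported function in this process."""
    if sys.platform != "win32":
        return None
    import ctypes
    k32 = ctypes.windll.kernel32
    k32.GetModuleHandleW.argtypes = [ctypes.c_wchar_p]
    k32.GetModuleHandleW.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    k32.GetProcAddress.restype = ctypes.c_void_p
    h = k32.GetModuleHandleW(module)
    addr = k32.GetProcAddress(h, func.encode()) if h else None
    return ctypes.string_at(addr, n) if addr else None


def scan_hooks(apis=MONITORED_APIS):
    """Map 'module!func' -> detour kind for every API whose prologue has been
    patched.  Empty on non-Windows hosts or when nothing is hooked."""
    found = {}
    for module, func in apis:
        kind = looks_hooked(read_prologue(module, func) or b"")
        if kind:
            found[module + "!" + func] = kind
    return found


if __name__ == "__main__":
    print(scan_hooks() or "no inline hooks found in the monitored APIs")
```

Two caveats. Microsoft's hot-patch prologue (mov edi,edi; push ebp; mov ebp,esp) is not flagged, but legitimate anti-virus and application-compatibility shims also install jmp detours, so a hit is not proof of a sandbox. And a hook placed after the first instructions, in a kernel driver, or implemented by hypervisor-level introspection rather than code patching (the approach the text attributes to VMRay) is invisible to this check.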

 

Context-aware malware (Context-Aware)

The third type of method does not attempt to detect or attack the sandbox at all; it exploits a limitation inherent in any automated analysis system. Because most detection environments and sandboxes spend only a limited time analyzing each sample, malware can evade detection simply by delaying execution of its malicious payload until the analysis window has passed. Besides such time-based triggers, malware can also wait for events that typically do not occur in a sandbox, such as a system reboot or user interaction. Note also that some malware searches the target device for specific things, such as particular applications or localization settings; interested readers can refer to this article.
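The triggers described in this section (elapsed time, machine uptime, user presence) can be combined into one gate in front of the payload. The following is an added example, not code from the original article or from VMRay. It measures a sleep against two clock sources to notice a sandbox that shortens or skips delays, reads uptime, and on Windows samples the cursor position; the thresholds are illustrative assumptions, and the probes return None where they cannot be measured so that the decision logic can be tested with constructed values.

```python
"""Context-aware triggers: run the payload only when time has really passed,
the machine has been up for a while, and a user appears to be present.

Added example, not code from the original article or from VMRay.  The
thresholds are illustrative assumptions; probes return None where the value
cannot be measured on this platform.
"""
import sys
import time


def measure_sleep(seconds):
    """Sleep and return (requested, wall_elapsed, monotonic_elapsed)."""
    t0_wall, t0_mono = time.time(), time.monotonic()
    time.sleep(seconds)
    return seconds, time.time() - t0_wall, time.monotonic() - t0_mono


def sleep_was_accelerated(requested, wall_elapsed, mono_elapsed, tolerance=0.5):
    """A sandbox that makes Sleep() return early, or that jumps the clock
    forward to skip the delay, leaves the two clocks disagreeing with the
    request or with each other."""
    if mono_elapsed < requested * tolerance:
        return True                                  # the sleep was cut short
    if abs(wall_elapsed - mono_elapsed) > max(1.0, requested * tolerance):
        return True                                  # one clock was warped
    return False


def probe_uptime_seconds():
    """Seconds since boot (Windows: GetTickCount64; Linux: /proc/uptime)."""
    if sys.platform == "win32":
        import ctypes
        k32 = ctypes.windll.kernel32
        k32.GetTickCount64.restype = ctypes.c_ulonglong
        return k32.GetTickCount64() / 1000.0
    try:
        with open("/proc/uptime") as f:
            return float(f.read().split()[0])
    except (OSError, ValueError, IndexError):
        return None


def probe_mouse_moved(samples=3, interval=0.5):
    """Windows only: True if the cursor position changed between samples."""
    if sys.platform != "win32":
        return None
    import ctypes

    class POINT(ctypes.Structure):
        _fields_ = [("x", ctypes.c_long), ("y", ctypes.c_long)]

    u32 = ctypes.windll.user32
    seen = set()
    for _ in range(samples):
        p = POINT()
        u32.GetCursorPos(ctypes.byref(p))
        seen.add((p.x, p.y))
        time.sleep(interval)
    return len(seen) > 1


def should_run_payload(uptime_s, sleep_accelerated, mouse_moved, min_uptime_s=600):
    """Pure decision logic.  An unmeasurable probe (None) does not block;
    any positive sandbox indicator does."""
    if sleep_accelerated:
        return False
    if uptime_s is not None and uptime_s < min_uptime_s:
        return False                                 # freshly booted analysis VM
    if mouse_moved is False:
        return False                                 # nobody at the keyboard
    return True


if __name__ == "__main__":
    req, wall, mono = measure_sleep(0.2)
    decision = should_run_payload(
        probe_uptime_seconds(),
        sleep_was_accelerated(req, wall, mono),
        probe_mouse_moved(),
    )
    print("payload would run" if decision else "payload withheld")
```

The sleep check only works against a sandbox that patches one delay path; an analyzer that advances every clock source consistently, or that simply drives a synthetic mouse and lets the guest boot long before the sample runs, passes all three gates, which is why modern sandboxes do exactly that.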

In this sample's analysis results, we can see that, in addition to trying to detect a virtual machine environment, the sample also achieves persistence by installing scripts and applications: