If you are of a certain age, you might remember Mad Magazine’s satirical Spy vs. Spy comic strip, in which two agents – one dressed completely in white and the other in black – would try to outwit and annihilate each other on a weekly basis. Malware authors and malware researchers can no doubt relate, as they too are locked in a perpetual game of evasion and detection. In this post, condensed from a SANS webcast, VMRay Solutions Engineer Ben Abbott, Sr. Threat Researcher Tamas Boczan and Threat Researcher Pascal Brackmann detail some of the techniques malware authors employ to evade sandbox detection and show, through real-world examples, the steps defenders can take to mitigate these tactics.
Know Your Enemy
“The best way to monitor the behavior of a suspicious file without affecting a production system is to leverage a sandbox and then execute that file inside a controlled and monitored environment,” explains Ben as he kicks off the webinar. Experienced malware authors know this and continuously look for new ways to avoid detection, which is why security researchers must analyze and deconstruct each evasive technique they encounter.
Ben adds: “Over the years, the research team at VMRay has identified a collection of different sandbox evasion techniques used by malware which we can group into three broad categories: detecting the sandbox, defeating the sandbox, and context-aware evasion techniques.”
Sandboxes have become critically important tools that not only protect the network and its users from malicious software but also help us understand how threat actors are evolving their techniques. To be truly effective, though, a sandbox must be integrated with the rest of the security tooling in order to close the feedback loop and continuously improve how your organization responds to an evolving threat landscape.
Detecting the Sandbox
Malware authors understand that their payload is dead on arrival if it detonates in a sandbox. Thus, the first thing an effective sample does is look for the hallmark signals of a staged environment.
As Ben explains, “most malware strains nowadays will first check to see if it’s running in a virtualized environment since almost all sandboxes use a virtual machine. It’s also become common for it to check things like the registry or the MAC address to see if it’s running on bare metal or inside a VM – we’ve even seen certain strains check attributes like the fan speed or the temperature of the system to see if it gets any feedback because it obviously wouldn’t if it was on a virtualized environment.”
Sandbox vendors have improved their ability to mask the fact that the analysis runs inside a virtual machine. At the same time, more organizations are moving their live production environments onto virtualization, which cuts both ways for the attacker: “If you’re limiting to only run on bare-metal machines, you’re going to limit the malware from executing on what otherwise would be a valid victim’s machine,” says Ben.
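To make the registry and MAC address checks Ben describes concrete, here is an added example (not code from the webcast or from VMRay) that reduces them to their platform-neutral core. A real sample would feed it from GetAdaptersInfo() and from registry values such as HARDWARE\DESCRIPTION\System\SystemBiosVersion or the disk enumeration keys; here the adapter addresses and identifier strings are constructed so the logic runs offline. The OUI list and vendor markers are the well-known ones; the sample values are made up.

```c
/* Added example (not the webcast's or VMRay's code): the virtualization
 * artefact checks a sample performs on the MAC address and on hardware
 * identifier strings, with constructed inputs in place of live API/registry reads.
 * Build: cc -std=c99 -Wall vmcheck.c -o vmcheck */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Well-known OUI registrations (first three MAC bytes) of hypervisor vendors. */
static const struct { uint8_t oui[3]; const char *vendor; } kVmOuis[] = {
    {{0x00, 0x05, 0x69}, "VMware"},     {{0x00, 0x0C, 0x29}, "VMware"},
    {{0x00, 0x1C, 0x14}, "VMware"},     {{0x00, 0x50, 0x56}, "VMware"},
    {{0x08, 0x00, 0x27}, "VirtualBox"}, {{0x00, 0x15, 0x5D}, "Hyper-V"},
    {{0x00, 0x16, 0x3E}, "Xen"},        {{0x52, 0x54, 0x00}, "QEMU/KVM"},
};

/* Vendor strings that leak into BIOS, video BIOS and disk enumeration values. */
static const char *kVmMarkers[] = {
    "VMWARE", "VBOX", "VIRTUALBOX", "QEMU", "XEN", "HYPER-V", "VIRTUAL HD",
};

/* Returns the hypervisor vendor whose OUI matches, or NULL for an unknown OUI. */
const char *vm_vendor_from_mac(const uint8_t mac[6])
{
    for (size_t i = 0; i < sizeof kVmOuis / sizeof kVmOuis[0]; i++)
        if (memcmp(mac, kVmOuis[i].oui, 3) == 0)
            return kVmOuis[i].vendor;
    return NULL;
}

/* Case-insensitive substring search (strcasestr is not portable C). */
static int contains_nocase(const char *hay, const char *needle)
{
    size_t nlen = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < nlen && hay[i] &&
               toupper((unsigned char)hay[i]) == toupper((unsigned char)needle[i]))
            i++;
        if (i == nlen)
            return 1;
    }
    return 0;
}

/* Returns the first hypervisor marker found in a hardware identifier string, or NULL. */
const char *vm_marker_in_string(const char *id)
{
    for (size_t i = 0; i < sizeof kVmMarkers / sizeof kVmMarkers[0]; i++)
        if (contains_nocase(id, kVmMarkers[i]))
            return kVmMarkers[i];
    return NULL;
}

/* Verdict a sample acts on: any single artefact is enough to bail out. */
int looks_virtualized(const uint8_t mac[6], const char *const *ids, size_t n_ids)
{
    if (vm_vendor_from_mac(mac))
        return 1;
    for (size_t i = 0; i < n_ids; i++)
        if (vm_marker_in_string(ids[i]))
            return 1;
    return 0;
}

/* Constructed inputs: a VMware-style adapter next to an Intel one, and the kind
 * of strings the registry returns on a VM versus on a physical laptop. */
static const uint8_t kVmwareMac[6] = {0x00, 0x0C, 0x29, 0x3A, 0x1F, 0x42};
static const uint8_t kIntelMac[6]  = {0x3C, 0x97, 0x0E, 0x51, 0xA2, 0x7B};
static const char *const kVmIds[]   = {"INTEL  - 6040000", "PhoenixBIOS 4.0 Release 6.0",
                                       "VMware Virtual IDE Hard Drive"};
static const char *const kRealIds[] = {"LENOVO - 1370", "N1CET81W (1.49 )",
                                       "SAMSUNG MZVLB512HAJQ-000L7"};

int main(void)
{
    printf("VMware MAC   -> %s\n", vm_vendor_from_mac(kVmwareMac));
    printf("VM strings   -> %s\n", looks_virtualized(kVmwareMac, kVmIds, 3) ? "virtualized" : "bare metal");
    printf("Real strings -> %s\n", looks_virtualized(kIntelMac, kRealIds, 3) ? "virtualized" : "bare metal");
    return 0;
}
```

The defender's side of this is the mirror image: the analysis VM should present a MAC address outside these OUI ranges and scrub the vendor strings from the registry values a sample reads, and the whole check should be recorded as a behavior in its own right, because a sample that walks these keys and then exits without doing anything else is already telling you something. Substring markers like "XEN" will occasionally match legitimate hardware strings, which is one reason malware authors usually require several artefacts before giving up on a host.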
Another trick is to check whether the environment is realistic at all. Some strains look for specific products such as Sandboxie, the recently open-sourced application sandboxing program for Windows, or the Wine compatibility layer. Malware authors also perform a variety of plausibility checks, looking at whether USB drives or printers are connected or whether a mail client is installed.
VMRay’s Sr. Threat Researcher Tamas Boczan and Threat Researcher Pascal Brackmann walk us through real-world examples of malware sandbox detection with analyses of Formbook and GuLoader.
Defeating the Sandbox
The next category of sandbox evasion techniques is defeating the sandbox. These evasions exploit inherent weaknesses in the monitoring technology used by many sandboxes, or in their underlying ecosystem.
One of the ways malware defeats the sandbox is through a technique known as hook evasion or hook circumvention. As Ben explains, “hooking evasion is used by malware authors to detect or remove hooks, or to evade the hooks with unaligned API calls.” A well-known example of hooking evasion that Ben points to is the open-source sandbox evasion tool anticuckoo.exe, which detects the hooks placed by Cuckoo Sandbox, a popular open-source sandbox, and by many of its commercially available derivatives. Malware can use the same techniques implemented in Anticuckoo to find the hooks. Once it has found them, the malware has two options: fall back to the previous evasion category and simply shut down because it has detected a sandbox, or, now that it knows which functions are hooked, take the stealthier approach of removing the hooks and continuing execution unmonitored.
Malware can also simply delay its execution, since a sandbox typically runs a sample for only a short, fixed period of time. Beyond delaying, malware can exploit weaknesses of the sandbox ecosystem itself: it might exhaust hard disk, RAM or CPU resources, or resort to API hammering, flooding the monitor with a huge volume of harmless API calls.
Tamas then runs through another real-world example of how Formbook tries to defeat the sandbox, using a common hook circumvention technique that Formbook’s own advertisement calls the “Lagos Island method”. The technique manually maps a copy of NTDLL and calls into that copy, which evades API-hook-based monitoring without having to look for hooked functions at all. Pascal then shows how packers such as GuLoader first try to detect sandboxes and then defeat them with some novel techniques, including one that Pascal says “can be best described as ‘instruction hammering’”.
Context-Aware Techniques
The final section of the webinar is devoted to context-aware techniques. As Ben explains, “with context awareness, the malware author is not actually trying to detect or defeat the sandbox itself but rather ensuring that the malware is only going to run under specific circumstances or in a certain context.”
One way this check is performed is by requiring user interaction: “Probably the most common way we see this outside of malware is via a CAPTCHA check. But this is where malware can use features like this against us… there’s a lot of different ways that malware can perform these types of checks before executing and we’ve even seen cases where malware is looking for jittery mouse movements that would resemble how a human would do it versus how a machine would do it.”
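The mouse check Ben mentions reduces to a scoring problem over a sequence of cursor positions. The following is an added example, not code from the webcast or from any sample: on Windows the positions would come from polling GetCursorPos() over a few seconds, and here two traces are constructed instead, one from a scripted straight-line move and one hand-drawn. The scoring rule and its thresholds are hypothetical, chosen only to show which properties of the trace a sample can look at.

```c
/* Added example (not the webcast's or any sample's code): an illustrative version
 * of the "jittery mouse movement" check, scoring constructed cursor traces.
 * Thresholds are hypothetical. Build: cc -std=c99 -Wall jitter.c -o jitter */
#include <stddef.h>
#include <stdio.h>

typedef struct { int x, y; } point_t;

typedef struct {
    double turn_ratio;  /* share of consecutive steps whose direction changes */
    double step_spread; /* (max - min) / max of squared step lengths; 0 = constant speed */
} jitter_t;

/* Score a trace of cursor positions sampled at a fixed interval. */
jitter_t mouse_jitter(const point_t *pts, size_t n)
{
    jitter_t j = {0.0, 0.0};
    if (n < 3)               /* too few samples to say anything about turns */
        return j;
    long min_len2 = -1, max_len2 = 0;
    size_t turns = 0;
    int pdx = 0, pdy = 0;
    for (size_t i = 1; i < n; i++) {
        int dx = pts[i].x - pts[i - 1].x, dy = pts[i].y - pts[i - 1].y;
        long len2 = (long)dx * dx + (long)dy * dy;
        if (min_len2 < 0 || len2 < min_len2) min_len2 = len2;
        if (len2 > max_len2) max_len2 = len2;
        /* The 2-D cross product is zero only when consecutive steps are collinear. */
        if (i > 1 && (long)pdx * dy - (long)pdy * dx != 0)
            turns++;
        pdx = dx; pdy = dy;
    }
    j.turn_ratio = (double)turns / (double)(n - 2);
    j.step_spread = max_len2 ? (double)(max_len2 - min_len2) / (double)max_len2 : 0.0;
    return j;
}

/* Hypothetical decision rule: a scripted move_to(x, y) yields collinear, evenly
 * spaced samples; a hand on a mouse changes direction and speed constantly. */
int looks_human(const point_t *pts, size_t n)
{
    jitter_t j = mouse_jitter(pts, n);
    return j.turn_ratio >= 0.3 && j.step_spread >= 0.2;
}

/* Constructed traces: a straight, constant-speed automation sweep and a hand-drawn path. */
static const point_t kScriptedTrace[] = {
    {0, 0}, {10, 0}, {20, 0}, {30, 0}, {40, 0}, {50, 0} };
static const point_t kHumanTrace[] = {
    {100, 100}, {103, 101}, {107, 104}, {108, 108},
    {112, 109}, {113, 113}, {111, 116}, {115, 118} };
#define COUNT(a) (sizeof (a) / sizeof (a)[0])

int main(void)
{
    jitter_t s = mouse_jitter(kScriptedTrace, COUNT(kScriptedTrace));
    jitter_t h = mouse_jitter(kHumanTrace, COUNT(kHumanTrace));
    printf("scripted: turns %.2f spread %.2f -> %s\n", s.turn_ratio, s.step_spread,
           looks_human(kScriptedTrace, COUNT(kScriptedTrace)) ? "human" : "machine");
    printf("human:    turns %.2f spread %.2f -> %s\n", h.turn_ratio, h.step_spread,
           looks_human(kHumanTrace, COUNT(kHumanTrace)) ? "human" : "machine");
    return 0;
}
```

For the defender the lesson is in the two features the score uses: a sandbox's user simulation that teleports the cursor or slides it along straight lines at constant speed fails both, so the simulated activity needs irregular paths and varying speed, and the absence of any movement at all over the analysis window should be treated as the tell it is.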
Ben points to other context-aware techniques that query the environment, for instance checking localization settings such as the time zone or the system language. Here Ben emphasizes the importance of making the sandbox as realistic as possible relative to the environment you are actually protecting. Tamas then walks us through another real-world example of these context-aware capabilities, the Ursnif Dreambot panel, and shows how it uses context to determine whether or not the malware is running in a sandbox.
To learn more about these evasion techniques view the full webcast: “Defense Against the Dark Arts: Dissecting Sandbox Evasion Techniques”
Additional Resources
Formbook Analysis – SANS Webcast Recap: Infection to Remediation – Exploring the InfoStealer Kill Chain
Threat Bulletin: Dissecting GuLoader’s Evasion Techniques
Whitepaper: Defeating Evasive Malware