2. Who am I?
● Security Enthusiast
● Gamer
● Twitter: @King__2034
3. Sandboxing
● Sandboxing is a method used for malware detection and is
built into most modern security products.
● In this method we run the malware in an isolated
environment and analyze its behaviour.
4. Cuckoo Sandbox
● Cuckoo Sandbox is an open source automated malware
analysis system and is capable of analyzing any malicious file
under Windows, macOS, Linux, and Android systems.
5. YARA Rules
● YARA rules are mostly used for malware research and
detection.
● They are a way of identifying malware by writing rules that
match certain strings or characteristics in a file.
● YARA was originally developed by Victor Alvarez of
VirusTotal.
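To show what "strings plus a condition" means in practice, here is a small matcher that mimics the core of a YARA rule (text strings, a hex pattern with `??` wildcards, and an "N of them" condition) and runs it over two constructed byte buffers. This is an added example, not code from the slides or from the YARA project; the rule, the `Rule`/`scan` names and the sample buffers are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass


def hex_pattern(spec: str) -> "re.Pattern":
    """Compile a YARA-style hex string such as "4D 5A ?? 00" into a bytes
    regex: "??" matches any single byte, every other token is a literal."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in spec.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def text_pattern(spec: str, nocase: bool = False) -> "re.Pattern":
    """Compile a YARA-style text string, optionally case-insensitive."""
    return re.compile(re.escape(spec.encode()), re.IGNORECASE if nocase else 0)


@dataclass
class Rule:
    name: str
    strings: dict       # identifier -> compiled pattern
    required: int       # "N of them": how many identifiers must match


def scan(rule: Rule, data: bytes) -> dict:
    """Run one rule over a byte buffer. Returns the offsets of every string
    that matched and whether the "N of them" condition is satisfied."""
    hits = {}
    for ident, pat in rule.strings.items():
        offsets = [m.start() for m in pat.finditer(data)]
        if offsets:
            hits[ident] = offsets
    return {"rule": rule.name, "matched": len(hits) >= rule.required, "strings": hits}


# Constructed rule, roughly equivalent to this YARA source (illustration only):
#   rule demo_pe_sandbox_string {
#       strings:
#           $mz  = { 4D 5A ?? 00 }
#           $dos = "DOS mode"
#           $sbx = "sandbox" nocase
#       condition:
#           all of them
#   }
DEMO_RULE = Rule(
    name="demo_pe_sandbox_string",
    strings={
        "mz": hex_pattern("4D 5A ?? 00"),
        "dos": text_pattern("DOS mode"),
        "sbx": text_pattern("sandbox", nocase=True),
    },
    required=3,
)

# Constructed sample buffers standing in for files on disk (not real malware).
SUSPICIOUS_SAMPLE = (
    b"MZ\x90\x00" + b"\x03\x00\x00\x00"
    + b"This program cannot be run in DOS mode."
    + b"\x00" * 8
    + b"Checking for SANDBOX artifacts"
)
BENIGN_SAMPLE = (
    b"MZ\x90\x00" + b"\x03\x00\x00\x00"
    + b"This program cannot be run in DOS mode."
    + b"\x00" * 8
    + b"Hello from a plain console program"
)


def check_samples() -> dict:
    """Scan both constructed samples with the demo rule."""
    return {
        "suspicious": scan(DEMO_RULE, SUSPICIOUS_SAMPLE),
        "benign": scan(DEMO_RULE, BENIGN_SAMPLE),
    }


if __name__ == "__main__":
    for label, result in check_samples().items():
        print(label, "->", "MATCH" if result["matched"] else "no match", result["strings"])
```

The benign buffer matches two of the three strings and therefore fails the `all of them` condition; that is the point of conditions in YARA, since a single common string (an MZ header, the DOS stub text) is never enough on its own.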
8. Sandbox Evading Malware
● Sandbox-evading malware is a recent and dangerous
addition to the malware family.
● This type of malware is capable of evading the sandboxing
method by identifying the environment it is running
in.
● These infections don't execute their malicious code
until they're outside of the sandbox environment.
9. Sandbox Evasion Techniques
● To avoid detection, malware uses special sandbox evasion
techniques that are mainly based on either detecting user
or system interactions or obtaining environmental
awareness.
11. Sandbox Evasion Techniques
Detecting User Interactions
● Users interact with computer systems in different ways,
but there are no human-like interactions in the sandbox
environment. Thus, attackers can program malware to wait
for a specific user action and exhibit malicious behaviour
only afterward.
12. Sandbox Evasion Techniques
Detecting system characteristics
● Sandbox-evading malware can be programmed to find
some features of a real system that aren’t available in a
sandbox or virtual environment.
14. Sandbox Evasion Techniques
Environmental awareness
● Cybercriminals who develop environment-aware
malware usually know how sandboxing works. Thus,
they can easily program their malware to detect whether
it is running in a bare-metal environment.
16. Sandbox Evasion Techniques
Timing-based techniques
● In some cases, malware evades the sandbox using
timing-based techniques. Sandboxes usually analyze a
sample only for a limited period of time, and
timing-based techniques abuse that limit.
18. Sandbox Evasion Techniques
● Extended sleep: when malware calls a long sleep before
doing anything malicious, the analysis window can
expire before the payload executes.
● Logic bomb: in some cases, malware is programmed to
execute only on a particular date and at a particular
time.
● Stalling code: malware can contain code that burns
useless CPU cycles to delay the actual payload until
the sandbox has finished its analysis.
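All three timing tricks leave traces in the API call log a sandbox records, so a defender can score a report for them after the run. The script below does that over a constructed, simplified call trace (the `api`/`arguments` record shape is an assumption loosely modelled on Cuckoo-style behaviour reports, not Cuckoo's real schema), flagging a large total sleep, a tight clock-polling loop, and a date check immediately followed by process exit. It is an added example, not code from the slides or from the Cuckoo project; the thresholds are assumptions to tune per environment.

```python
# Assumed thresholds; tune them to the analysis timeout your sandbox uses.
EXTENDED_SLEEP_MS = 5 * 60 * 1000   # 5 minutes of requested sleep in total
POLL_THRESHOLD = 50                 # this many clock reads looks like a stalling loop
EXIT_WINDOW = 3                     # ExitProcess within N calls of a date check

SLEEP_APIS = {"Sleep", "SleepEx"}
CLOCK_APIS = {"GetTickCount", "GetTickCount64", "QueryPerformanceCounter"}
DATE_APIS = {"GetSystemTime", "GetLocalTime", "GetSystemTimeAsFileTime"}


def timing_indicators(calls):
    """Score one process's API call trace for timing-based evasion.

    calls: list of {"api": str, "arguments": dict} records in execution order
    (constructed shape, an assumption). Returns totals plus a list of findings.
    """
    total_sleep_ms = 0
    clock_polls = 0
    last_date_check = None

    for index, call in enumerate(calls):
        api = call["api"]
        args = call.get("arguments", {})
        if api in SLEEP_APIS:
            total_sleep_ms += int(args.get("milliseconds", 0))
        elif api == "NtDelayExecution":
            # DelayInterval is in 100 ns units; a negative value means "relative".
            total_sleep_ms += abs(int(args.get("delay_100ns", 0))) // 10_000
        elif api in CLOCK_APIS:
            clock_polls += 1
        elif api in DATE_APIS:
            last_date_check = index

    findings = []
    if total_sleep_ms >= EXTENDED_SLEEP_MS:
        findings.append("extended_sleep")
    if clock_polls >= POLL_THRESHOLD:
        findings.append("stalling_loop")
    if (last_date_check is not None and calls and calls[-1]["api"] == "ExitProcess"
            and len(calls) - 1 - last_date_check <= EXIT_WINDOW):
        findings.append("possible_logic_bomb")

    return {"total_sleep_ms": total_sleep_ms, "clock_polls": clock_polls,
            "findings": findings}


# Constructed traces: what a report might contain after a two-minute run.
EVASIVE_TRACE = (
    [{"api": "NtDelayExecution", "arguments": {"delay_100ns": -1_200_000_000}}]  # 120 s
    + [{"api": "Sleep", "arguments": {"milliseconds": 180_000}}]               # 180 s
    + [{"api": "GetTickCount"} for _ in range(60)]                              # busy-wait polling
    + [{"api": "GetLocalTime"}, {"api": "ExitProcess"}]                         # date check, then quit
)

BENIGN_TRACE = [
    {"api": "GetSystemTimeAsFileTime"},
    {"api": "CreateFileW", "arguments": {"filename": "C:\\temp\\out.txt"}},
    {"api": "WriteFile"},
    {"api": "Sleep", "arguments": {"milliseconds": 100}},
    {"api": "GetTickCount"},
    {"api": "GetTickCount"},
    {"api": "CloseHandle"},
    {"api": "ExitProcess"},
]


if __name__ == "__main__":
    for label, trace in (("evasive", EVASIVE_TRACE), ("benign", BENIGN_TRACE)):
        print(label, timing_indicators(trace))
```

A date check followed by a quick exit is only a weak signal on its own (plenty of installers read the clock and bail out for unrelated reasons), which is why it is reported as "possible" and should be combined with the other two indicators or with a second run using a shifted system clock.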
19. Sandbox Evasion Techniques
Obfuscating internal data
● There are some sandbox evasion techniques that allow
malware to change or encrypt its code and
communications so that the sandbox can't analyze them.
21. Sandbox Evasion Techniques
● Fast flux: this technique is based on rapidly changing DNS
names and IP addresses and is widely used by botnets
that want to hide phishing and malware delivery
addresses. It allows malware to bypass the blacklists of
malicious websites that security solutions maintain.
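Because fast flux works by rotating addresses faster than blacklists update, the defensive counterpart is to look at a name's resolution history rather than any single address. The function below scores passive-DNS observations for the classic fast-flux profile (many distinct IPs, short TTLs, hosting spread across unrelated networks) and includes a CDN-like case to show why IP count and TTL alone over-fire. This is an added example, not code from the slides; the `(domain, ip, ttl)` record format, the thresholds, the `/16` prefix used as a crude stand-in for network diversity, and all names and addresses are constructed assumptions (addresses come from documentation and reserved ranges only).

```python
from collections import defaultdict

# Assumed thresholds for first-pass triage; tune them against your own traffic.
MIN_UNIQUE_IPS = 5      # distinct A records seen for one name
MAX_TTL_SECONDS = 300   # fast-flux names keep TTLs short so rotation takes effect quickly
MIN_NETWORKS = 3        # distinct /16 prefixes, a crude stand-in for ASN diversity


def fast_flux_candidates(observations):
    """observations: iterable of (domain, ip, ttl) tuples from a passive-DNS
    sensor (constructed format, an assumption). Returns the names whose
    resolution history looks like fast flux, with the evidence for each."""
    per_name = defaultdict(lambda: {"ips": set(), "nets": set(), "min_ttl": None})
    for domain, ip, ttl in observations:
        entry = per_name[domain]
        entry["ips"].add(ip)
        entry["nets"].add(".".join(ip.split(".")[:2]))   # first two octets = /16
        entry["min_ttl"] = ttl if entry["min_ttl"] is None else min(entry["min_ttl"], ttl)

    flagged = {}
    for domain, entry in per_name.items():
        if (len(entry["ips"]) >= MIN_UNIQUE_IPS
                and entry["min_ttl"] <= MAX_TTL_SECONDS
                and len(entry["nets"]) >= MIN_NETWORKS):
            flagged[domain] = {
                "unique_ips": len(entry["ips"]),
                "networks": len(entry["nets"]),
                "min_ttl": entry["min_ttl"],
            }
    return flagged


# Constructed observations; none of these names or addresses are real indicators.
SAMPLE_OBSERVATIONS = [
    # a legitimate CDN: many addresses and a short TTL, but all in one network
    *[("static.example-cdn.test", f"203.0.113.{n}", 60) for n in range(10, 16)],
    # a stable corporate host
    ("www.example.test", "192.0.2.10", 3600),
    ("www.example.test", "192.0.2.10", 3600),
    # a name rotating through unrelated networks with a short TTL
    ("panel.flux.test", "198.51.100.10", 120),
    ("panel.flux.test", "192.0.2.77", 120),
    ("panel.flux.test", "203.0.113.200", 90),
    ("panel.flux.test", "198.18.0.40", 120),
    ("panel.flux.test", "100.64.0.50", 120),
]


if __name__ == "__main__":
    for name, evidence in fast_flux_candidates(SAMPLE_OBSERVATIONS).items():
        print(name, evidence)
```

In a real deployment the network-diversity check should use ASN or BGP prefix data rather than the first two octets; the structure of the decision stays the same.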
22. Sandbox Evasion Techniques
● Data encryption: some malware, like the Dridex trojan,
also encrypts its API calls so that traditional malware
sandboxes can't read them. The Andromeda botnet
used several keys to encrypt its communication with
its server.