Vol. 1 No. 1 (2015): Proceedings of Botconf 2015
Conference short papers

Malware Analysis Sandbox Testing Methodology

Zoltan Balazs
MRG Effitas

Published 2016-01-19

How to Cite

Balazs, Z. (2016). Malware Analysis Sandbox Testing Methodology. The Journal on Cybercrime and Digital Investigations, 1(1), 49-53. https://doi.org/10.18464/cybin.v1i1.3

Download Citation

Abstract

Manual processing of malware samples became impossible years ago. Sandboxes are used to automate the analysis of malware samples to gather information about the dynamic behaviour of the malware, both at AV companies and at enterprises. Some malware samples use known techniques to detect when it runs in a sandbox, but most of these sandbox detection techniques can be easily detected and thus flagged as malicious. I invented new approaches to detect these sandboxes. I developed a tool, which can collect a lot of interesting information from these sandboxes to create statistics how the current technologies work. After analysing these results I will demonstrate tricks to detect sandboxes. These tricks can’t be easily flagged as malicious. Some sandboxes don’t not interact with the Internet in order to block data extraction, but with some DNS-fu the information can be extracted from these appliances as well.

References

  1. N. Rin, EP_XOFF, Virtual Machines Detection Enhanced, 2013, https://github.com/hfiref0x/VMDE
  2. Michael Boman, Making Virtualbox nearly undetectable, 2014 http://blog.michaelboman.org/2014/01/making-virtualbox-nearly-undetectable.html
  3. William Metcalf, Cuckoo building scripts, 2015, https://github.com/wmetcalf/buildcuckoo-trusty
  4. Jurriaan Bremer, "VMCloak, a tool for automatically creating and configuring Virtual Machines for Cuckoo Sandbox", 2015, http://jbremer.org/vmcloak2/
  5. VirtualBox Anti-AntiVM, 2014, http://www.kernelmode.info/forum/viewtopic.php?f=11&t=1911
  6. Peter Kleissner, AVTracker, http://avtracker.info/
  7. SpiderLabs Research, Magnitude Exploit Kit Backend Infrastructure Insight - Part II, 2014, https://www.trustwave.com/Resources/SpiderLabs-Blog/Magnitude-Exploit-Kit-Backend-Infrastructure-Insight---Part-II/
  8. Christian Amman, Hyperion: Implementation of a PE-Crypter, Nullsecurity, 2012, https://github.com/nullsecuritynet/papers/raw/master/nullsec-pe-crypter/nullsec-pe-crypter.pdf
  9. James Wyke, Duping the machine - malware strategies, post sandbox detection, 2015, https://www.virusbtn.com/virusbulletin/archive/2015/01/vb201501-duping
  10. Ben Baker, Alex Chiu, Threat Spotlight: Rombertik – Gazing Past the Smoke, Mirrors, and Trapdoors, 2015, http://blogs.cisco.com/security/talos/rombertik
  11. Kaspersky Labs' Global Research & Analysis Team, Animals in the APT Farm, 2015, https://securelist.com/blog/research/69114/animals-in-the-apt-farm/
  12. Joe Giron, Bypassing FireEye, ToorCon 15, https://www.youtube.com/watch?v=wynvicPjRDk
  13. Th4nat0s, No_Sandboxes, https://github.com/Th4nat0s/No_Sandboxes
  14. hfiref0x, VBoxHardenedLoader, https://github.com/hfiref0x/VBoxHardenedLoader