Bypassing modern sandbox technologies

Lundsgård, Gustav; Nedström, Victor

Bypassing modern sandbox technologies

Mark

Lundsgård, Gustav ^LU and Nedström, Victor (2016) EITM01 20161
Department of Electrical and Information Technology

Abstract: Malware (malicious software) is becoming an increasing problem, as it continuously grows both in numbers and complexity. Traditional, signature based anti-virus systems are often incapable of detecting new, sophisticated malware, which calls for more advanced tools. So called sandboxes are tools which automate the process of analyzing malware by actually running them in isolated environments and observing their behavior. Although this approach works very well in theory, some malware have recently begun deploying sandbox detection techniques. With the help of these techniques, malware may detect when they are being analyzed and manage to evade the sandbox by hiding their malicious behavior.
The authors of this Master’s Thesis have... (More); Malware (malicious software) is becoming an increasing problem, as it continuously grows both in numbers and complexity. Traditional, signature based anti-virus systems are often incapable of detecting new, sophisticated malware, which calls for more advanced tools. So called sandboxes are tools which automate the process of analyzing malware by actually running them in isolated environments and observing their behavior. Although this approach works very well in theory, some malware have recently begun deploying sandbox detection techniques. With the help of these techniques, malware may detect when they are being analyzed and manage to evade the sandbox by hiding their malicious behavior.
The authors of this Master’s Thesis have developed and compared different types of sandbox detection techniques on five market leading products. It was shown that an average of roughly 43% of the detection techniques developed were capable of both detecting and bypassing the sand- boxes, and that the best performing sandbox caught as much as 40% more of the techniques than the worst. Patterns of weaknesses were noticed in the sandboxes, affecting primarily the limited hardware and lack of user interaction - both of which are typical sandbox characteristics. Surpris- ingly, the time for which the sandbox vendors had been developing their sandboxing technology seemed to have no positive impact on the result of their product, but rather the other way around. Furthermore, some detection techniques proved very efficient while being trivial to develop. The test results have been communicated to the sandbox vendors, and the authors are of the belief that the sandboxes could be quite significantly improved with these results as a guideline. (Less)

Please use this url to cite or link to this publication: http://lup.lub.lu.se/student-papers/record/8880576

author

Lundsgård, Gustav ^LU and Nedström, Victor

supervisor

Paul Stankovski ^LU

organization

Department of Electrical and Information Technology

course

EITM01 20161

year

2016

type

H2 - Master's Degree (Two Years)

subject

Technology and Engineering

report number

LU/LHT-EIT 2016-517

language

English

id

8880576

date added to LUP

2016-08-17 16:10:49

date last changed

2016-08-17 16:10:49

@misc{8880576,
  abstract     = {{Malware (malicious software) is becoming an increasing problem, as it continuously grows both in numbers and complexity. Traditional, signature based anti-virus systems are often incapable of detecting new, sophisticated malware, which calls for more advanced tools. So called sandboxes are tools which automate the process of analyzing malware by actually running them in isolated environments and observing their behavior. Although this approach works very well in theory, some malware have recently begun deploying sandbox detection techniques. With the help of these techniques, malware may detect when they are being analyzed and manage to evade the sandbox by hiding their malicious behavior.
The authors of this Master’s Thesis have developed and compared different types of sandbox detection techniques on five market leading products. It was shown that an average of roughly 43% of the detection techniques developed were capable of both detecting and bypassing the sand- boxes, and that the best performing sandbox caught as much as 40% more of the techniques than the worst. Patterns of weaknesses were noticed in the sandboxes, affecting primarily the limited hardware and lack of user interaction - both of which are typical sandbox characteristics. Surpris- ingly, the time for which the sandbox vendors had been developing their sandboxing technology seemed to have no positive impact on the result of their product, but rather the other way around. Furthermore, some detection techniques proved very efficient while being trivial to develop. The test results have been communicated to the sandbox vendors, and the authors are of the belief that the sandboxes could be quite significantly improved with these results as a guideline.}},
  author       = {{Lundsgård, Gustav and Nedström, Victor}},
  language     = {{eng}},
  note         = {{Student Paper}},
  title        = {{Bypassing modern sandbox technologies}},
  year         = {{2016}},
}

LUP Student Papers

LUND UNIVERSITY LIBRARIES

Bypassing modern sandbox technologies