
Bypassing modern sandbox technologies

Lundsgård, Gustav and Nedström, Victor (2016) EITM01 20161
Department of Electrical and Information Technology
Abstract
Malware (malicious software) is an increasing problem, as it continuously grows both in number and complexity. Traditional, signature-based anti-virus systems are often incapable of detecting new, sophisticated malware, which calls for more advanced tools. So-called sandboxes are tools that automate malware analysis by actually running samples in isolated environments and observing their behavior. Although this approach works very well in theory, some malware has recently begun deploying sandbox detection techniques. With the help of these techniques, malware can detect when it is being analyzed and evade the sandbox by withholding its malicious behavior.
The authors of this Master's Thesis have developed and compared different types of sandbox detection techniques on five market-leading products. On average, roughly 43% of the detection techniques developed were capable of both detecting and bypassing the sandboxes, and the best-performing sandbox caught as much as 40% more of the techniques than the worst. Patterns of weaknesses were noticed in the sandboxes, relating primarily to limited hardware and lack of user interaction, both of which are typical sandbox characteristics. Surprisingly, the length of time for which a vendor had been developing its sandboxing technology seemed to have no positive impact on the result of its product, but rather the other way around. Furthermore, some detection techniques proved very effective while being trivial to develop. The test results have been communicated to the sandbox vendors, and the authors believe that the sandboxes could be significantly improved with these results as a guideline.
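The abstract names two weakness categories, limited hardware and absent user interaction, without giving code. The following is an added example written for this page, not code from the thesis or its authors: it implements both categories as a small fingerprinting harness that an analyst can run inside their own sandbox to see which tells it exposes. The thresholds (MIN_CPUS, MIN_RAM_GIB, MIN_UPTIME_MIN) and the HostProfile layout are assumptions chosen here, not values measured in the thesis; the scoring functions operate on a profile so they can be exercised on constructed inputs, while collect_profile() fills one from the live host using standard-library calls only.

```python
"""Sandbox-fingerprint checks of the two kinds the abstract names:
limited hardware and absent user interaction. Added example; the
thresholds are assumptions for illustration, not thesis values."""
import os
import sys
import time
from dataclasses import dataclass
from typing import List, Optional

# Assumed thresholds; tune to the hardware you actually deploy.
MIN_CPUS = 2           # single-vCPU guests are a classic analysis-VM tell
MIN_RAM_GIB = 4.0      # modern workstations rarely ship with less
MIN_UPTIME_MIN = 10.0  # a snapshot restored seconds ago has almost no uptime


@dataclass
class HostProfile:
    cpu_count: int
    ram_gib: Optional[float]      # None when the platform gave no answer
    uptime_min: Optional[float]   # None when the platform gave no answer
    cursor_moved: Optional[bool]  # None when no cursor API was available


def hardware_indicators(p: HostProfile) -> List[str]:
    """Return the 'limited hardware' tells present in the profile."""
    hits = []
    if p.cpu_count < MIN_CPUS:
        hits.append(f"cpu_count={p.cpu_count} < {MIN_CPUS}")
    if p.ram_gib is not None and p.ram_gib < MIN_RAM_GIB:
        hits.append(f"ram_gib={p.ram_gib:.1f} < {MIN_RAM_GIB}")
    return hits


def interaction_indicators(p: HostProfile) -> List[str]:
    """Return the 'no user interaction' tells present in the profile.
    A cursor that never moves during the sampling window and a host that
    booted moments ago both point at an unattended, freshly restored VM.
    An unknown value (None) is never counted as evidence either way."""
    hits = []
    if p.uptime_min is not None and p.uptime_min < MIN_UPTIME_MIN:
        hits.append(f"uptime_min={p.uptime_min:.1f} < {MIN_UPTIME_MIN}")
    if p.cursor_moved is False:
        hits.append("cursor did not move during the sampling window")
    return hits


def looks_like_sandbox(p: HostProfile) -> bool:
    """True when at least one hardware or interaction tell is present."""
    return bool(hardware_indicators(p) or interaction_indicators(p))


def _total_ram_gib() -> Optional[float]:
    # POSIX sysconf only; elsewhere report 'unknown' rather than guess.
    names = getattr(os, "sysconf_names", {})
    if "SC_PAGE_SIZE" in names and "SC_PHYS_PAGES" in names:
        return os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES") / 2**30
    return None


def _uptime_min() -> Optional[float]:
    try:
        if sys.platform.startswith("linux"):
            with open("/proc/uptime") as f:
                return float(f.read().split()[0]) / 60.0
        if sys.platform == "win32":
            import ctypes
            k32 = ctypes.windll.kernel32
            k32.GetTickCount64.restype = ctypes.c_ulonglong  # avoid c_int truncation
            return k32.GetTickCount64() / 1000.0 / 60.0
    except OSError:
        pass
    return None


def _cursor_moved(sample_seconds: float) -> Optional[bool]:
    # Windows only: compare GetCursorPos() before and after the window.
    if sys.platform != "win32":
        return None
    import ctypes
    from ctypes import wintypes
    pt1, pt2 = wintypes.POINT(), wintypes.POINT()
    ctypes.windll.user32.GetCursorPos(ctypes.byref(pt1))
    time.sleep(sample_seconds)
    ctypes.windll.user32.GetCursorPos(ctypes.byref(pt2))
    return (pt1.x, pt1.y) != (pt2.x, pt2.y)


def collect_profile(sample_seconds: float = 0.0) -> HostProfile:
    """Build a HostProfile from the machine this runs on."""
    return HostProfile(
        cpu_count=os.cpu_count() or 1,
        ram_gib=_total_ram_gib(),
        uptime_min=_uptime_min(),
        cursor_moved=_cursor_moved(sample_seconds),
    )


if __name__ == "__main__":
    live = collect_profile(sample_seconds=2.0)
    print(live)
    print("hardware tells:    ", hardware_indicators(live))
    print("interaction tells: ", interaction_indicators(live))
    print("looks like sandbox:", looks_like_sandbox(live))
```

Run it inside an analysis VM and on a real workstation and compare the two lists: every tell that fires only in the VM is a cheap detection a sample can use, which is the point the thesis makes about trivial-to-develop techniques. The unknown case (None) is deliberately not treated as evidence, so a missing platform API cannot by itself flag a host.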
author: Lundsgård, Gustav and Nedström, Victor
supervisor:
organization:
course: EITM01 20161
year: 2016
type: H2 - Master's Degree (Two Years)
subject:
report number: LU/LHT-EIT 2016-517
language: English
id: 8880576
date added to LUP: 2016-08-17 16:10:49
date last changed: 2016-08-17 16:10:49
@misc{8880576,
  abstract     = {Malware (malicious software) is becoming an increasing problem, as it continuously grows both in numbers and complexity. Traditional, signature based anti-virus systems are often incapable of detecting new, sophisticated malware, which calls for more advanced tools. So called sandboxes are tools which automate the process of analyzing malware by actually running them in isolated environments and observing their behavior. Although this approach works very well in theory, some malware have recently begun deploying sandbox detection techniques. With the help of these techniques, malware may detect when they are being analyzed and manage to evade the sandbox by hiding their malicious behavior.
The authors of this Master’s Thesis have developed and compared different types of sandbox detection techniques on five market leading products. It was shown that an average of roughly 43% of the detection techniques developed were capable of both detecting and bypassing the sandboxes, and that the best performing sandbox caught as much as 40% more of the techniques than the worst. Patterns of weaknesses were noticed in the sandboxes, affecting primarily the limited hardware and lack of user interaction - both of which are typical sandbox characteristics. Surprisingly, the time for which the sandbox vendors had been developing their sandboxing technology seemed to have no positive impact on the result of their product, but rather the other way around. Furthermore, some detection techniques proved very efficient while being trivial to develop. The test results have been communicated to the sandbox vendors, and the authors are of the belief that the sandboxes could be quite significantly improved with these results as a guideline.},
  author       = {Lundsgård, Gustav and Nedström, Victor},
  language     = {eng},
  note         = {Student Paper},
  title        = {Bypassing modern sandbox technologies},
  year         = {2016},
}