Defeating Sandbox Evasion: How to Increase Successful Emulation Rate in your Virtualized Environment

Presented at VB2016, Oct. 6, 2016, 11 a.m. (30 minutes)

In the real world, special virtualized environments, called sandboxes, are used to analyse malware behaviour and prevent it from spreading and damaging real users' personal data, important corporate assets, etc. In our research, we focus on how to fight against the detection of sandboxes by malware and demonstrate some of the different techniques used by malware authors to detect virtual environments that are disregarded by leading vendors. We also present some solutions to counter these detection techniques. We also discuss *Cuckoo Sandbox*, a leading open-source automatic malware analysis system that is widely used in the world of security. *Cuckoo Sandbox* is easy to deploy and contains features which perform many key aspects of malware analysis, such as collecting information about the malware behaviour, capturing network traffic, processing reports, and more. Nearly all the largest players on the market, including *VirusTotal* and *Malwr*, utilize *Cuckoo Sandbox* as a platform to perform automatic behavioural analysis. *Cuckoo Sandbox* can also be used as a backend for anti-malware-related projects. We describe *Cuckoo Sandbox* bugs, which allow malware to detect a sandboxed environment, as well as possible solutions for these issues. Malware authors can use evasion techniques against a virtual environment simply by running some specially crafted code. If a sandbox is detected, then the malware may choose, for example, one of the following behaviours: 1. Terminate the execution, so no information will be provided. 2. Perform some non-malicious activity, so false information will be provided. 3. Perform some activities by accessing, for example, fake domains or IPs, to generate artifacts which are not relevant. If false information is received and used in products, the endpoint users are not protected against threats. Proposed solutions will lead to increased successful emulation rate and delivery of more relevant information as well as contributing to the overall improvement of virtual environments, especially ones that use *Cuckoo Sandbox*.

Presenters:

• Aliaksandr Chailytko - Check Point Software Technologies
  Aliaksandr Chailytko Started self-education in the field of hacking and reverse engineering at the age of 14, resulting in more than 10 years of experience. Very passionate about solving most prevalent malware problems of today as well as dealing with big data. Highly experienced in government and state sponsored malware research and reverse engineering operations.
• Stanislav Skuratovich - Check Point Software Technologies
  Stanislav Skuratovich Stanislav Skuratovich was born in Minsk, Belarus in 1992. During his studies he was interested in how things work from the inside. Such interest opened up the gates to the world of reverse engineering. He started to work as a Linux embedded software engineer, but a year later, at the beginning of 2015, he joined Check Point Software Technologies. Now, he works there as a malware researcher. He really likes to travel and visit new places. His hobbies include outdoor activities, CTFs (especially pwning) and he really likes to learn new stuff.

Links:

• https://www.virusbulletin.com/conference/vb2016/abstracts/defeating-sandbox-evasion-how-increase-successful-emulation-rate-your-virtualized-environment
• https://www.virusbulletin.com/uploads/pdf/conference_slides/2016/Skuratovich_Chailytko-vb-2016-defating-sandbox-evasion.pdf
• https://www.virusbulletin.com/virusbulletin/2016/12/vb2016-paper-defeating-sandbox-evasion-how-increase-successful-emulation-rate-your-virtual-environment

Similar Presentations:

• Black Hat USA 2013 / Mo' Malware, Mo' Problems - Cuckoo Sandbox to the Rescue
• ShmooCon XIII (2017) / Defeating Sandbox Evasion: How to Increase Successful Emulation Rate in Your Virtualized Environment
• REcon 2013 / Haow do I sandbox?!?!: Cuckoo Sandbox Internals