CyberEye

Snake hidden in the sand

Hackers' new trick for slithering through sandboxes

I recently had to have my computer disinfected, which was frustrating. My firewall is up, I keep my antivirus up to date, I’m cautious about opening e-mail and don’t click indiscriminately on links. But something got through.

A new report from Lastline, a security company that focuses on advanced malware, offers some insight into a technique black-hat malware writers use to escape detection: the code does busywork inside the security sandbox until the sandbox gives up and lets it out.

It should be noted that Lastline has a dog in this fight and is offering a solution to counter this new threat. But the information is still interesting.

A sandbox is an instrumented virtual environment with its own guest operating system in which intercepted incoming code is run and observed. If the code acts maliciously or suspiciously, it can be tossed out before it reaches the real network. Because the sandbox judges code by what it does rather than by what it looks like, it should in principle detect and block malware whether or not the code, or the vulnerability it exploits, is already known.

The challenge for attackers, then, is to outwit the sandbox. They do that with environmental checking: malware might look for signs that it is running in a virtual machine, or query well-known registry keys or files that indicate a sandbox, and play dead if it finds them. Other malware authors simply instruct their code to sleep for a while, waiting for the sandbox's analysis window to expire before doing anything interesting.

Security vendors have countered by treating behavior such as queries for those registry keys as suspicious in itself, and by forcing sleeping code to wake up: a sleep call does no work, so the sandbox can return from it immediately or fast-forward its clock.

The latest trick by malware writers is what Lastline calls stalling code. Instead of sleeping, the sample delays execution of its malicious code by performing a computation that appears legitimate. Sort of like an intruder avoiding notice by carrying a clipboard through an office. Because the delay is real work rather than a sleep call, the sandbox has to execute it to find out what comes next, and cannot simply skip it the way it skips a sleep. Once the sandbox has timed out, the evasive malware is free to execute.
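The cat-and-mouse game in the last three paragraphs, as an added toy model (not Lastline's code, not anything from the report, and not real malware): a behavior sandbox with a fixed analysis budget, one sample that evades by sleeping and one that evades with stalling code. Time is virtual so the run is deterministic. The budget, the iteration count, the "behaviour" string and the choice to make the stalling loop produce a key that the later code depends on are all assumptions of the example, made to show why a sandbox cannot neutralize stalling code the way it neutralizes a sleep.

```python
"""Toy model of sandbox evasion: a sleeping sample, a stalling sample and a
sandbox with a fixed analysis budget.  All names, numbers and the behaviour
string are constructed for this example; nothing here is real malware."""

ANALYSIS_BUDGET = 120.0      # constructed: virtual seconds spent per sample
TICK_COST = 0.001            # constructed: virtual seconds per loop iteration
STALL_ITERATIONS = 300_000   # 300 virtual seconds of busywork, longer than the budget
SLEEP_SECONDS = 300.0        # the sleeping sample waits for the same 300 seconds


class AnalysisTimeout(Exception):
    """Raised when the sample's virtual clock passes the sandbox budget."""


class Sandbox:
    """Minimal behaviour sandbox: run a sample and record what it does before
    the budget runs out.  patch_sleep models the 'force sleeping code to wake
    up' countermeasure: sleep() returns immediately."""

    def __init__(self, budget=ANALYSIS_BUDGET, patch_sleep=False):
        self.budget = budget
        self.patch_sleep = patch_sleep
        self.clock = 0.0        # virtual seconds consumed so far
        self.observed = []      # behaviours seen inside the budget

    def _charge(self, seconds):
        self.clock += seconds
        if self.clock > self.budget:
            raise AnalysisTimeout

    def sleep(self, seconds):
        # A sleep call does no work, so the sandbox can skip the wait entirely.
        if not self.patch_sleep:
            self._charge(seconds)

    def tick(self):
        # One iteration of ordinary-looking computation.  The sandbox has to
        # execute it to learn what the sample does next, so it costs analysis
        # time whether or not sleep is patched.
        self._charge(TICK_COST)

    def record(self, behaviour):
        self.observed.append(behaviour)

    def run(self, sample):
        try:
            sample(self)
        except AnalysisTimeout:
            pass                # budget exhausted: whatever follows is never seen
        return self.observed


def stall_key(iterations, on_iteration=None):
    """Busywork that looks like ordinary arithmetic (a linear congruential
    generator) and yields a value the rest of the sample depends on."""
    key = 0
    for i in range(iterations):
        if on_iteration:
            on_iteration()
        key = (key * 1103515245 + 12345 + i) & 0xFFFFFFFF
    return key


def xor_with_key(data, key):
    """Symmetric XOR of data with the four little-endian bytes of key."""
    kb = key.to_bytes(4, "little")
    return bytes(b ^ kb[i % 4] for i, b in enumerate(data))


BEHAVIOUR = b"install_persistence"   # constructed stand-in for a malicious action
# The stalling sample keeps its behaviour encoded under the key the *full*
# loop produces.  A sandbox that bails out of the loop early gets the wrong
# key and sees garbage instead of the behaviour.  (This dependency is a
# design choice of the example, not something the report describes.)
ENCODED_BEHAVIOUR = xor_with_key(BEHAVIOUR, stall_key(STALL_ITERATIONS))


def sleeping_sample(sb):
    sb.sleep(SLEEP_SECONDS)          # hope the sandbox gives up before we act
    sb.record(BEHAVIOUR)


def stalling_sample(sb, iterations=STALL_ITERATIONS):
    key = stall_key(iterations, on_iteration=sb.tick)
    sb.record(xor_with_key(ENCODED_BEHAVIOUR, key))


def demo():
    """Return what each sandbox configuration observes for each sample."""
    return {
        "sleeper, plain sandbox": Sandbox().run(sleeping_sample),
        "sleeper, sleep patched": Sandbox(patch_sleep=True).run(sleeping_sample),
        "staller, sleep patched": Sandbox(patch_sleep=True).run(stalling_sample),
        # a sandbox that forces the loop to exit after 1,000 iterations
        "staller, loop cut short": Sandbox(patch_sleep=True).run(
            lambda sb: stalling_sample(sb, iterations=1_000)),
    }


if __name__ == "__main__":
    for case, seen in demo().items():
        print(f"{case:24s} -> {seen}")
```

Run as a script, the plain sandbox sees nothing from the sleeper, the sleep-patched sandbox sees the sleeper's behaviour but still nothing from the staller, and forcing the loop to exit early does not help either, because the behaviour the sample records is then decoded with the wrong key.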

This is not the ultimate malware; evasive techniques can be countered by better sandboxes. Also, these techniques are no good if the vulnerabilities being exploited have been patched or if the signature of the code is already known. Although signature-based detection has been shown to be an inadequate defense by itself, it still works well when it works. (We'll look later at why it doesn't always work.)

But it is a reminder that what the mind of one man can achieve, another can overcome. No attack and no defense is perfect, and the battle goes on.

Posted by William Jackson on Feb 22, 2013 at 9:39 AM


Reader Comments

Mon, Feb 25, 2013

If you use modern devices like Chromebooks, designed to combat this type of attack by using verified boot and not allowing persistent malware to exist or executables to run, your device boots in pristine condition. You do not encounter this issue.
