Sandbox Evasion Techniques


I have tried so many times to explain to customers the relative lack of interest of malware sandboxes for detecting malware from organized crime and APT groups.

True, at the beginning sandboxes were very neat tools for detecting malware and its nefarious behavior, but threat actors quickly found ways to evade detection. Today the evasion techniques are complex and diverse, which makes the effectiveness of sandboxes very debatable.

My forensic and active-security colleagues identified no fewer than 20 techniques used by malware to evade sandbox detection; they can be categorized into 4 broad families:

1. Time-based evasion
2. System information
3. Lack of user interaction
4. Network-based detection

Time-based evasion is the simplest and one of the most effective techniques. In a mid-size company the sandbox solution needs to analyze millions of files every day, so it has only a short time window in which to wait for the suspected malware to do anything suspicious. The malware therefore waits a very long time, or waits for a system event such as a user log-off, before doing anything, and thus avoids detection. It can wait for days, even weeks. It also checks the system uptime: if the uptime is only a matter of minutes, it terminates itself.
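The two time-based tricks described above (a multi-day sleep and an uptime check), modelled from the sandbox operator's side as an added example that is not part of the original article: a toy sandbox clock shows why a fixed analysis window never sees a delayed payload, and how reporting a realistic uptime and skipping sleeps on a virtual clock restores visibility. The names SandboxClock, sample and analyze are constructed for this example; no real malware or sandbox API is involved.

```python
"""Toy model of time-based sandbox evasion and the sandbox-side countermeasure.
Constructed example, no real malware or sandbox API: the sample uses the two
tricks from the text (quit on short uptime, sleep for days), and the sandbox
controls the clock the sample sees."""


class SandboxClock:
    """Clock exposed to the sample. The sandbox picks the reported uptime and
    whether a sleep really consumes analysis time or is skipped by advancing
    the virtual clock."""

    def __init__(self, uptime_s, budget_s, skip_sleeps):
        self.now = float(uptime_s)      # "seconds since boot" as the sample sees it
        self.budget = float(budget_s)   # wall-clock seconds the sandbox will spend
        self.skip_sleeps = skip_sleeps

    def uptime(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds             # the sample always sees time move forward
        if not self.skip_sleeps:
            self.budget -= seconds      # without skipping, the sandbox really waits
            if self.budget < 0:
                raise TimeoutError("analysis window expired")


def sample(clock, min_uptime_s=10 * 60, delay_s=48 * 3600):
    """Stand-in for a delayed sample: quits if uptime is only minutes,
    otherwise idles for two days before doing anything observable."""
    if clock.uptime() < min_uptime_s:
        return "exited: uptime too short"
    clock.sleep(delay_s)
    return "payload executed"           # the behaviour the analyst needs to see


def analyze(sample_fn, uptime_s, budget_s, skip_sleeps):
    """Run the sample under one sandbox clock policy and report what was seen."""
    clock = SandboxClock(uptime_s, budget_s, skip_sleeps)
    try:
        return sample_fn(clock)
    except TimeoutError:
        return "window expired: sample looked benign"


if __name__ == "__main__":
    # Only the realistic-uptime-plus-sleep-skipping policy observes the payload.
    for uptime, skip in ((120, False), (3 * 86400, False), (3 * 86400, True)):
        print(f"uptime={uptime}s skip_sleeps={skip}: "
              f"{analyze(sample, uptime, budget_s=300, skip_sleeps=skip)}")
```

In a real sandbox the skipped sleep has to be reflected consistently in every time source the guest can read (tick counters, the real-time clock, file timestamps), otherwise the inconsistency itself gives the environment away.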

There is a treasure trove of system information that reveals the presence of a virtual machine: a low number of CPU cores, hardware component IDs typical of VMs, no CPU temperature reading, MAC addresses belonging to VM/sandbox vendors, VM drivers, registry keys associated with VMs, etc. In summary, malware developers are spoilt for choice when looking for VM-associated system information.

Another interesting property of VMs is the lack of user interaction and user behavior. A typical user system has hundreds of documents in the default directories such as Documents, Downloads, Desktop, Pictures, etc.; VMs don't. Typical user systems have software installed such as Office, Adobe, Zoom, etc.; VMs don't. The malware can also seek user interaction by displaying fake dialog boxes to detect the presence of an actual user.

Finally, VMs lack the connectivity and open ports of a regular system. The malware can check whether there are other devices on the network that look like user systems, whether the ports associated with sandbox software are open, or whether the usual ports are open.

There is a constant battle between detection and evasion techniques, but professional malware authors always seem a couple of steps ahead. It is interesting to see that FireEye, the original leader of the sandbox market, has not been doing so well for the last 2 years.

One may say that I completely ignore the emulator category of sandboxes, but that should be the subject of a different, though terribly similar, article.
