Hot Knives Through Butter: Evading File-based Sandboxes
With organizations facing a deluge of cyberattacks, virtual-machine sandboxing has become a popular tool for quickly examining legions of files for suspicious activity. These sandboxes provide isolated, virtual environments that monitor the actual behavior of files as they execute. In theory, this setup enables security professionals to spot malicious code that evades traditional signature-based defenses. But sandboxes are only as good as the analysis that surrounds them.
This report details the following categories of sandbox-evasion techniques:
- Human interaction: mouse clicks and dialog boxes
- Configuration-specific: sleep calls, time triggers, process hiding, malicious downloaders, execution name of the analyzed files, volume information, and execution after reboot
- Environment-specific: version checks, embedded iframes (in Flash/SWF and JPG files), embedded executables in image files, and DLL loaders
- VMware-specific: system-service lists, unique files, and the VMX port
Download this report for an overview of techniques used to evade off-the-shelf file-based sandboxes.