Sandboxing, a popular alternative to traditional signature-based malware defense particularly potent in zero-day attacks, is not a foolproof defense, according to one security researcher.
Kruegel’s warning comes at a time when sandboxing is gaining wide popularity as a way to detect and deter zero-day attacks aimed at stealing corporate data.
Malware developers are already aware of sandboxing techniques and are able to device ways of eluding sandbox detection, he said.
Kruegel outlined several ways malware authors are able to circumvent sandboxes:
Exploiting blind spots –Sandboxes typically insert so-called hooks into a program in order to get callbacks or notifications for function or library calls. Unfortunately, Kruegel said, this method requires the program code to be modified. This modification can be detected by malware or interfere with dynamic code generation. There is a huge blind spot, he said, because the sandbox is not able to see any instruction that the malware executes between calls. This blind spot is what malware makers target and they do this by stalling code.
Stalling code – Stalling code is code that runs between system calls. This technique delays the execution of a malicious code so that a sandbox times out, according to Kruegel. The malware does not sleep but performs some useless computation that gives the appearance of activity and makes the malware analysis system think that everything is normal.
Environmental checks – Some malware authors can also insert zero-day “environmental checks related to the targeted operating system. The environmental checks, according to Kruegel, manipulate the return value. He said it is a very effective evasive move that force many vendors to patch their sandboxes in order to detect the breach.
Kruegel said Lastline is working to address these evasion tactics with its Previct appliance product but acknowledges there is “no 100 per cent security.”
It is well worth it to include sandboxing as part of an overall security system, but companies need to employ other technology and methods to detect malware.