Bypassing modern sandbox technologies

This is a Master's thesis from Lund University / Department of Electrical and Information Technology

Abstract: Malware (malicious software) is a growing problem, increasing continuously in both number and complexity. Traditional, signature-based anti-virus systems are often incapable of detecting new, sophisticated malware, which calls for more advanced tools. So-called sandboxes are tools that automate the analysis of malware by actually running it in an isolated environment and observing its behavior. Although this approach works very well in theory, some malware has recently begun deploying sandbox detection techniques. With the help of these techniques, malware can detect when it is being analyzed and evade the sandbox by hiding its malicious behavior. The authors of this Master's thesis have developed and compared different types of sandbox detection techniques on five market-leading products. It was shown that an average of roughly 43% of the detection techniques developed were capable of both detecting and bypassing the sandboxes, and that the best-performing sandbox caught as much as 40% more of the techniques than the worst. Patterns of weaknesses were noticed in the sandboxes, relating primarily to limited hardware and lack of user interaction, both of which are typical sandbox characteristics. Surprisingly, the length of time for which the sandbox vendors had been developing their sandboxing technology seemed to have no positive impact on the result of their product, but rather the opposite. Furthermore, some detection techniques proved very efficient while being trivial to develop. The test results have been communicated to the sandbox vendors, and the authors believe that the sandboxes could be improved quite significantly using these results as a guideline.