Virtualization-based sandbox malware

Introduction

Sandboxing is well known for its ability to execute code safely without any malicious effects reaching the host system. Sandboxes are normally used to test how programs and applications behave in a controlled environment and, more generally, whenever you want to assess the trustworthiness of a piece of code. What many may not know is that there are two different types of sandboxing, and they are not created equal.

This article will detail virtualization-based sandbox malware and explore the differences between virtualized and emulated sandboxes, virtualization-based sandbox malware in general, and the three different techniques that malware uses to evade virtualization-based sandboxes. We will also give a rundown of some of the malware and malware families that take advantage of virtualization-based sandbox weaknesses.

Virtualization-based versus emulated sandboxing

Sandboxes are typically used to detect malware and to judge the relative safety of code. However, advanced malware and malware families can evade both mainstream consumer sandboxes and next-generation sandboxes. This applies in particular to virtualization-based sandboxes, that is, sandboxes running on virtual machines.

In an emulated sandbox, the entire system is emulated — from memory to CPU to I/O devices. This offers the greatest stealth and the greatest visibility into what occurs within programs and applications. Virtualization-based sandboxing offers less stealth (malware can easily detect the hypervisor and then hide its malicious actions) and less visibility into programs and applications. This is a major shortcoming of virtualization-based sandboxing.

Virtualization-based sandbox malware

Advanced malware can detect whether it is running within a sandbox. When it detects a sandbox, it simply avoids taking any malicious action and thereby evades detection. The sandbox then erroneously labels the file as benign, and the file is allowed onto the network.

Without detecting that it is in a sandbox, the malware will just proceed as normally and perform malicious actions. The key here is to (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Greg Belding. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/l_tSGuZV0lU/