A new variety of malware has defeated on-premises sandboxes. What is your take on the significance of this threat?...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
Does it make sandboxing less valuable?
Ever since the introduction of sandboxes, there has been a cat-and-mouse game between attackers and sandbox makers. For their malware to be successful beyond just a proof-of-concept malware or exploit, it is important that malware authors be able to understand sandboxes and how to escape them or at least how to achieve their end regardless of the sandbox. The harder it is for antimalware researchers to create automated detection and remediation, the longer malware can run in the wild. This goes for all parts of malware analysis for sandboxes and network communication aspects of malware.
Seculert wrote a blog post about a recent version of the Sazoora malware, aptly named Sazoora.B, which has been able to effectively defeat sandboxes. The original Sazoora is a browser-based malware that steals data by injecting fraudulent code into webpages. Sazoora.B, on the other hand, has evolved to make malware analysis more difficult by delaying its execution to slow the automated analysis performed.
Many times, systems will delay delivering an email or connecting to a webpage until a file has successfully passed the sandbox. By delaying execution by, say, 15 minutes, the target's malware analysis potentially could time out and the malware could pass onto the local system. The reason for this might be a configurable option that drops emails or connections if something hasn't executed in a specific time period. This doesn't depend on a local or remote sandbox; rather, it depends on how extensive the analysis is and the security policy the organization has configured in the system about how long to wait until passing a file to an endpoint. Using an outsourced or cloud sandbox may provide more dedicated resources to the analysis of the malware and boost enterprise protection.
Ask the Expert!
Want to ask Nick Lewis a question about enterprise threats? Submit your question now via email! (All questions are anonymous.)
Dig Deeper on Malware, Viruses, Trojans and Spyware
Related Q&A from Nick Lewis
Locky ransomware has borrowed features from Dridex malware, which focused on attacking banks. Expert Nick Lewis explains Locky's techniques and how ...continue reading
The Mazar malware can wipe an entire Android device once it has been installed. Expert Nick Lewis explains how this malware works, and how attacks ...continue reading
MouseJack, a wireless mouse and keyboard security flaw, allows attackers to type malicious commands. Expert Nick Lewis explains how enterprises can ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.