A new variety of malware has defeated on-premises sandboxes. What is your take on the significance of this threat?...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
Does it make sandboxing less valuable?
Ever since the introduction of sandboxes, there has been a cat-and-mouse game between attackers and sandbox makers. For their malware to be successful beyond just a proof-of-concept malware or exploit, it is important that malware authors be able to understand sandboxes and how to escape them or at least how to achieve their end regardless of the sandbox. The harder it is for antimalware researchers to create automated detection and remediation, the longer malware can run in the wild. This goes for all parts of malware analysis for sandboxes and network communication aspects of malware.
Seculert wrote a blog post about a recent version of the Sazoora malware, aptly named Sazoora.B, which has been able to effectively defeat sandboxes. The original Sazoora is a browser-based malware that steals data by injecting fraudulent code into webpages. Sazoora.B, on the other hand, has evolved to make malware analysis more difficult by delaying its execution to slow the automated analysis performed.
Many times, systems will delay delivering an email or connecting to a webpage until a file has successfully passed the sandbox. By delaying execution by, say, 15 minutes, the target's malware analysis potentially could time out and the malware could pass onto the local system. The reason for this might be a configurable option that drops emails or connections if something hasn't executed in a specific time period. This doesn't depend on a local or remote sandbox; rather, it depends on how extensive the analysis is and the security policy the organization has configured in the system about how long to wait until passing a file to an endpoint. Using an outsourced or cloud sandbox may provide more dedicated resources to the analysis of the malware and boost enterprise protection.
Ask the Expert!
Want to ask Nick Lewis a question about enterprise threats? Submit your question now via email! (All questions are anonymous.)
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
An Apache Struts vulnerability is still being exploited, even though it has already been patched. Expert Nick Lewis explains why the Struts platform ...continue reading
A revamped Poison Ivy RAT campaign has been using new evasion and distribution techniques. Expert Nick Lewis explains the new attack methods that ...continue reading
Fileless malware hidden in server memory led to attacks on many companies worldwide. Expert Nick Lewis explains how these attacks fit in with the ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.