A new variety of malware has defeated on-premises sandboxes. What is your take on the significance of this threat?...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
Does it make sandboxing less valuable?
Ever since the introduction of sandboxes, there has been a cat-and-mouse game between attackers and sandbox makers. For their malware to be successful beyond just a proof-of-concept malware or exploit, it is important that malware authors be able to understand sandboxes and how to escape them or at least how to achieve their end regardless of the sandbox. The harder it is for antimalware researchers to create automated detection and remediation, the longer malware can run in the wild. This goes for all parts of malware analysis for sandboxes and network communication aspects of malware.
Seculert wrote a blog post about a recent version of the Sazoora malware, aptly named Sazoora.B, which has been able to effectively defeat sandboxes. The original Sazoora is a browser-based malware that steals data by injecting fraudulent code into webpages. Sazoora.B, on the other hand, has evolved to make malware analysis more difficult by delaying its execution to slow the automated analysis performed.
Many times, systems will delay delivering an email or connecting to a webpage until a file has successfully passed the sandbox. By delaying execution by, say, 15 minutes, the target's malware analysis potentially could time out and the malware could pass onto the local system. The reason for this might be a configurable option that drops emails or connections if something hasn't executed in a specific time period. This doesn't depend on a local or remote sandbox; rather, it depends on how extensive the analysis is and the security policy the organization has configured in the system about how long to wait until passing a file to an endpoint. Using an outsourced or cloud sandbox may provide more dedicated resources to the analysis of the malware and boost enterprise protection.
Ask the Expert!
Want to ask Nick Lewis a question about enterprise threats? Submit your question now via email! (All questions are anonymous.)
Dig Deeper on Malware, Viruses, Trojans and Spyware
Related Q&A from Nick Lewis
Locky ransomware has, again, changed tactics by moving to using LNK files for distribution. Expert Nick Lewis explains how enterprises can adjust ...continue reading
Hajime malware was discovered to have links to the Mirai botnet that launched powerful DDoS attacks last year. Expert Nick Lewis explains how Hajime ...continue reading
Drammer, or a deterministic Rowhammer attack, was found to be more effective on ARM-based mobile devices. Expert Nick Lewis explains the issue with ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.