Analysts planning to take apart a piece of malware to get a look at its inner workings have any number of techniques...
at their disposal. But these tactics are well-known in the hacker community as well, and they have become less effective over time as attackers have learned to evade them.
"None of the existing sandboxes are sophisticated enough to circumvent these techniques. That's exactly why I want to talk about it publicly," Hoffman said. "If I figured this out, you better believe other people have. The fact that it's not public means they just haven't told anyone."
"Some malware could have deliberate syntax errors that force the error handler to run and clean things up," Hoffman said. "If that doesn't run, the malware knows it's in a sandbox."
Hoffman said that at least one of the techniques he'll be discussing at Black Hat has been used in the wild. And while he said none of the techniques are a giant technological leap forward, Hoffman said they're all perfectly capable of defeating the current state of the art in sandboxing and analysis.
"These were really just the next logical step forward," Hoffman said. "But they can get around pretty much every sandbox that exists."