Problem solve Get help with specific problems with your technologies, process and projects.

The anti-sandbox malware that threatens sandbox security

An anti-sandboxing malware variant is defeating on-premises sandbox protection. Is sandbox security a thing of the past? Expert Nick Lewis discusses.

A new variety of malware has defeated on-premises sandboxes. What is your take on the significance of this threat?...

Does it make sandboxing less valuable?

Ever since the introduction of sandboxes, there has been a cat-and-mouse game between attackers and sandbox makers. For their malware to be successful beyond just a proof-of-concept malware or exploit, it is important that malware authors be able to understand sandboxes and how to escape them or at least how to achieve their end regardless of the sandbox. The harder it is for antimalware researchers to create automated detection and remediation, the longer malware can run in the wild. This goes for all parts of malware analysis for sandboxes and network communication aspects of malware.

Seculert wrote a blog post about a recent version of the Sazoora malware, aptly named Sazoora.B, which has been able to effectively defeat sandboxes. The original Sazoora is a browser-based malware that steals data by injecting fraudulent code into webpages. Sazoora.B, on the other hand, has evolved to make malware analysis more difficult by delaying its execution to slow the automated analysis performed.

Many times, systems will delay delivering an email or connecting to a webpage until a file has successfully passed the sandbox. By delaying execution by, say, 15 minutes, the target's malware analysis potentially could time out and the malware could pass onto the local system. The reason for this might be a configurable option that drops emails or connections if something hasn't executed in a specific time period. This doesn't depend on a local or remote sandbox; rather, it depends on how extensive the analysis is and the security policy the organization has configured in the system about how long to wait until passing a file to an endpoint. Using an outsourced or cloud sandbox may provide more dedicated resources to the analysis of the malware and boost enterprise protection.

Ask the Expert!
Want to ask Nick Lewis a question about enterprise threats? Submit your question now via email! (All questions are anonymous.)

This was last published in June 2014

Dig Deeper on Malware, virus, Trojan and spyware protection and removal