...polymorphic malware to hyper-evasive malware. The article can be accessed here.

In a survey of IT managers published in July, more than half of the respondents said their companies had deployed appliance sandboxing, a measure of how widespread the control has become. Given that pervasiveness, it is no surprise that criminal cybergangs have responded by investing in techniques to evade sandbox detection. The article walks through the limitations of traditional first-generation sandboxes that malware authors are now exploiting, including:

  • The finite memory and processing power available in an appliance, which limits the total possible analysis load and depth of analysis performed
  • The reliance on virtualized environments, the presence of which can be detected by malware
  • The lack of diversity in the tests employed, limited to those of the specific sandbox vendor
  • The fact that any specific sandbox is best at one kind of analysis, e.g., operating system, registry, or network behavior analysis; it is hard to be great, or even good, at everything
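The first two limitations above are what evasive samples actually probe: an appliance gives each guest a sliver of CPU and memory, and the hypervisor announces itself through CPUID. The following program is an added illustration written for this page, not code from the article or from Cyren; it performs the kind of cheap environment checks the article attributes to malware and returns how many of them fire. The thresholds (2 CPUs, 2 GiB of RAM, 10 minutes of uptime) and the list of hypervisor signatures are assumptions chosen for the example. A sandbox operator can run the same probe inside their own analysis VM to see how much of this fingerprint it leaks.

```c
#define _GNU_SOURCE
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

#define HV_SIG_LEN 12

/* Read the 12-byte vendor signature a hypervisor advertises at CPUID leaf
 * 0x40000000 (EBX, ECX, EDX). Returns false when the hypervisor-present bit
 * (leaf 1, ECX bit 31) is clear, or when this is not an x86 build. */
bool read_hypervisor_signature(char sig[HV_SIG_LEN + 1]) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx) || !(ecx & (1u << 31)))
        return false;
    /* __get_cpuid refuses leaves above the basic maximum, so issue the
     * hypervisor leaf directly. */
    __cpuid(0x40000000, eax, ebx, ecx, edx);
    memcpy(sig, &ebx, 4);
    memcpy(sig + 4, &ecx, 4);
    memcpy(sig + 8, &edx, 4);
    sig[HV_SIG_LEN] = '\0';
    return true;
#else
    (void)sig;
    return false;
#endif
}

/* Map a raw signature to a product name, or NULL if it is not one we know.
 * The table is an assumption for the example; it covers the common ones. */
const char *hypervisor_name(const char *sig) {
    static const struct { const char *sig; const char *name; } known[] = {
        { "KVMKVMKVM\0\0\0", "KVM" },
        { "VMwareVMware",     "VMware" },
        { "Microsoft Hv",     "Hyper-V" },
        { "XenVMMXenVMM",     "Xen" },
        { "VBoxVBoxVBox",     "VirtualBox" },
        { "TCGTCGTCGTCG",     "QEMU (TCG)" },
    };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (memcmp(sig, known[i].sig, HV_SIG_LEN) == 0)
            return known[i].name;
    return NULL;
}

typedef struct {
    bool        hypervisor_bit;  /* CPUID leaf 1, ECX bit 31 */
    const char *hypervisor;      /* name from hypervisor_name(), or NULL */
    long        cpu_count;
    uint64_t    ram_mib;
    double      uptime_seconds;
} host_profile;

/* Count how many cheap "am I inside an analysis appliance?" tells fire.
 * Thresholds are illustrative assumptions, not values from the article. A
 * real evasive sample would go quiet above some count; this just returns
 * the number so each tell can be inspected and tested. */
int sandbox_suspicion(const host_profile *p) {
    int hits = 0;
    if (p->hypervisor_bit)         hits++;  /* any hypervisor at all */
    if (p->hypervisor)             hits++;  /* a recognised one, not masked */
    if (p->cpu_count < 2)          hits++;  /* appliance gives each VM a sliver of CPU */
    if (p->ram_mib < 2048)         hits++;  /* ... and of memory */
    if (p->uptime_seconds < 600.0) hits++;  /* freshly reverted snapshot */
    return hits;
}

/* Fill a profile from the running host (Linux sysconf + /proc/uptime). */
host_profile probe_host(void) {
    static char sig[HV_SIG_LEN + 1];
    host_profile p = {0};
    p.hypervisor_bit = read_hypervisor_signature(sig);
    p.hypervisor = p.hypervisor_bit ? hypervisor_name(sig) : NULL;
    p.cpu_count = sysconf(_SC_NPROCESSORS_ONLN);
    long pages = sysconf(_SC_PHYS_PAGES), page = sysconf(_SC_PAGESIZE);
    p.ram_mib = (pages > 0 && page > 0) ? ((uint64_t)pages * (uint64_t)page) >> 20 : 0;
    FILE *f = fopen("/proc/uptime", "r");
    if (f) {
        if (fscanf(f, "%lf", &p.uptime_seconds) != 1) p.uptime_seconds = 0;
        fclose(f);
    }
    return p;
}

int main(void) {
    host_profile p = probe_host();
    printf("hypervisor bit: %s, vendor: %s\n", p.hypervisor_bit ? "set" : "clear",
           p.hypervisor ? p.hypervisor : "unknown/none");
    printf("cpus: %ld, ram: %llu MiB, uptime: %.0f s\n", p.cpu_count,
           (unsigned long long)p.ram_mib, p.uptime_seconds);
    printf("sandbox tells firing: %d of 5\n", sandbox_suspicion(&p));
    return 0;
}
```

Build with `gcc -O2 probe.c -o probe` on Linux/x86 and run it inside the sandbox guest. A bare-metal workstation typically scores 0; a default single-vCPU, 1 GiB appliance VM restored from a snapshot scores 5. Masking the vendor signature alone only removes one tell, which is why a sandbox that wants to defeat these checks has to look like a real machine in resources and uptime as well, not just hide the hypervisor string.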

At the end, Stefnisson lists the techniques employed by one specific sample of the Cerberus ransomware to evade detection: 29 distinct check functions performed by the malware.

To get ahead of these evasive tactics, Cyren recently launched a next-generation cloud sandboxing array as part of its lineup of web security services for businesses, applying the elastic processing power of the cloud to the problem.

Cyren Ltd. published this content on 22 September 2016 and is solely responsible for the information contained herein.
Distributed by Public, unedited and unaltered, on 23 September 2016 01:47:05 UTC.

Original document: http://blog.cyren.com/articles/insecure-magazine-hyper-evasive-threats-are-killing-sandboxing.html

Public permalink: http://www.publicnow.com/view/2656DB71DE27184CF4182B4C3837D3EC79A9119E