The evolution of malware in the past five years has caused many organizations to realize that their layered security approach is no longer effective. Running multi-engine signature matching solutions, such as antivirus (AV), is no longer sufficient to detect the latest threats and will ultimately leave your data vulnerable. Consequently, the adoption of sandbox malware analysis components has grown in popularity as organizations look to counter targeted attacks, which have been developed and tested against off-the-shelf AV security tools.
THE PROGRESSION OF CYBERCRIME TECHNIQUES
Cybercriminals have long realized that by adding sandbox instance identification capabilities into their code, their malware could continue to evade detection. At first, something as simple as adding a time delay prior to executing the payload would bypass sandboxes. Security vendors identified this code in samples (e.g., the NAP Trojan) and refocused their efforts on detecting anomalies in code with time-based execution parameters.
That said, the latest code samples are worrisome: there is evidence that advanced malware now includes code to detect the presence of common apps, services, drivers, MAC addresses, BIOS names and even low-level instructions whose behaviour is characteristic of sandbox environments. Cybercriminals attempt to differentiate between user input and automated sandbox input to determine whether the payload can be executed without detection. Lastly, attackers conduct their recon, identify the sandbox solution and then look to keep the sandbox resources busy with non-malicious code while simultaneously dropping their malware.
This sounds complex, but sample code has been found on sites like Pastebin.com, where users can simply copy and paste it into existing malicious code in an effort to evade sandbox detection. Due to their covert design characteristics, these types of advanced attacks belong to the stealth or armoured malware category.
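One defensive response to sandbox-aware malware is to triage submitted files for the tell-tale strings such code carries (VM vendor names, VM guest driver names, virtual NIC MAC prefixes, timing APIs, analysis tool names) and route any that hit several categories to a longer or hardened analysis run. The following Python is an added example written for this page, not code from the article or from any vendor's product; the indicator lists, the scoring thresholds and the two sample byte strings are all constructed assumptions for illustration, not a curated production list.

```python
"""Static triage heuristic: flag a sample as possibly sandbox-aware by
scanning its raw bytes for strings that evasion code commonly looks for.
Added example, not from the original article. The indicator lists are
illustrative assumptions; a real deployment would maintain its own."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Illustrative indicator groups, matched case-insensitively (assumption:
# these are the kinds of artifacts the article refers to, not a complete set).
INDICATORS: Dict[str, List[bytes]] = {
    "vm_vendor": [b"VMware", b"VBOX", b"VirtualBox", b"QEMU", b"Xen"],
    "vm_driver": [b"vmmouse.sys", b"vboxguest", b"vboxmouse.sys", b"vmhgfs.sys"],
    "mac_oui": [b"00:05:69", b"00:0C:29", b"00:50:56", b"08:00:27"],
    "timing_api": [b"GetTickCount", b"NtDelayExecution", b"Sleep"],
    "analysis_tool": [b"wireshark", b"procmon", b"ollydbg", b"x64dbg"],
}


def scan_sample(data: bytes) -> Dict[str, List[str]]:
    """Return {category: [matched indicators]} for every indicator present in data."""
    hits: Dict[str, List[str]] = defaultdict(list)
    lowered = data.lower()
    for category, needles in INDICATORS.items():
        for needle in needles:
            if needle.lower() in lowered:
                hits[category].append(needle.decode())
    return dict(hits)


def sandbox_awareness_score(hits: Dict[str, List[str]]) -> int:
    """Score is the number of distinct indicator categories hit; a single hit
    is weak evidence (many benign installers mention VMware), several are not."""
    return len(hits)


def triage(data: bytes) -> Tuple[str, Dict[str, List[str]]]:
    """Map a sample to a routing verdict: 'normal', 'review' or 'extended-analysis'
    (the latter meaning a longer run on a hardened sandbox image)."""
    hits = scan_sample(data)
    score = sandbox_awareness_score(hits)
    if score >= 2:
        verdict = "extended-analysis"
    elif score == 1:
        verdict = "review"
    else:
        verdict = "normal"
    return verdict, hits


# Constructed sample bytes that mimic a binary embedding such checks
# (not real malware; the MZ header prefix is decorative).
CONSTRUCTED_SAMPLE = (
    b"\x4d\x5a\x90\x00GetTickCount\x00VBoxMouse.sys\x00"
    b"SYSTEM\\HardwareConfig\x00vmware\x00"
)
# Constructed benign-looking sample with ordinary imports only.
CLEAN_SAMPLE = b"\x4d\x5a\x90\x00LoadLibraryA\x00hello world\x00"

if __name__ == "__main__":
    print(triage(CONSTRUCTED_SAMPLE))
    print(triage(CLEAN_SAMPLE))
```

The score counts categories rather than raw matches so that a benign installer mentioning "VMware" once lands in "review" rather than being escalated, while a sample that combines a timing API with VM driver names is sent for extended analysis. In practice this sits in front of the sandbox as a routing step, not as a replacement for it.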
SO WHERE DO WE GO FROM HERE?
Many security vendors are now stating that sandboxing should be viewed as a valuable security component, not a comprehensive solution. Hardening your sandbox environment is quickly becoming a priority alongside patching and ensuring signatures are current. Consider this a part of your overall security strategy and you will become more effective.
Available computing resources have historically posed a challenge for on-premise sandboxing implementations. Do you plan for the average, or do you prepare for the worst-case spike in file downloads and email attachments? A cloud-based sandbox environment offers dynamic scalability without loss of performance, while also giving the vendor more proactive maintenance options.