Malware Avoiding Sandboxing

Started by deanwebb, May 01, 2015, 10:00:50 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions

deanwebb

May 01, 2015, 10:00:50 AM
https://threatpost.com/dyre-banking-trojan-jumps-out-of-sandbox/112533

Watch out for more stuff like this in the future. And by "watch out", I mean implement more bandwidth-throttling security solutions on the internal network.

"We need to have 10G throughput to and from the data center!"
"Sure, I'll make sure the hackers have 10G throughput to and from the data center as they rob us blind. I'll just turn off the firewall and IPS. You got it."
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

SimonV

#1
May 01, 2015, 11:38:57 AM
That's pretty neat actually, checking for the number of cores. Wonder if Palo Alto's Wildfire sandboxes also run on one core. I suppose they can easily fix this by using multicore sandboxes

AnthonyC

#2
May 04, 2015, 11:55:10 AM
Wildfire runs on the cloud (yes there is a dedicated hardware appliance you can buy but would cost more $).
"It can also be argued that DNA is nothing more than a program designed to preserve itself. Life has become more complex in the overwhelming sea of information. And life, when organized into species, relies upon genes to be its memory system."

Fred

#3
May 22, 2015, 10:25:04 PM
Sandboxes are pretty clearly an arms race, as hackers learn to detect them and sandbox providers learn to countermeasure the detection.

Note that in this case, they don't actually have to be multicore systems, but they simply need to claim to be.

Similar to the time-bomb stuff they were doing.  Sandboxes came along, then malware started sleeping for x minutes/hours before detonating, then sandboxes started accelerating time, and then malware started doing nontrivial calculations to pass the time instead of sleeping. I'm not sure how the sandboxes are getting around that, but my understanding is that they are.
Print
Go Up Pages1
User actions