Security Sandboxes Challenged by Evolving Malware

Malware is working hard to undermine and punish those who employ security sandboxes. Meanwhile, security innovators are working hard to stay one step ahead.

Security sandboxes are a crucial tool against the constantly evolving efforts of malware writers. A suspicious file is detonated in a digital sandbox, where the security tooling watches what the code does, whom it communicates with, and whether it behaves as expected, in order to decide whether the file is benign or malicious. The sandbox itself is a façade, designed to look and feel like a vulnerable system; in reality it is an isolated laboratory, reinforced so that malicious files can execute without causing any real damage, all under the control and watchful eye of the security tool set. After analysis is complete, the entire digital sandbox is discarded, and any harmful activity and changes disappear with it.

Many security vendors incorporate this technology to analyze downloads, executables, and even software updates, blocking the malicious and letting good files flow. Forensic experts use similar tools to dissect malware and unravel its inner workings. The stratagem has proven worthwhile at confidently detecting dangerous code, so much so that malware writers began embedding features in their software to detect when it has been placed in a sandbox. To remain elusive, upon detection the code either goes silent, temporarily acts innocently, or takes the preemptive measure of deleting itself, in hopes of avoiding scrutiny by security researchers.

Security has responded by making sandboxes stealthier, to avoid detection and let malware show its true nature in a safe environment. This hide-and-seek game has escalated, with new features employed on both sides to remain undetected while attempting to discover their counterpart.
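To make the hide-and-seek concrete, here is an added example (not from the original post, and not Cisco, Intel or McAfee tooling) that runs the classic environment-fingerprinting heuristics an evasive sample uses, but from the sandbox operator's side: it reports which artifacts of the analysis machine would tip off malware that it is being watched. The thresholds, the suspicious-name list and the hypervisor OUI table are assumptions chosen for illustration, and the host-facts collector is Linux-leaning.

```python
"""Sandbox self-check: the environmental artifacts evasive malware commonly
tests for, turned around so a sandbox operator can see which ones give an
analysis VM away. Thresholds and name lists below are illustrative assumptions."""
import os
import socket
import getpass
import time
import uuid
from dataclasses import dataclass

# OUI prefixes (first three MAC bytes) registered to hypervisor vendors; a
# guest NIC carrying one of these is a classic tell.
VM_MAC_PREFIXES = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware",
    "00:50:56": "VMware", "08:00:27": "VirtualBox", "52:54:00": "QEMU/KVM",
    "00:16:3e": "Xen", "00:15:5d": "Hyper-V",
}
# Substrings of user and host names that look like an analysis box (assumed list).
SUSPICIOUS_NAMES = ("sandbox", "malware", "virus", "cuckoo", "analysis", "sample")
# Assumed thresholds: real desktops have more cores, more RAM and longer uptime.
MIN_CPUS, MIN_RAM_BYTES, MIN_UPTIME_S, MIN_SLEEP_RATIO = 2, 2 * 1024 ** 3, 600, 0.9


@dataclass
class HostFacts:
    cpu_count: int
    ram_bytes: int
    uptime_seconds: float
    mac: str            # "aa:bb:cc:dd:ee:ff" (dashes and upper case tolerated)
    username: str
    hostname: str
    sleep_ratio: float  # measured elapsed time of a sleep() / requested time


def sandbox_indicators(f: HostFacts) -> list[str]:
    """Return one line per artifact an evasive sample would read as 'sandbox'."""
    hits = []
    if f.cpu_count < MIN_CPUS:
        hits.append(f"only {f.cpu_count} CPU(s); real desktops have more")
    if f.ram_bytes < MIN_RAM_BYTES:
        hits.append(f"only {f.ram_bytes // 1024 ** 2} MiB RAM")
    if f.uptime_seconds < MIN_UPTIME_S:
        hits.append(f"uptime {f.uptime_seconds:.0f}s: freshly booted image")
    prefix = f.mac.lower().replace("-", ":")[:8]
    if prefix in VM_MAC_PREFIXES:
        hits.append(f"MAC OUI {prefix} is registered to {VM_MAC_PREFIXES[prefix]}")
    for label, value in (("username", f.username), ("hostname", f.hostname)):
        if any(n in value.lower() for n in SUSPICIOUS_NAMES):
            hits.append(f"{label} {value!r} looks like an analysis account")
    if f.sleep_ratio < MIN_SLEEP_RATIO:
        hits.append(f"sleep returned after {f.sleep_ratio:.2f}x the requested "
                    "time: sleep acceleration (a sandbox anti-stalling trick)")
    return hits


def measure_sleep_ratio(seconds: float = 0.2) -> float:
    """Sandboxes often patch sleep to return at once so stalling samples finish
    quickly; a sample compares a monotonic clock before and after to notice."""
    start = time.perf_counter()
    time.sleep(seconds)
    return (time.perf_counter() - start) / seconds


def collect_host_facts() -> HostFacts:
    """Gather the same facts from the machine this runs on (Linux-leaning)."""
    try:
        ram = os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES")
    except (ValueError, OSError, AttributeError):
        ram = MIN_RAM_BYTES  # unknown on this platform: treat as not suspicious
    try:
        with open("/proc/uptime") as fh:
            uptime = float(fh.read().split()[0])
    except OSError:
        uptime = MIN_UPTIME_S
    try:
        user = getpass.getuser()
    except Exception:  # no login name available in some containers
        user = "unknown"
    node = uuid.getnode()  # 48-bit MAC; a random multicast value if none is found
    mac = ":".join(f"{(node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))
    return HostFacts(os.cpu_count() or 1, ram, uptime, mac,
                     user, socket.gethostname(), measure_sleep_ratio())


if __name__ == "__main__":
    found = sandbox_indicators(collect_host_facts())
    print("\n".join(found) if found else "no obvious sandbox artifacts")
```

Run it inside the analysis VM before committing a snapshot: every line it prints is something a stealthier sandbox should fix (more vCPUs and RAM, a MAC outside the hypervisor OUI ranges, realistic user and host names, letting the image accumulate uptime before detonation, and not accelerating sleep for samples that also check a clock). Real samples add many more checks, such as CPUID hypervisor bits, registry and driver artifacts, and timing of instructions, so treat this list as a floor, not a ceiling.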

In most instances it is a passive contest. That is, until Rombertik. Given the adversarial nature of the industry, nothing stays secure forever, not even security tools. Rombertik takes a different approach and goes on the offensive, causing harm and imposing a discouraging cost on those employing security tools.


Our security colleagues at Cisco have done a great job highlighting the anti-sandbox advances of the Rombertik malware in the Cisco 2015 Midyear Security Report. They show how the creators of Rombertik have taken a divergent path from their more docile predecessors. Instead of passively self-deleting or remaining quiet, it lashes out at the very systems attempting to analyze it. Rombertik contains a number of mechanisms to undermine, overflow, and detect sandboxes. Once Rombertik believes it is under the microscope, it attacks: the malware attempts to overwrite the machine's master boot record or destroy all files in the user's home folder, with the goal of leaving the system inoperable after a reboot.

The Cisco report states “Rombertik may be a harbinger of what’s to come in the malware world, because malware authors are quick to adopt their colleagues’ successful tactics.” It is an insightful report and I strongly recommend reading it.

The idea of a safe area to test suspicious code is not new. The original sandbox was simply a spare PC that could be isolated and completely wiped after analysis, but that was neither scalable nor terribly efficient. The revolution came when software could create virtual sandboxes on demand. Such environments are quick to create, easy to configure, and simple to delete and start anew; dozens or even hundreds can run simultaneously, each testing for malware. But software has inherent security limitations. Malware can sometimes break out of "jail" and escape the protected sandbox to cause real harm. Worse, the most sophisticated attackers can turn the tables and get under the virtual environment, running the security environment inside a sandbox managed by the attacker!

This maneuvering gets more complex over time as both sides escalate their tactics through innovation. How much longer can software-created sandboxes remain one step ahead? Nobody is sure.

What we need is a more robust means of building sandboxes. Beneath the software resides the hardware, which has the advantage of being the lowest layer of the stack: you cannot get "under" the hardware, and it is much harder to compromise than the operating systems, applications, and data that run above it. Hardware advances may change the game with sandboxes that are more difficult to detect and undermine. I think time will tell, but the move to hardware seems to be where the battle is heading. What cannot be foretold is whether changes in hardware will be the winning salvo or just a new battlefield for the attackers and defenders in the war of cybersecurity.


Twitter: @Matt_Rosenquist

This post was originally published on August 11, 2015, on the Intel communities site. 

The post Security Sandboxes Challenged by Evolving Malware appeared first on McAfee.