
Sandboxing

Understand how sandboxing works and techniques about how the latest malware evades the sandboxing.


  1. Sandboxing. Kamlesh Tukaral. Date: 21/04/2020
  2. Who am I?
     ● Security Enthusiast
     ● Gamer
     ● Twitter: @King__2034
  3. Sandboxing
     ● Sandboxing is a method used for malware detection and is used by most modern security systems.
     ● In this method the malware is run in an isolated environment and its behaviour is analysed.
  4. Cuckoo Sandbox
     ● Cuckoo Sandbox is an open source automated malware analysis system capable of analysing malicious files under Windows, macOS, Linux and Android.
  5. YARA Rules
     ● YARA rules are widely used for malware research and detection.
     ● They identify malware through rules that look for particular strings or characteristics in a file.
     ● YARA was originally developed by Victor Alvarez of VirusTotal.
  6. YARA Syntax (slide text not captured)
  7. Sandbox Evading Malware
     ● Sandbox-evading malware is a recent and dangerous addition to the malware family.
     ● This type of malware evades the sandboxing method by identifying the environment it is about to run in.
     ● Such infections do not execute their malicious code until they are outside the sandbox environment.
  8. Sandbox Evasion Techniques
     ● To avoid detection, malware uses sandbox evasion techniques that are mainly based on detecting user or system interactions, or on obtaining environmental awareness.
  9. Sandbox Evasion Techniques (slide text not captured)
  10. Sandbox Evasion Techniques: Detecting User Interactions
     ● Users interact with computer systems in many ways, but there are no human-like interactions in a sandbox environment. Attackers can therefore program malware to wait for a specific user action and exhibit malicious behaviour only afterwards.
  11. Sandbox Evasion Techniques: Detecting system characteristics
     ● Sandbox-evading malware can be programmed to look for features of a real system that are not available in a sandbox or virtual environment.
  12. Sandbox Evasion Techniques (slide text not captured)
  13. Sandbox Evasion Techniques: Environmental awareness
     ● Cybercriminals who develop environment-aware malware usually know how sandboxing works, so they can easily program their malware to detect whether it is running on bare metal.
  14. Sandbox Evasion Techniques (slide text not captured)
  15. Sandbox Evasion Techniques: Timing-based techniques
     ● In some cases malware evades the sandbox using timing-based techniques. Sandboxes usually analyse a sample only for a limited period of time, and timing-based techniques exploit that limit.
  16. Sandbox Evasion Techniques (slide text not captured)
  17. Sandbox Evasion Techniques
     ● Extended sleep: when malware calls for an extended sleep, it can outlast the sandbox before executing.
     ● Logic bomb: in some cases malware is programmed to execute only on a particular date and at a particular time.
     ● Stalling code: malware can contain code that burns useless CPU cycles to delay the real payload until the sandbox has finished testing.
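Slides 15 to 17 describe sandboxes giving up after a fixed analysis window and malware requesting sleeps that outlast it. The following Python is an added example, not part of the deck, showing the check an analyst would run over a sandbox API-call trace to flag that pattern; the trace format and SAMPLE_TRACE are constructed and simplified (assumption), and the window length is a parameter.

```python
# Heuristic triage of timing-based sandbox evasion over a sandbox API-call trace.
# Constructed, simplified trace format (assumption): one dict per call holding the
# API name and its arguments, similar in spirit to a Cuckoo behaviour report.
from dataclasses import dataclass

# Delay units per API: Sleep/SleepEx take milliseconds; NtDelayExecution takes a
# LARGE_INTEGER in 100-nanosecond units where a negative value means "relative".
SLEEP_APIS = {"Sleep": "ms", "SleepEx": "ms", "NtDelayExecution": "100ns"}

def requested_delay_seconds(call: dict) -> float:
    """Return the delay a sleep-like call asked for, in seconds (0 if not a sleep)."""
    unit = SLEEP_APIS.get(call["api"])
    if unit is None:
        return 0.0
    if unit == "ms":
        return call["args"]["dwMilliseconds"] / 1000.0
    interval = call["args"]["DelayInterval"]
    # A positive interval is an absolute wake-up time; treated as unknown (0) here.
    return (-interval) / 10_000_000.0 if interval < 0 else 0.0

@dataclass
class TimingVerdict:
    total_sleep_s: float
    longest_sleep_s: float
    sleep_calls: int
    exceeds_window: bool   # total requested sleep would outlive the analysis window

def assess_timing_evasion(calls: list, analysis_window_s: float) -> TimingVerdict:
    """Flag traces whose requested sleeps would outlast the sandbox's analysis window.

    Both one long sleep (extended sleep) and many short ones that add up are
    counted, since either lets the sample idle until the sandbox stops watching.
    """
    sleeps = [d for d in (requested_delay_seconds(c) for c in calls) if d > 0]
    total = sum(sleeps)
    return TimingVerdict(
        total_sleep_s=total,
        longest_sleep_s=max(sleeps, default=0.0),
        sleep_calls=len(sleeps),
        exceeds_window=total >= analysis_window_s,
    )

# Constructed sample trace: a 1 s Sleep, a 300 s NtDelayExecution, then a 5 s Sleep.
SAMPLE_TRACE = [
    {"api": "GetTickCount", "args": {}},
    {"api": "Sleep", "args": {"dwMilliseconds": 1000}},
    {"api": "NtDelayExecution", "args": {"Alertable": 0, "DelayInterval": -3_000_000_000}},
    {"api": "Sleep", "args": {"dwMilliseconds": 5000}},
    {"api": "CreateFileW", "args": {"lpFileName": "C:\\Users\\Public\\x.tmp"}},
]

if __name__ == "__main__":
    print(assess_timing_evasion(SAMPLE_TRACE, analysis_window_s=120))
```

A sandbox that shortens sleeps to keep the sample moving should still log the originally requested value, otherwise the totals computed here are understated.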
  18. Sandbox Evasion Techniques: Obfuscating internal data
     ● Some sandbox evasion techniques let malware change or encrypt its code and communications so that the sandbox cannot analyse them.
  19. Sandbox Evasion Techniques (slide text not captured)
  20. Sandbox Evasion Techniques
     ● Fast flux: this technique rapidly changes DNS names and IP addresses and is widely used by botnets that want to hide phishing and malware delivery addresses. It lets malware bypass the blacklists of malicious websites that security solutions maintain.
  21. Sandbox Evasion Techniques
     ● Data encryption: some malware, such as the Dridex trojan, encrypts its API calls so that traditional malware sandboxes cannot read them. The Andromeda botnet used several keys to encrypt its communication with its server.
  22. Thank You
