Sandbox for malware detection

The problem

Crackers are getting smarter every day. They use new and sophisticated ways to encrypt (pack) their malware, or to make it change its shape and signature over time (polymorphic and metamorphic code). This makes it very difficult for signature-based antivirus solutions to detect and protect against those types of malware. Furthermore, zero-day attacks are more common than ever, and IT security people have to respond.


Since we cannot depend on comparing a malware file against a list of signatures in a database, we should think of a way to study the life cycle of the malware when it is in motion (in action). Imagine that you are given a malware file and asked to study its behavior. Usually you would let it run in a controlled environment and start monitoring what the malware does to the registry, the O.S., processes and memory, and what network connections it opens. A Sandbox is exactly the same idea, automated.

Sandbox originally is a concept used to describe running a program in an isolated and controlled environment for evaluation and testing purposes. Usually Sandboxes are used to test applications from third-party, untrusted vendors. Security people now use Sandboxes for malware investigation and detection.

How does it work?

When a user first downloads an executable file, the file is delivered to his machine and a copy is also sent to the Sandbox for evaluation. The Sandbox contains a couple of virtual machines that simulate the end user's operating system down to the patch level. Because the Sandbox is built for this work, it executes the file immediately and starts recording its behavior. If it sees the sample connecting back (a call-back) to the cracker's command and control (C2) server, it will block that traffic if it is configured to do so, or just log the incident. Note that in this mode the user already has the file by the time the verdict arrives, so the value of the Sandbox lies in the alert and the follow-up (blocking the C2 traffic, cleaning the machine), not in stopping the first download.


Sandbox malware detection uses behavior-based malware classification patterns, not code-based signatures. Patterns cover everything from generic malicious behavior (e.g. creating files, modifying registry keys) to family-specific behavior patterns (e.g. banking Trojans, keyloggers). Malware infects the virtual systems inside the Sandbox: it creates and deletes files, replicates, connects to carefully controlled IRC servers and URLs, sends emails, sets up listening ports, and performs most other functions as it would on a real system. Working at the kernel level, the sandbox monitor exercises the malware, intercepts its behavior and converts it into step-by-step forensic intelligence: a map of the damage the threat would cause if allowed to run on a real machine, without ever putting actual systems at risk. Keep in mind that the generic patterns on their own (a file write, a registry change) are also what legitimate installers do, so a verdict is normally built from the combination and sequence of behaviors rather than from any single one.
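To make the pattern idea concrete, here is an added example (not code from the original post or from any vendor's product): a small behavior-based classifier run over a constructed sandbox event trace. The event schema, the rule names and weights, and both traces are assumptions made for the illustration. It shows why generic patterns carry low weight and why sequence matters: an installer that writes a file and runs it scores zero, while a dropper that does the same from AppData, adds a Run key, installs a low-level keyboard hook and connects to an IRC port is classified as a keylogger/IRC bot.

```python
"""Behaviour-based classification of a sandbox event trace.

Added example, not code from the original post or from any vendor's product.
The event schema, the rule names and weights, and both traces below are
constructed for illustration; a real sandbox emits its own event format.
"""
import json

WH_KEYBOARD_LL = 13  # SetWindowsHookEx hook id used by user-mode keyloggers

# Constructed trace in the style of a sandbox's step-by-step log: one JSON
# event per line, in time order.  Models a dropper installing a keylogging IRC bot.
MALICIOUS_TRACE = r"""
{"t": 0.01, "pid": 1204, "op": "file_write", "path": "C:\\Users\\bob\\AppData\\Roaming\\svch0st.exe"}
{"t": 0.02, "pid": 1204, "op": "reg_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "value": "C:\\Users\\bob\\AppData\\Roaming\\svch0st.exe"}
{"t": 0.05, "pid": 1204, "op": "proc_create", "image": "C:\\Users\\bob\\AppData\\Roaming\\svch0st.exe", "child_pid": 1388}
{"t": 0.40, "pid": 1388, "op": "api_call", "api": "SetWindowsHookExA", "args": {"idHook": 13}}
{"t": 0.90, "pid": 1388, "op": "net_connect", "dst": "203.0.113.7", "port": 6667}
{"t": 1.20, "pid": 1388, "op": "net_listen", "port": 4444}
{"t": 2.00, "pid": 1388, "op": "file_delete", "path": "C:\\Users\\bob\\Downloads\\invoice.exe"}
"""

# Constructed trace of an ordinary installer: it also writes a file and runs
# it, but into Program Files, and it only talks HTTPS.
BENIGN_TRACE = r"""
{"t": 0.01, "pid": 2000, "op": "file_write", "path": "C:\\Program Files\\Tool\\tool.exe"}
{"t": 0.03, "pid": 2000, "op": "proc_create", "image": "C:\\Program Files\\Tool\\tool.exe", "child_pid": 2044}
{"t": 0.50, "pid": 2044, "op": "net_connect", "dst": "203.0.113.9", "port": 443}
"""


def parse_trace(text):
    """One JSON object per non-empty line, order preserved."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _user_writable(path):
    p = path.lower()
    return "\\appdata\\" in p or "\\temp\\" in p or "\\downloads\\" in p


# --- generic behaviour patterns (legitimate software does these too) -------
def writes_run_key(events):
    return any(e["op"] == "reg_set" and "\\currentversion\\run\\" in e["key"].lower()
               for e in events)


def drops_and_runs_executable(events):
    """A file written to a user-writable directory is later executed."""
    dropped = set()
    for e in events:
        if e["op"] == "file_write" and _user_writable(e["path"]):
            dropped.add(e["path"].lower())
        elif e["op"] == "proc_create" and e["image"].lower() in dropped:
            return True
    return False


def opens_listening_port(events):
    return any(e["op"] == "net_listen" for e in events)


def deletes_executable(events):
    return any(e["op"] == "file_delete" and e["path"].lower().endswith(".exe")
               for e in events)


# --- family-specific behaviour patterns ------------------------------------
def low_level_keyboard_hook(events):
    return any(e["op"] == "api_call" and e["api"].startswith("SetWindowsHookEx")
               and e.get("args", {}).get("idHook") == WH_KEYBOARD_LL for e in events)


def connects_to_irc_port(events):
    return any(e["op"] == "net_connect" and e["port"] in (6667, 6697) for e in events)


# (category, weight, predicate): generic behaviours score low, family patterns high.
RULES = [
    ("generic", 1, writes_run_key),
    ("generic", 2, drops_and_runs_executable),
    ("generic", 1, opens_listening_port),
    ("generic", 1, deletes_executable),
    ("family:keylogger", 3, low_level_keyboard_hook),
    ("family:irc_bot", 3, connects_to_irc_port),
]


def classify(events, threshold=4):
    """Score a trace against RULES; return verdict, score, families and matches."""
    matched = [(cat, w, fn.__name__) for cat, w, fn in RULES if fn(events)]
    score = sum(w for _, w, _ in matched)
    families = sorted({cat.split(":", 1)[1] for cat, _, _ in matched
                       if cat.startswith("family:")})
    verdict = "malicious" if score >= threshold else ("suspicious" if score else "clean")
    return {"verdict": verdict, "score": score, "families": families,
            "matched": [name for _, _, name in matched]}


if __name__ == "__main__":
    for label, trace in (("malicious", MALICIOUS_TRACE), ("benign", BENIGN_TRACE)):
        print(label, classify(parse_trace(trace)))
```

The threshold and weights are where the tuning happens: the same `drops_and_runs_executable` rule would fire on the installer too if it did not insist on a user-writable directory, which is the kind of refinement that keeps generic patterns from drowning the analyst in false positives.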

Sandbox ISO Images

Usually the Sandbox contains many virtual machine images (referred to here as ISO images) for different operating systems (typically Windows XP SP3 and others). Each machine simulates one of the operating systems in use on the corporate network, down to the service pack level. Some Sandboxes allow you to copy in the "gold image" that you use internally, which creates a virtual environment extremely similar to your real workstations and allows better judgments: a sample that checks for a particular application or patch level before acting will behave on the gold image as it would on a real desktop.

Usually Sandboxes do not contain images for Apple, Android, Linux or other non-Windows platforms, and it is likely that the Sandbox will not be able to do anything about malware written to target those operating systems. This is an obvious detection limit for Sandboxes when it comes to malware detection!


Malware is VM aware

Intelligent malware can detect that it is running inside a virtual machine and not on a real user workstation by looking at different things (the VM guest-tools processes, the vendor prefix of the network card's MAC address, the hypervisor vendor string returned by the CPUID instruction, virtual device names in the BIOS and disk information), and if so it sleeps and does nothing, because it knows it is being evaluated in a virtual environment by a security team. Sandbox vendors compete to build an internal environment whose virtualization platform cannot be detected, so that the malware is active when it is analyzed. Think about it: if the Sandbox runs stock VMware virtual machines, then when it evaluates a sample, the sample is smart enough to recognize the well-known virtual environment and will do nothing, the Sandbox detects nothing suspicious, and the malware spreads inside the network undetected. Most Sandbox security vendors claim that they have their own (or heavily customized) virtualization platforms to simulate the end-user O.S. environment, but they do not share the details in public so that malware writers cannot get around their product. Two caveats for the practitioner: obscurity of this kind only holds until someone buys the product and fingerprints it, and a sample that goes quiet the moment it sees a VM is itself a signal, so a good Sandbox also reports the VM checks it observed the sample making.
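The following added example (not from the original post or from any product) lists the artifacts a VM-aware sample typically checks, the MAC address prefix and VM processes the text mentions plus the CPUID hypervisor vendor string and virtual device names, and runs the check over two constructed host snapshots: a stock VMware guest and a guest hardened the way a Sandbox vendor would. The same function serves both sides: the malware runs it to decide whether to stay dormant, and the Sandbox operator runs it to see what a sample would see. The OUI, process and CPUID values are publicly known; the snapshots, including the Intel OUI chosen for the hardened guest, are constructed.

```python
"""Hypervisor fingerprinting from guest artefacts.

Added example, not code from the original post or from any sandbox vendor.
The OUI, process and CPUID vendor values are the publicly known ones; the
two host snapshots are constructed for the illustration.
"""

# First three octets of MAC addresses assigned by virtualisation vendors.
VM_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Hyper-V",
    "52:54:00": "QEMU/KVM",
    "00:16:3e": "Xen",
}

# Guest-tools processes that only exist inside a VM.
VM_PROCESSES = {
    "vmtoolsd.exe": "VMware", "vmwaretray.exe": "VMware", "vmwareuser.exe": "VMware",
    "vboxservice.exe": "VirtualBox", "vboxtray.exe": "VirtualBox",
    "qemu-ga.exe": "QEMU",
}

# Vendor string returned by CPUID leaf 0x40000000 when a hypervisor is present.
CPUID_VENDORS = {
    "VMwareVMware": "VMware", "VBoxVBoxVBox": "VirtualBox", "KVMKVMKVM": "KVM",
    "Microsoft Hv": "Hyper-V", "XenVMMXenVMM": "Xen",
}

# Substrings that betray virtual hardware in BIOS, disk and video device names.
VM_HW_STRINGS = ("vmware", "virtualbox", "vbox", "qemu", "xen", "virtual")


def vm_indicators(host):
    """Return a list of (indicator, vendor) pairs found in a host snapshot.

    `host` is a dict with the keys used below; in a real check each value
    would come from the OS (adapter list, process list, the cpuid
    instruction, SMBIOS/WMI queries).  This is a constructed interface.
    """
    found = []
    for mac in host.get("macs", []):
        vendor = VM_OUIS.get(mac.lower()[:8])
        if vendor:
            found.append((f"mac_oui {mac}", vendor))
    for proc in host.get("processes", []):
        vendor = VM_PROCESSES.get(proc.lower())
        if vendor:
            found.append((f"process {proc}", vendor))
    vendor = CPUID_VENDORS.get(host.get("cpuid_vendor", ""))
    if vendor:
        found.append(("cpuid vendor string", vendor))
    if host.get("cpuid_hypervisor_bit"):          # ECX bit 31 of CPUID leaf 1
        found.append(("cpuid hypervisor-present bit", "unknown"))
    for field in ("bios_vendor", "disk_model", "video_adapter"):
        value = host.get(field, "").lower()
        for s in VM_HW_STRINGS:
            if s in value:
                found.append((f"{field} contains '{s}'", s))
                break
    return found


def evasive_sample_would_run(host):
    """Decision an evasive sample makes: any indicator means 'stay quiet'."""
    return not vm_indicators(host)


# Constructed snapshot of a stock VMware guest with the guest tools installed.
STOCK_VMWARE_GUEST = {
    "macs": ["00:0c:29:3a:5f:10"],
    "processes": ["explorer.exe", "vmtoolsd.exe"],
    "cpuid_vendor": "VMwareVMware",
    "cpuid_hypervisor_bit": True,
    "bios_vendor": "Phoenix Technologies LTD",
    "disk_model": "VMware Virtual disk SCSI Disk Device",
    "video_adapter": "VMware SVGA 3D",
}

# Constructed snapshot of a hardened sandbox guest: vendor OUI replaced, guest
# tools removed, CPUID and device strings spoofed to look like a desktop PC.
HARDENED_GUEST = {
    "macs": ["00:1b:21:4c:9e:02"],
    "processes": ["explorer.exe", "outlook.exe"],
    "cpuid_vendor": "",
    "cpuid_hypervisor_bit": False,
    "bios_vendor": "Dell Inc.",
    "disk_model": "ST1000DM003-1CH162",
    "video_adapter": "Intel(R) HD Graphics 530",
}

if __name__ == "__main__":
    for name, host in (("stock", STOCK_VMWARE_GUEST), ("hardened", HARDENED_GUEST)):
        print(name, "would run:", evasive_sample_would_run(host), vm_indicators(host))
```

Note that the hardened snapshot is the easy part of the problem: hiding the hypervisor-present CPUID bit and keeping timing behavior (for example how long privileged instructions take) consistent with real hardware is where vendors spend their effort, and it is exactly the detail they keep private.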

Final Thoughts

I believe that the Sandbox approach to detecting malware, alongside signature-based detection, is a big step towards better security. Sandboxes can usually detect malware that signature-based solutions cannot.

Nevertheless, most Sandboxes do not have images for Linux, Apple and other non-Windows operating systems, so if you use those a lot, a Sandbox will not help you there.

The interesting part is that botnet malware will usually stay in sleep mode until the bot master activates it. During the few minutes a Sandbox spends on a sample, such a bot shows no suspicious behavior at all, so unless the Sandbox fakes the passage of time (for example by skipping or shortening the sample's sleep calls) it will pass the analysis.

Furthermore, crackers are getting smarter now and will wait for the user to perform a couple of clicks on his machine before activating the malware, in order to bypass Sandbox systems: a virtual machine with nobody at the keyboard never produces those clicks. Interesting, right?
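The two evasions above, sleeping past the analysis window and waiting for user clicks, together with the countermeasures a Sandbox can apply to both, as an added example that is not part of the original post. The sample is a constructed model of that behavior; the 120-second budget, the sleep fast-forwarding and the injected clicks are assumptions about how a Sandbox might be configured, not a description of any product. It also shows that a long Sleep() right at start-up is itself reportable, so even the dormant run is not a clean bill of health.

```python
"""Stalling and user-interaction gating versus sandbox countermeasures.

Added example, not from the original post.  The sample below is a constructed
model of the two evasions described in the post (sleep, then wait for user
clicks); the analysis budget, sleep-skipping and synthetic-input values are
assumptions about a sandbox configuration, not any product's behaviour.
"""


class AnalysisTimeout(Exception):
    """Raised when the sample exhausts the sandbox's wall-clock budget."""


class GuestEnvironment:
    """What the sample can observe: a clock, Sleep(), and user input."""

    def __init__(self, wall_budget=120.0, skip_sleep=False, synthetic_clicks=0):
        self.wall_budget = wall_budget    # real seconds the sandbox will spend (assumed)
        self.skip_sleep = skip_sleep      # fast-forward the guest clock instead of waiting
        self.clicks = synthetic_clicks    # mouse events injected by the sandbox
        self.wall = 0.0                   # real time consumed so far
        self.guest_clock = 0.0            # time as seen by the sample
        self.sleep_calls = []             # recorded for the evasion report
        self.events = []                  # behaviour log

    def sleep(self, seconds):
        self.sleep_calls.append(seconds)
        self.guest_clock += seconds       # the sample always sees time pass...
        if not self.skip_sleep:
            self.wall += seconds          # ...but only a naive sandbox really waits
        if self.wall > self.wall_budget:
            raise AnalysisTimeout()

    def clicks_seen(self):
        return self.clicks


def evasive_sample(env):
    """Constructed malware logic: stall, check for a human, then act."""
    env.sleep(600)                        # 10 minutes, longer than typical analysis windows
    if env.clicks_seen() < 3:             # nobody at the keyboard: stay dormant
        return "dormant"
    env.events.append("net_connect 203.0.113.7:443")          # the real payload
    env.events.append("reg_set HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater")
    return "detonated"


def run_analysis(skip_sleep=False, synthetic_clicks=0):
    """Detonate the sample under one sandbox configuration and report."""
    env = GuestEnvironment(skip_sleep=skip_sleep, synthetic_clicks=synthetic_clicks)
    try:
        outcome = evasive_sample(env)
    except AnalysisTimeout:
        outcome = "timeout"
    return {
        "outcome": outcome,
        "events": list(env.events),
        # Even a dormant sample gives itself away: a very long Sleep() right
        # after start-up is an evasion indicator worth reporting on its own.
        "stalling_suspected": any(s >= 300 for s in env.sleep_calls),
    }


if __name__ == "__main__":
    print("naive sandbox        ", run_analysis())
    print("sleep skipping only  ", run_analysis(skip_sleep=True))
    print("skipping + fake input", run_analysis(skip_sleep=True, synthetic_clicks=3))
```

Run the three configurations and the point of the post falls out: the naive Sandbox times out with an empty behavior log, sleep skipping alone gets the sample past its stall but it still refuses to act, and only the combination of fast-forwarded time and simulated user activity produces the C2 connection and the Run key that the behavior patterns can score.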

Again, a Sandbox is definitely a big step in the right direction that can raise your security level, but it is not completely bulletproof, and these products are expensive both financially and operationally. A simple risk assessment in your company is the way to go when deciding whether to purchase one of those products, as the answer depends on the business you are in.

