Over the last decade, malicious software (malware) attacks have become a pervasive problem for Internet users and enterprise network administrators. In most situations, malware is a program or file that is embedded within downloadable content and designed to adversely influence or attack normal operations of an electronic device (e.g. computer, tablet, smartphone, server, router, wearable technology, or other types of products with data processing capability). Examples of different types of malware may include bots, computer viruses, worms, Trojan horses, spyware, adware, or any other programming that operates within an electronic device without permission by the user or a system administrator.
Over the past few years, various types of security appliances have been deployed within an enterprise network in order to detect behaviors that signal the presence of malware. Some of these security appliances conduct dynamic analysis on suspicious content within a sandbox environment in order to determine if malware is present. As a result, some malware is now being coded to evade analysis within a sandbox environment.
Currently, there are various techniques that malware is using to evade sandboxed malware analysis. They can be broadly categorized as:
[1] Environment checking: Malware checks for several environmental facts to identify whether it is being run in a sandbox. In response, the malware may halt its execution to avoid detection upon sandbox detection. This may be accomplished by the malware querying for a CPUID string;[2] User Interaction: Malware will not perform any malicious activity until some user interaction is provided, contrary to capabilities of most sandbox environments.[3] Presence of AV/Detection tool: Malware checks for specific artifacts that indicate an anti-virus or sandboxed detection is in effect (e.g. if certain system APIs are hooked); and[4] Stalling: Malware delays execution for substantial time such that the malicious activity is not performed within run-time of sandbox.
As a result, mechanisms are necessary to detect all types of malware, even malware that is specifically configured to evade detection within a sandbox environment such as a virtual machine (VM) based environment.