Unlike classic anti-virus solutions, a suspicious file in sandboxes is not executed by the user system but in a virtual test system, the "sandbox", in the most realistic environment possible. At the same time, their actions are monitored. The objective: The sandbox should be able to detect previously unknown malware by its behavior. In addition, IT specialists use sandboxes as part of their own analyses of malware.
In order to prevent their malware from being detected, the authors of malware started early on to implement countermeasures that significantly complicate or even prevent analysis - this is known as "sandbox evasion". Usually, the malware first performs various checks to determine whether it is running in a secured sandbox. If such clues are found, it stops the further execution of its malicious code and, as a result, is not recognized.
Scientists at Fraunhofer FKIE now discovered a new form of "sandbox evasion": Here, the malware first carries out a "fake action". While this fake action is logged by the sandbox, the action is changed unnoticed, so that the sandbox logs a benign rather than the malicious action.
In a study supported by the German Armed Forces Cyber Security Center (ZCSBw), Fraunhofer FKIE tested eight sandbox solutions available on the market for the reaction of the new form of "Sandbox Evasion". Independent of the sandbox technique used (user mode, kernel mode, hypervisor or emulation-based), this type of evasion could be performed. Of the eight sandbox solutions tested, four were susceptible, another was partially susceptible. With the other three Sandbox solutions the evasion does not work and the malicious actions were correctly detected and logged by the Sandbox.
The manufacturers of the sandboxes concerned have been informed of this vulnerability in their systems. The results of the study were documented in a report explaining the technical details of the vulnerabilities. At the same time, Fraunhofer FKIE provided a tool for checking and some anonymous