Four New Techniques Uncovered for Malware to Evade Traditional, File-Based Sandboxing Technologies
Milpitas, CA - Apr 8, 2014 – FireEye, Inc. (NASDAQ: FEYE), the leader in stopping today’s advanced cyber attacks, today announced the release of “Hot Knives Through Butter: Evading File-based Sandboxes.” Drawing from data uncovered in observing thousands of advanced attacks that avoided detection by signature-based security solutions and file-based sandboxing solutions, “Hot Knives” provides a look at how important contextual analysis within a hardened hypervisor has become in fighting advanced attacks.
“Stealth and evasion represent the basic tools of the trade for advanced attackers, and security professionals need to stay on top of the latest techniques to avoid becoming the next headline,” said Jon Oltsik, senior principal analyst, Enterprise Strategy Group. “Today, sandboxes are becoming a standard in security — but not all sandboxes are built alike. Knowing how sandboxes work and the evasion techniques deployed against them can help avoid a serious breach.”
Originally released in August 2013, “Hot Knives” detailed 11 evasion techniques used by advanced persistent threats (APTs) and advanced malware to bypass configuration-specific, environment-specific, VMware-specific, and human interaction-based sandbox testing techniques. The four new techniques detailed in this latest version of the report include:
Use of malicious downloaders that take advantage of the fact that most file-based sandboxes are not configured with an internet connection, so the downloaders' failed HTTP requests are detected but the malicious sites they point to are not.
Execution name of the analyzed file, whereby attackers have their code check for the predefined name sandboxes assign to files during execution and signal their malware to remain dormant to avoid detection.
Volume information detection, whereby malware identifies the serial numbers of hard drives that are copied from one sandbox to the other and aborts the operation if the serial numbers match known sandboxes.
Execution after rebooting, whereby malware remains dormant until after a reboot to take advantage of the fact that sandboxes do not normally reboot.
“Today’s attackers have built techniques to bypass the use of virtualization and sandboxing in the enterprise for far longer than traditional security solutions have been designed to think about them,” said Abhishek Singh, senior staff research scientist engineer, FireEye. “Approaching security from the standpoint of monitoring activities without context around them is akin to navigating without a compass. With these latest techniques, it is more important than ever to look beyond the surface of what file-based sandboxing technologies can do.”
FireEye has invented a purpose-built, virtual machine-based security platform that provides real-time threat protection to enterprises and governments worldwide against the next generation of cyber attacks. These highly sophisticated cyber attacks easily circumvent traditional signature-based defenses, such as next-generation firewalls, IPS, anti-virus, and gateways. The FireEye Threat Prevention Platform provides real-time, dynamic threat protection without the use of signatures to protect an organization across the primary threat vectors and across the different stages of an attack life cycle. The core of the FireEye platform is a virtual execution engine, complemented by dynamic threat intelligence, to identify and block cyber attacks in real time. FireEye has over 1,900 customers across more than 60 countries, including over 130 of the Fortune 500.