The process of detecting sandbox artifacts is an evasion technique employed by certain malware families. This evasion technique involves an attempt by malware to determine the presence of a sandbox by searching for identifiable artifacts, such as common VM vendor names on files, monitoring hooks, emulation gaps, or abnormal system compositions that would indicate the existence of an analysis environment. Sandbox environments are generally employed expressly for malware analysis. As such, their system compositions tend to differ from that of most normal workstations. In most cases, malware that detects the presence of a sandbox environment will either terminate or exhibit benign behavior to avoid detection.
Malware attempting to detect sandbox artifacts will do so in a variety of ways. Most rudimentarily, malware may attempt to identify vendor-specific artifacts, searching for virtual machine product names within files, file system structures, drivers, processes, usernames, or Windows IDs. This may also involve malware attempting to detect the presence of mechanisms that certain virtual machine products use to restore a sandbox environment to a previous clean version once it has been infected.
Armed with vendor-specific knowledge, malware that attempts to detect sandbox artifacts may do so by identifying the presence of certain sandbox technologies to determine the presence of an artificial environment. One such example would be the presence of monitoring hooks. Malware can detect these hooks by investigating particular instructions or by verifying the integrity of the system.
In emulation environments, malware may probe for emulation gaps by invoking obscure CPU instructions unlikely to be included in the emulation. If these calls fail, malware will recognize it is being run within an emulated analysis environment.
Some of the particularities of sandbox environments may include small screen resolutions, lack of any 3D rendering capabilities, only one (virtual) CPU, small storage space, small physical memory sizes, lack of commonly used software such as mail clients, a suspicious lack of network activity, or a lack of browser cookies or user files. These differences can be analyzed by malware in an attempt to establish the presence of a sandbox environment.
Autonomous Response to critical malware alerts
VMRay + Palo Alto Networks JOINT WEBINAR