Sandbox Detection

The term Sandbox Detection refers to a variety of evasion techniques that malware uses to determine whether it is being analyzed and executed within a sandbox. Sandbox detection is one of the three primary methods malware authors use to identify and defeat sandbox environments; the other two are exploiting weaknesses in a sandbox's architecture and using context-aware malware.

How Sandbox Detection works

Malware that uses the sandbox detection evasion method attempts to determine the presence of a sandbox by analyzing the differences between a sandbox environment and a potential victim's real system. These attempts can be broadly divided into four categories: (1) detecting virtualization or the presence of a hypervisor, (2) detecting sandbox artifacts, (3) detecting an artificial environment, and (4) timing-based detection.

Detecting virtualization or the presence of a hypervisor is the oldest and most rudimentary technique that malware employs to detect a sandbox. It relies on finding technical artifacts that virtual machine hypervisors were prone to leaving behind on older systems. With modern hardware virtualization support there are far fewer (and sometimes no) such artifacts to be found. Consequently, VM environments are now rarely used by malware analysts in the same way, making this method much less relevant today.

Malware attempting to detect sandbox artifacts searches for abnormal or telling aspects of the system that would be unusual on a real machine. These can include the presence of a known VM vendor or product name anywhere within system files, the presence of monitoring hooks, or, in the case of emulators, exploitable holes in the emulated environment itself.

Malware that attempts to detect an artificial environment typically does so by examining the system specifications and identifying unusual configurations that might indicate a sandbox. These can include a small screen resolution, the lack of 3D rendering capability, or even a suspicious lack of network activity.

Malware that uses a timing-based detection method takes advantage of the timing penalty that monitoring an application's behavior imposes. By measuring the resulting time discrepancies, malware can infer the presence of a sandbox.
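As an added example (not code from the original article or from any vendor), the following Python triages a constructed sandbox behaviour trace for evidence of the four detection categories described above, so an analyst can tell which evasion checks a sample performed. The trace format, event names, vendor-string watch-list and thresholds are assumptions, not any product's real output.

```python
import re
# Constructed sample trace (assumed format, not real sandbox output): "<seq> <event> k=v ...".
SAMPLE_TRACE = """\
1 cpuid leaf=0x1
2 cpuid leaf=0x40000000
3 file_read path=C:\\Windows\\System32\\drivers\\vmmouse.sys
4 reg_read key=HKLM\\HARDWARE\\DESCRIPTION\\System value=SystemBiosVersion
5 screen_query width=800 height=600
6 net_query bytes_received=0
7 timer_read source=rdtsc
8 sleep ms=5000
9 timer_read source=rdtsc
"""
# Assumed watch-list of hypervisor vendor/product strings; extend it for your own lab.
VM_STRINGS = re.compile(r"vmware|vbox|virtualbox|qemu|xen|vmmouse|hyperv", re.I)
MIN_PIXELS = 1024 * 768  # assumed lower bound for a realistic display

def parse(trace):
    """Turn the trace text into (seq, event_name, {arg: value}) tuples; blank lines are skipped."""
    events = []
    for line in filter(str.strip, trace.splitlines()):
        seq, name, *kvs = line.split()
        events.append((int(seq), name, dict(kv.split("=", 1) for kv in kvs)))
    return events

def triage(trace):
    """Map each detection category to the seq numbers of the events exhibiting it."""
    hits = {"hypervisor": [], "artifact": [], "environment": [], "timing": []}
    last_timer, slept = None, False
    for seq, name, a in parse(trace):
        if name == "cpuid" and int(a.get("leaf", "0"), 16) >= 0x40000000:
            hits["hypervisor"].append(seq)  # query of the hypervisor CPUID leaf range
        elif name in ("file_read", "reg_read") and VM_STRINGS.search(" ".join(a.values())):
            hits["artifact"].append(seq)  # probe for a VM vendor/product name
        elif name == "screen_query" and int(a["width"]) * int(a["height"]) < MIN_PIXELS:
            hits["environment"].append(seq)  # unusually small display
        elif name == "net_query" and a.get("bytes_received") == "0":
            hits["environment"].append(seq)  # no network activity seen
        elif name == "timer_read":
            if last_timer is not None and slept:
                hits["timing"].extend([last_timer, seq])  # timer / sleep / timer pattern
            last_timer, slept = seq, False
        elif name == "sleep":
            slept = True
    return hits

def verdict(hits):
    """Two or more categories with evidence is a strong sandbox-awareness signal."""
    n = sum(1 for v in hits.values() if v)
    return "likely sandbox-aware" if n >= 2 else "no strong evasion signal"
```

Running `verdict(triage(SAMPLE_TRACE))` on the constructed trace flags all four categories; the non-matching registry read at seq 4 shows that ordinary system queries are not counted as artifact probes.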