From Detecting Threats to Collecting Rich Signature Data — Sandboxes Help Malware Researchers Keep Defense Systems In Sync With An Evolving Threat Landscape.
By Jack Zalesskiy, Technology Writer, ANY.RUN
Over 270,000 new malware variants were detected in the first half of 2022 alone — up 45 percent from the same period last year. These previously unidentified strains — known as zero-day or zero-hour malware — are among the most unpredictable curveballs adversaries can hurl at our security systems. Under the right circumstances, they can even become completely unstoppable.
That’s because of how firewalls, endpoint protection platforms (EPP), and intrusion detection and prevention systems (IDPS) — the tools we use to automatically ward off cyberthreats — separate what they discern as malicious from benign.
These systems are predominantly signature based. Although there are advances to incorporate AI and behavioral-based detection into antivirus software, the technology isn’t completely reliable yet. Consequently, these systems rely on examining files for known hashes, static patterns, or behavioral patterns and comparing them to established signatures in threat databases.
But what if a signature hasn’t been added to a database yet? That’s when malware has a chance to pierce the defenses.
Incidents involving new or modified malware exploiting zero-day vulnerabilities are among the most notorious: Sony pictures breach in 2014, attack on RSA in 2011, Operation Aurora which put 20 high-profile organizations in the line of fire. More recent incidents include an attack on General Bytes and a phishing campaign involving Magniber, a ransomware aimed at Windows users.
This situation creates a paradigm where the defense team’s success hinges on identifying new signatures before a potential infection occurs. In part, this is what fuels the ongoing arms race between adversaries and security specialists — and the surge in new malware variants we saw last year.
Sandbox in a security system
If you imagine endpoint detection systems as alarms that notify you about break-ins, a sandbox is like a lie detector, crime lab, and forensic artist all fused into one. It gives researchers a faster way to analyze malware, collect Indicators of Compromise (IOCs), and add them to various end-point detection products that make up an organization’s protective barrier.
At its core, a sandbox is a specially configured monitoring environment designed to emulate a real operating system. Researchers use it to detonate and observe malware without jeopardizing the host machine. Sandboxes employ a combination of AI, ML, heuristic-based, and behavior-based detection, along with manual fine-tuning and proprietary techniques unique to each vendor, to effectively identify threats where signature-based detection falls short.
There’s been an explosion of sandboxes in recent years, as we wrestle with increasingly sophisticated malware. They vary from virtualized environments and cloud services to on-premises server racks that mimic end-users’ hardware configs.
If you imagine that firewalls are at the very edge of the defensive network, while tools like data loss prevention systems sit close to the organization’s core, sandboxes fit somewhere in the middle.
They come into play when researchers encounter suspicious objects and need to examine them to extract malware configurations. Sandboxes can also assist with malware detection and incident response, but their application in these areas is more situational.
After processing a sample — usually a suspicious file or link — the sandbox assigns its verdict (malicious or not) and displays rich analysis data: strings, like C2 addresses and file hashes. Then it’s up to the analyst to decide whether to dig deeper manually or use the signatures obtained from the analysis output to configure end-point detection programs.
Sandboxing still requires the supervision of a trained security researcher, but it can significantly reduce the time required to obtain results. It can even enable junior, mid-level, or broader-scope security specialists to complete a task that would otherwise need to involve a senior malware researcher.
It is through this continuous cycle of analyzing new threats, extracting signatures, and strengthening endpoint detection that an organization’s security perimeter becomes hardened against emerging threats.
While sandboxes are incredibly helpful in accelerating malware analysis, they are not infallible. To surveil processes for signs of malicious activity, sandboxes deploy monitoring hooks, which leave artifacts that can clue the malware into the fact that it’s being observed. Nowadays, when most malware detects that it’s running within a sandbox, it either halts the execution or performs a benign action instead.
Other anti-evasion techniques involve scanning the execution environment for files containing names of known sandbox vendors, setting an execution timeout, or waiting for user input before the malware triggers.
Some sandboxes counteract anti-evasion techniques by mimicking user actions (like moving a cursor and clicking on documents), using non-intrusive monitoring techniques, while others give control over the execution flow back to the researcher.
In most sandboxes, the workflow is such that you configure the VM environment, hit the run button and wait for results. If the malware detects the sandbox in the middle of the simulation, it can try to erase itself from the disk, terminate execution, or hide malicious actions, and there’s nothing you can do to prevent that.
In an interactive sandbox, however, researchers can control the simulation by performing actions that would typically trigger the malware. From the user’s perspective, the simulation process resembles using a standard virtual machine. However, behind the scenes, the sandbox continues to gather behavioral artifacts. Right now, this is the closest one can get to running the simulation on a physical system that’s been set up for malware analysis, without actually going through the hassle of setting one up.
An essential part of a security system
As the threat landscape evolves, sandboxes like ANY.RUN have become crucial in the arsenal of cybersecurity professionals. They provide a safe environment for analyzing malware, extracting valuable intelligence, and informing the configuration of defensive systems. By staying ahead of emerging threats, organizations can strengthen their security posture and mitigate the risk of potential breaches.
However, sandboxes are just one component of a robust cybersecurity strategy. They should be part of a comprehensive approach that includes firewalls, intrusion detection and prevention systems, data loss prevention, access control systems, and ongoing security training for employees.
By combining these elements, organizations can create a multi-layered defense that protects against both known and unknown threats. This ensures a secure and resilient network in the face of an ever-changing online environment.
About the Author
Jack Zalesskiy is a technology writer at ANY.RUN with five years of experience under his belt. He closely follows malware incidents, data breaches, and the way in which cyber threats manifest in our day-to-day lives.
Jack can be reached online at firstname.lastname@example.org and at our company website ANY.RUN – Interactive Online Malware Sandbox