The creators of mass-market Trojans go to great lengths to get their malicious code to execute on victims’ computers. The masterminds behind complex threats and APT attacks spend no less effort on the opposite: mechanisms that keep their code from executing under the wrong conditions. That is how they bypass security technologies, in particular sandboxes.
Sandboxes and evasion techniques
One of the basic tools for identifying malicious activity is the sandbox: a controlled, isolated environment in which a security solution can execute suspicious code and record every action it takes without any risk to the real system. If malicious activity is detected, the solution blocks the code from running outside the sandbox.
This containment method is very effective against mass threats, and security vendors build some form of sandboxing into most security solutions. Cybercriminals have therefore developed techniques whose sole purpose is to determine whether the malware is running in a controlled environment or on a real workstation. The simplest checks try to reach an outside server (which ordinary sandboxes block) or inspect system parameters such as CPU count, memory, disk size, uptime and installed software for values typical of a freshly provisioned analysis VM. If something looks off, the malware usually self-destructs without performing any malicious action, leaving nothing for researchers to analyze. More advanced threats also look for a real user: recent keyboard or mouse input, browsing history, documents in the recent-files list. Code that finds no trace of human activity concludes that it is probably running in a sandbox.
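The decision logic such evasive samples implement, as an added illustration that is not code from this page or from Kaspersky: the check names, thresholds and host profiles are constructed assumptions, and the observations a real sample would gather through Windows APIs are passed in as plain values so the example runs offline. It also shows the tailored check mentioned later on this page: a perfectly realistic workstation that lacks one piece of company-specific software still makes the sample self-destruct.

```python
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Thresholds are illustrative assumptions, not values taken from any real malware family.
MIN_CPUS = 2
MIN_RAM_GB = 4.0
MIN_DISK_GB = 60.0
MIN_UPTIME_MIN = 10
MAX_IDLE_SECONDS = 600


@dataclass
class HostProfile:
    """Observations a sample would collect before deciding whether to run.

    On a real Windows host these come from GetSystemInfo, GlobalMemoryStatusEx,
    GetTickCount64, GetLastInputInfo, a DNS lookup and a registry walk; here they
    are supplied as constructed values so the logic runs offline."""
    cpu_count: int
    ram_gb: float
    disk_gb: float
    uptime_minutes: int
    outbound_dns_ok: bool                  # could an external hostname be resolved?
    seconds_since_last_input: float        # idle time reported by the OS
    recent_documents: int                  # entries in the user's recent-files list
    cursor_samples: List[Tuple[int, int]]  # mouse positions sampled a few seconds apart
    installed_software: List[str]


def tripped_checks(p: HostProfile, required_software: Sequence[str] = ()) -> List[str]:
    """Return the names of every sandbox indicator the profile triggers."""
    hits = []
    # 1. Outbound connectivity: ordinary sandboxes block or sinkhole external traffic.
    if not p.outbound_dns_ok:
        hits.append("no_outbound_network")
    # 2. System parameters typical of a freshly provisioned analysis VM.
    if p.cpu_count < MIN_CPUS or p.ram_gb < MIN_RAM_GB or p.disk_gb < MIN_DISK_GB:
        hits.append("small_machine")
    if p.uptime_minutes < MIN_UPTIME_MIN:
        hits.append("short_uptime")
    # 3. Evidence of a human: input activity, mouse movement and a used profile.
    if p.seconds_since_last_input > MAX_IDLE_SECONDS:
        hits.append("user_idle")
    if len(set(p.cursor_samples)) <= 1:
        hits.append("cursor_never_moved")
    if p.recent_documents == 0:
        hits.append("empty_recent_documents")
    # 4. Tailored check: the intended victim is known to run specific software,
    #    so its absence means this host is not the target.
    missing = [s for s in required_software if s not in p.installed_software]
    if missing:
        hits.append("missing_expected_software")
    return hits


def decide(p: HostProfile, required_software: Sequence[str] = ()) -> str:
    """'self_destruct' if any indicator fires, otherwise 'detonate'.

    Real samples often tolerate a hit or two; treating any hit as fatal is the
    simplest policy and the assumption used here."""
    return "self_destruct" if tripped_checks(p, required_software) else "detonate"


# Constructed profiles (not measurements of any real product or host).
BARE_SANDBOX = HostProfile(
    cpu_count=1, ram_gb=2.0, disk_gb=40.0, uptime_minutes=3,
    outbound_dns_ok=False, seconds_since_last_input=1800.0, recent_documents=0,
    cursor_samples=[(512, 384)] * 5, installed_software=["Microsoft Office"],
)
WORKSTATION = HostProfile(
    cpu_count=4, ram_gb=16.0, disk_gb=512.0, uptime_minutes=4_320,
    outbound_dns_ok=True, seconds_since_last_input=12.0, recent_documents=37,
    cursor_samples=[(100, 200), (130, 215), (131, 215), (180, 260), (182, 270)],
    installed_software=["Microsoft Office", "Google Chrome", "Cisco AnyConnect"],
)

if __name__ == "__main__":
    for name, prof in (("bare sandbox", BARE_SANDBOX), ("workstation", WORKSTATION)):
        print(f"{name:13s}: {decide(prof)} {tripped_checks(prof)}")
    # The same workstation fails a check tailored to a company that runs SAP GUI.
    print("tailored     :", decide(WORKSTATION, required_software=["SAP GUI"]),
          tripped_checks(WORKSTATION, required_software=["SAP GUI"]))
```

Read from the defender's side, every name in `tripped_checks` is something the detonation environment has to present convincingly: outbound connectivity (real or emulated), plausible hardware and uptime, a used profile, a moving cursor and, for targeted samples, the exact software the victim runs. A generic cloud image cannot satisfy that last item; a per-company environment can.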
Naturally, we have responded by improving our anti-evasion technologies. Our infrastructure incorporates a powerful sandbox with mechanisms for emulating a variety of environments, backed by Kaspersky’s accumulated knowledge of malicious behavior. Researchers can use part of its functionality remotely through the Kaspersky Cloud Sandbox solution.
A remote sandbox, however, does not always suit large companies with their own security operations centers. First, many internal and external regulations prohibit transferring any information, suspicious code included, to third-party servers. Second, malware tailored to a specific company can check for conditions unique to that infrastructure (for example, the presence of highly specialized software) that a generic sandbox image will never satisfy. For these cases our solution, Kaspersky Research Sandbox, can be deployed inside the corporate infrastructure.
Kaspersky Research Sandbox key features
Kaspersky Research Sandbox transfers nothing out of the infrastructure; where a link to Kaspersky threat intelligence is needed, it can work through Kaspersky Private Security Network operating in data-diode mode, in which data flows only inward. Its main advantage, however, is that researchers can build their own emulation environment: an exact isolated copy of the typical workstation employees use at the company, with all of its specific software and network settings, on which suspicious objects are detonated and studied.
What’s more, Kaspersky Research Sandbox not only uses advanced behavior analysis to track everything that happens in this isolated environment, it also mimics human activity in the system, so the user-presence checks described above find the activity they expect. This lets the sandbox detonate, analyze and detect advanced threats even when they are tailored specifically for your infrastructure.
The solution can emulate machines running Microsoft Windows or Android. You can learn more about Kaspersky Research Sandbox on the solution's dedicated page.