{"id":28110,"date":"2019-08-26T06:09:10","date_gmt":"2019-08-26T10:09:10","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=28110"},"modified":"2021-05-14T09:44:51","modified_gmt":"2021-05-14T13:44:51","slug":"kaspersky-sandbox-patent","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/kaspersky-sandbox-patent\/28110\/","title":{"rendered":"A honeytrap for malware"},"content":{"rendered":"

I haven\u2019t seen the sixth\u00a0Mission Impossible<\/a><\/em>\u00a0movie, and I don\u2019t think I will. I sat through the fifth \u2014 in suitably zombified state, returning home on a long-haul flight after a tough week\u2019s business \u2014 but only because one scene in it was shot in our shiny new modern\u00a0London office<\/a>. And that was one Mission Impossible<\/em> installment too many, really. Nope \u2014 not for me. Slap, bang, smash, crash, pow, wow. Oof. Nah, I prefer\u00a0something<\/a>\u00a0a little more challenging, thought-provoking and just plain interesting. After all, I have precious little time as it is!<\/p>\n

I really am giving Tom Cruise and Co. a major dissing here, aren\u2019t I? But hold on. I have to give them their due for at least one scene done really rather well (i.e., thought-provoking and plain interesting!). It\u2019s the one where the good guys need to get a bad guy to rat on his bad-guy colleagues, or something like that. So they set up a fake environment in a \u201chospital\u201d with \u201cCNN\u201d on the \u201cTV\u201d broadcasting a news report about atomic Armageddon. Suitably satisfied his apocalyptic manifesto has been broadcast to the world, the baddie gives up his pals (or was it a login code?) in the deal arranged with his interrogators. Oops.\u00a0Here\u2019s the clip<\/a>.<\/p>\n

Why do I like this scene so much? Because, actually, it demonstrates really well one of the methods of detecting \u2026 previously unseen cyberthreats! There are in fact many such methods \u2014 they vary depending on area of application, effectiveness, resource use, and other parameters (I\u00a0write<\/a>\u00a0about them regularly here). But one always seems to stand out:\u00a0emulation<\/a>\u00a0(about which I\u2019ve also written\u00a0plenty<\/a>\u00a0here before).<\/p>\n

As in the MI<\/em> movie, an emulator launches the object being investigated in an isolated, artificial environment, which encourages it to reveal its maliciousness.<\/p>\n

But there\u2019s one serious downside to such an approach \u2014 the very fact that the environment is artificial. The emulator does its best to make that artificial environment seem as much as possible like a real operating system environment, but ever-increasingly smart malware still manages to distinguish it from the real thing \u2014 and then the emulator sees how the malware recognized it, regroups and improves its emulation, and on and on in a never-ending cycle that regularly opens the window of vulnerability on a protected computer. The fundamental problem is that no emulator has yet been the spitting image of a real OS.<\/p>\n

On the other hand, there\u2019s another option for tackling the behavioral analysis of suspicious objects: analysis \u2014 on a\u00a0real<\/em>\u00a0operating system \u2014 one on a virtual machine. Well, why not? If the emulator never quite fully cuts it, let a real, albeit virtual, machine have a go! It would be the ideal \u201cinterrogation\u201d \u2014 conducted in a real environment, not an artificial one, but with no real negative consequences.<\/p>\n

On hearing about this concept, some may rush to ask why no one thought of it before. After all, virtualisation has been in the tech-mainstream since 1992. Well, as it turns out, it\u2019s not so simple.<\/p>\n

First, analyzing suspicious objects in a virtual machine is a resource-intensive process, suited only to heavyweight enterprise-grade security solutions, where scanning needs to be super-intensive so that absolutely zero maliciousness gets through the defenses. Alas, for home computers, let alone smartphones, this technology isn\u2019t suitable \u2014 yet.<\/p>\n

Second, such things actually do exist. In fact, we already use this technology \u2014 internally, here at the\u00a0K<\/em>ompany \u2014 for internal investigations. But in terms of market-ready products, not many are available yet. Competitors have released similar products, but their effectiveness leaves a lot to be desired. As a rule, such products are limited to just collecting logs and basic analysis.<\/p>\n

Third, launching a file on a virtual machine is just the beginning of a very long and tricky process. After all, the aim of the exercise is to have the maliciousness of an object reveal itself, and for that you need a smart hypervisor, behavior logging and analysis, constant fine-tuning of the templates of dangerous actions, protection from anti-emulation tricks, execution optimization, and much more.<\/p>\n

Here I can say without false modesty that we truly are way ahead \u2014 of the whole planet!<\/p>\n

Recently we were granted a U.S. patent (US10339301<\/a>) covering the creation of a suitable environment for a virtual machine for conducting deep, rapid analysis of suspicious objects. Here\u2019s how it works:<\/p>\n