Dilshan Keragala writes in his excellent 2016 SANS Paper on Detecting Malware and Sandbox Evasion Techniques that “The proposition of Malware Sandbox analysis techniques is an effective remedy to the challenge posed by malware attacks. The concept behind a malware Sandbox analysis system is to capture the malicious program sample in a controlled testing environment (sandbox) where its behavior can be closely studied and analyzed (Messmer, 2013). The automated environment makes it easier to follow the progress of the malware and prepare a database that can be used to study future strains and categorize them into families. Notwithstanding these measures, cyber criminals are developing techniques with which to circumvent the security measures put in place by malware analysts leveraging detection-based sandboxes. They have been coming up with more sophisticated malware to evade the detection techniques of sandboxes (Singh, 2015). In the past, only a few viruses were able to evade detection; today, the number has taken a dramatic increase.”
In malware sandbox analysis, samples are executed inside the controlled environment so that their behavior can be observed and recorded.
According to Dr. Ralf Hund, Co-Founder and CTO at VMRay, in his Pafish primer, “It’s important to note that virtual machine detection itself is no longer that relevant for malware authors as it had been in the past, and its relevance may vanish completely within the next few years as virtualization becomes a pervasive part of enterprise production environments. However, there still exists a lot of legacy malware that refuses to operate correctly when being executed inside a VM. For modern complex cyberthreats, it is more relevant to hide the specific artifacts of the security solution itself, because this is what actually differentiates the analysis environment from a real victim machine. Depending on the underlying technology it still can become hard, or even impossible, to reach this goal: the more the monitoring component intervenes in the analysis environment, the more complex it becomes to completely hide its tracks.”
Paranoid Fish (pafish) is a tool for detecting malware analysis environments, replicating what malware will do in the wild to detect if it is being analyzed. Dr. Hund writes about Pafish’s detection methods and shows why an agentless sandbox like VMRay Analyzer is not affected by them at all.
Pafish uses several checks to detect the presence of a virtual machine and an underlying hardware hypervisor, all of which are based on properties of the CPU.
The first method uses the high-resolution timestamp counter (TSC). The rdtsc instruction is executed twice in succession and the difference between the two resulting timestamps is calculated. If this sequence runs on a virtual machine and the hypervisor intercepts the rdtsc executions, the resulting time difference is much larger than on a physical system. However, if one has full control over the hypervisor itself, this check can easily be thwarted.
The second CPU-based check also uses rdtsc, this time to measure the execution time of the cpuid instruction. The trick exploits the fact that on most x86 CPUs this instruction always traps into the hypervisor. On Intel CPUs this behavior cannot be changed at all, and on AMD disabling it causes other problems and creates new ways to detect the VM. However, modern CPUs allow precise calculation of the time needed for instructions such as vmenter, vmexit, or cpuid. This knowledge can be used to transparently hide the clock cycles consumed outside the guest machine and thus make the hypervisor undetectable by this method.
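The following is an added C example, written for this page and not taken from pafish or VMRay, that implements both measurements described above so an analyst can see what their own environment reports: a plain back-to-back rdtsc delta, and an rdtsc delta with a cpuid in between (which forces the VM exit). The thresholds (750 and 1000 cycles) are illustrative values chosen for this example, not claimed to be pafish's; the `avg_delta`, `classify` and probe function names are also this example's own. On a non-x86 build the probes return -1 and the classifier reports "unsupported" instead of guessing.

```c
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>   /* __rdtsc() */
#include <cpuid.h>       /* __cpuid() macro */
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

/* Method 1: read the TSC twice back to back and return the cycle difference.
 * Returns -1 on builds where rdtsc does not exist. */
static long long tsc_delta_plain(void) {
#if HAVE_X86
    uint64_t t0 = __rdtsc();
    uint64_t t1 = __rdtsc();
    return (long long)(t1 - t0);
#else
    return -1;
#endif
}

/* Method 2: same measurement with a cpuid between the two reads. cpuid traps
 * into the hypervisor on most x86 systems, so the delta includes a VM exit. */
static long long tsc_delta_cpuid(void) {
#if HAVE_X86
    unsigned int a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);
    uint64_t t1 = __rdtsc();
    (void)a; (void)b; (void)c; (void)d;
    return (long long)(t1 - t0);
#else
    return -1;
#endif
}

/* Average n samples of a probe, discarding one warm-up sample first so
 * cache and branch-predictor effects do not skew the first reading.
 * Returns -1 if n is not positive or the probe is unsupported. */
static long long avg_delta(long long (*probe)(void), int n) {
    long long sum = 0;
    if (n <= 0) return -1;
    (void)probe();
    for (int i = 0; i < n; i++) {
        long long d = probe();
        if (d < 0) return -1;
        sum += d;
    }
    return sum / n;
}

/* Decision logic kept separate from measurement so it can be unit-tested:
 * 1 = delta exceeds threshold (interception suspected), 0 = native-looking,
 * -1 = measurement unsupported on this build. */
static int classify(long long avg_cycles, long long threshold) {
    if (avg_cycles < 0) return -1;
    return avg_cycles > threshold ? 1 : 0;
}

int main(void) {
    const long long PLAIN_THRESHOLD = 750;  /* illustrative, not pafish's value */
    const long long CPUID_THRESHOLD = 1000; /* illustrative, not pafish's value */
    long long plain = avg_delta(tsc_delta_plain, 10);
    long long cpuid = avg_delta(tsc_delta_cpuid, 10);
    printf("rdtsc;rdtsc         avg %lld cycles -> %d\n", plain, classify(plain, PLAIN_THRESHOLD));
    printf("rdtsc;cpuid;rdtsc   avg %lld cycles -> %d\n", cpuid, classify(cpuid, CPUID_THRESHOLD));
    return 0;
}
```

Run it on the bare-metal reference host and inside the analysis VM and compare the two averages; a hypervisor that hides its overhead (as the text describes for the cpuid case) will make the VM's numbers indistinguishable from the host's, which is exactly the property a hardened sandbox should have.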
There are two further methods as well.
Generic sandbox detections test for the presence of certain artifacts and side effects that often exist in analysis environments. Pafish is equipped with 10 different generic checks for that purpose.
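As an added example (this page's own, not pafish code), the program below audits one common class of generic artifact from the defender's side: resource sizing that is unusually small for a real workstation. It collects CPU count, physical RAM and the size of the root filesystem through POSIX calls and flags each value that falls below a floor. The floors (2 CPUs, 1 GiB RAM, 60 GiB disk) are illustrative values assumed for this example, and the `env_facts`, `artifact_flags` and `collect_facts` names are this example's own; the decision logic is separated from the data collection so it can be tested with constructed fact sets.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/statvfs.h>

/* Snapshot of the environment properties this audit inspects. */
struct env_facts {
    long cpus;                      /* online processors */
    unsigned long long ram_bytes;   /* physical memory */
    unsigned long long disk_bytes;  /* total size of the filesystem holding "/" */
};

/* One bit per artifact that makes a host look like a resource-starved VM. */
enum { FLAG_FEW_CPUS = 1, FLAG_LOW_RAM = 2, FLAG_SMALL_DISK = 4 };

/* Illustrative floors (assumed for this example): real workstations
 * normally exceed all three. */
#define MIN_CPUS       2L
#define MIN_RAM_BYTES  (1ULL << 30)    /* 1 GiB */
#define MIN_DISK_BYTES (60ULL << 30)   /* 60 GiB */

/* Pure decision logic: returns the set of flags raised by a fact set. */
int artifact_flags(const struct env_facts *f) {
    int flags = 0;
    if (f->cpus < MIN_CPUS) flags |= FLAG_FEW_CPUS;
    if (f->ram_bytes < MIN_RAM_BYTES) flags |= FLAG_LOW_RAM;
    if (f->disk_bytes < MIN_DISK_BYTES) flags |= FLAG_SMALL_DISK;
    return flags;
}

/* Gather the facts from the running host. Returns 0 on success, -1 if any
 * query failed (in which case the caller should not trust the flags). */
int collect_facts(struct env_facts *f) {
    long pages = sysconf(_SC_PHYS_PAGES);
    long page_size = sysconf(_SC_PAGESIZE);
    struct statvfs vfs;

    f->cpus = sysconf(_SC_NPROCESSORS_ONLN);
    if (f->cpus < 0 || pages < 0 || page_size < 0) return -1;
    f->ram_bytes = (unsigned long long)pages * (unsigned long long)page_size;

    if (statvfs("/", &vfs) != 0) return -1;
    f->disk_bytes = (unsigned long long)vfs.f_blocks * (unsigned long long)vfs.f_frsize;
    return 0;
}

/* Convenience wrapper: flags for the current host, or -1 on collection error. */
int host_flags(void) {
    struct env_facts f;
    if (collect_facts(&f) != 0) return -1;
    return artifact_flags(&f);
}

int main(void) {
    struct env_facts f;
    if (collect_facts(&f) != 0) {
        fprintf(stderr, "could not collect environment facts\n");
        return 1;
    }
    int flags = artifact_flags(&f);
    printf("cpus=%ld ram=%llu MiB disk=%llu GiB\n",
           f.cpus, f.ram_bytes >> 20, f.disk_bytes >> 30);
    printf("few cpus: %s\n", (flags & FLAG_FEW_CPUS) ? "yes" : "no");
    printf("low ram:  %s\n", (flags & FLAG_LOW_RAM) ? "yes" : "no");
    printf("small disk: %s\n", (flags & FLAG_SMALL_DISK) ? "yes" : "no");
    return 0;
}
```

Running this inside a freshly built analysis VM gives a quick list of the sizing artifacts to fix before relying on it; the point of keeping `artifact_flags` pure is that the same thresholds can be tuned and re-tested without touching a live guest.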
Pafish is a great tool for hardening your malware analysis environment, though complete hardening is not possible in all cases because certain technologies have side effects that cannot be remediated. While in the past virtual machine detection was a powerful mechanism for malware to conceal its real behavior, the effectiveness of this approach is diminishing constantly due to the ubiquitous use of virtualization on production systems, both server- and client-side.