Defense Against the Dark Arts: Dissecting Sandbox Evasion Techniques

  • Tuesday, 15 Dec 2020 12:30PM EST (15 Dec 2020 17:30 UTC)
  • Speaker: Ben Abbott

When traditional security products fail in preventing malware from infiltrating an organization, a malware analyzer using a sandbox is often the last line of defense. For years, malware authors have found ways to stay one step ahead in the arms race with vendors in this crucial security layer. Building on years of research, the VMRay team tracked and analyzed the evasion techniques that these malware authors use.

Join Ben Abbott, Solutions Engineer at VMRay, as he takes a deeper look at the techniques malware authors use to evade automated dynamic analysis, and what steps can be taken for organizations to restore hope in their defenses:

  • Detecting the presence of a sandbox: Once a malicious file detects the presence of a sandbox during execution, it alters its behavior in an effort to avoid being detected.
  • Exploiting weaknesses in the underlying sandbox technology: This approach typically takes advantage of the fact that most sandboxes use agents, or hooks, to monitor malware activity.
  • Using contextual triggers: This approach gathers information about the malware's context, such as localization or time, and doesn't execute the malicious behavior unless the malware is running in the right context.


VMRay Logo - Dark Blue