(IN)Secure Magazine: Hyper-Evasive Threats are Killing Sandboxing

A new generation of hyper-evasive malware is defeating legacy sandboxing technology and driving new security countermeasures underpinned by the elastic processing capacity of the cloud, as Cyren’s VP of Threat Research explains in an article in the September issue of (IN)SECURE Magazine.

In the article, Sigurdur Stefnisson reviews the evolution of threats from basic malware to…polymorphic malware to newly hyper-evasive malware.

In a survey of IT managers published in July, over 50% of respondents said they had implemented appliance sandboxing at their companies, underscoring how popular the measure has become. Given that pervasiveness, it is no surprise that criminal cybergangs have responded by investing in the development of techniques to evade detection by sandboxes. The article walks through the limitations of traditional first-generation sandboxes that malware authors are exploiting, which include:

  • The finite memory and processing power available in an appliance, which limits the total possible analysis load and depth of analysis performed
  • The reliance on virtualized environments, the presence of which can be detected by malware
  • The lack of diversity in the tests employed, limited to those of the specific sandbox vendor
  • The fact that any specific sandbox is best at one kind of analysis, e.g., operating system or registry or network behavior analysis — it’s hard to be great or even good at everything!

The article also lists all the techniques a Cyren researcher found one specific sample of the Cerberus ransomware using to evade detection: 29 check functions performed by the malware.

To exponentially shift the detection curve in the face of such tactics, Cyren recently launched a next-generation cloud sandboxing array as part of its lineup of web security services for businesses, which fully applies the elastic processing power of the cloud to the problem.