Sandbox detection for the masses: leak, abuse, test

Botconf 2015
2023-04-28 | 14:00 – 14:20

Zoltan Balazs 🗣

Manual processing of malware samples became impossible years ago. Sandboxes are used to automate the analysis of malware samples to gather information about the dynamic behaviour of the malware, both at AV companies and at enterprises. Some malware samples use known techniques to detect when it runs in a sandbox, but most of these sandbox detection techniques can be easily detected and thus flagged as malicious. During my research I invented new approaches to detect these sandboxes. I developed (and will publish during my presentation) a tool, which can collect a lot of interesting information from these sandboxes to create statistics how the current technologies work (and fail). After analyzing these results I will demonstrate tricks to detect sandboxes. These tricks can not be flagged easily as malicious. Some sandboxes are not interacting with the internet, in order to block data extraction, but with some DNS-fu the information can be extracted from these appliances as well.

Slides Icon


Paper Link Icon

Scroll to Top