Security Sandboxes Challenged by Evolving Malware


Malware is working hard to undermine and punish those who employ security sandboxes.  Security innovators are working hard to stay one step ahead.

Security sandboxes are a crucial tool in the battle against the constantly evolving efforts of malware writers.  Suspicious files can be placed in a digital sandbox where security can watch, look, and listen to determine what the code does, who it communicates with, and if it plays nice as expected.  This helps determine if file is benign or malicious.  The sandbox itself is a façade, designed to look and feel like a vulnerable system, yet in reality it is an isolated laboratory which is reinforced to allow malicious files to execute but not cause any real damage.  It is all under the control and watchful eye of the security toolset.  After analysis is complete, the entire digital sandbox is deleted, with whatever potentially harmful activities and changes disappearing with it.

Many security vendors incorporate this technology to conduct analysis of downloads, executables, and even software updates to prosecute the malicious or allow good files to flow.  Similar tools are employed by forensic experts to dissect malware and unravel the inner workings.  The stratagem has proven worthwhile at confidently detecting dangerous code.  So much so, malware writers began embedding features into their software to detect when they have been put in a sandbox.  In order to remain elusive, upon detection the code either goes silent, temporarily acts innocent, or takes the preemptive measure of deleting itself, in hopes of avoiding being scrutinized by security researchers.

Security has responded by making sandboxes stealthier to avoiding detection and allow malware to show its true nature, in a safe environment.  This hide-and-seek game has escalated, with new features being employed on both sides to remain undetected while attempting to discover their counterpart.

In most instances it is passive contest.  That is, until Rombertik.  Given the adversarial nature of the industry, nothing stays secure forever, even security tools.  Rombertik takes a different approach and goes on the offensive to cause harm, incurring a discouraging cost on those employing security tools.


Our security colleagues at Cisco have done a great job highlighting the anti-sandbox advances of the Rombertik malware in the Cisco 2015 Midyear Security Report.  They show how the creators of Rombertik have taken a divergent path from their more docile predecessors.  Instead of being passive and self-deleting or remaining quiet, it lashes out at the very systems attempting to analyze it.  It contains a number of mechanisms to undermine, overflow, and detect sandboxes.  Once it believes it is under the microscope, it attacks.  It attempts to overwrite the machine’s Master Boot Record (MBR) or destroy all files in the user’s home folder, with the goal of making the system inoperable after reboot.

The Cisco report states “Rombertik may be a harbinger of what’s to come in the malware world, because malware authors are quick to adopt their colleagues’ successful tactics”.  It is an insightful report and I strongly recommend reading it.

The idea of a safe area to test suspicious code is not new.  The original instantiation was simply an extra PC, which could be isolated and completely wiped after the analysis.  But that was not a very scalable or terribly efficient practice.  The revolution really came when software could create virtual sandboxes as needed.  Such environments are quick to create, easy to configure, and simple to delete and start anew.  Dozens or even hundreds could be created and be running simultaneously, each testing for malware.  But software has some inherent security limitations.  Malware can sometimes ‘jail break’ and escape the protected sandbox to cause real harm.  Additionally, the most sophisticated attackers can actually turn the tables to get under the virtual environment so the security environment is running in a sandbox managed by the attacker!

This maneuvering gets more complex over time as both sides escalate their tactics through innovation.  How much longer can software created sandboxes remain one step ahead?  Nobody is sure.

What is needed is a more robust means of building improved sandboxes.  Beneath software resides the hardware, which has the advantage of being the lowest part of the stack.  You cannot get ‘under’ the hardware and it is much more difficult to compromise than operating systems, applications, and data which run above.  Hardware advances may revolutionize the game with better sandboxes, more difficult to detect and undermine.  I think time will tell, but it seems to be where the battle is heading.  What cannot be foretold is if changes in hardware will be the winning salvo or just a new battlefield for the attackers and defenders to continue to maneuver in the game of cybersecurity.


Twitter: @Matt_Rosenquist

IT Peer Network: My Previous Posts


Published on Categories Archive
Matthew Rosenquist

About Matthew Rosenquist

Matthew Rosenquist is a Cybersecurity Strategist for Intel Corp and benefits from 20+ years in the field of security. He specializes in strategy, measuring value, and developing cost effective capabilities and organizations which deliver optimal levels of security. Matthew helped with the formation of the Intel Security Group, an industry leading organization bringing together security across hardware, firmware, software and services. An outspoken advocate of cybersecurity, he strives to advance the industry and his guidance can be heard at conferences, and found in whitepapers, articles, and blogs.