Thursday 6 October 11:00 - 11:30, Green room
Stanislav Skuratovich (Check Point Software Technologies)
Aliaksandr Chailytko (Check Point Software Technologies)
In the real world, special virtualized environments, called sandboxes, are used to analyse malware behaviour and prevent it from spreading and damaging real users' personal data, important corporate assets, etc. In our research, we focus on how to fight against the detection of sandboxes by malware and demonstrate some of the different techniques used by malware authors to detect virtual environments that are disregarded by leading vendors. We also present some solutions to counter these detection techniques.
We also discuss Cuckoo Sandbox, a leading open-source automatic malware analysis system that is widely used in the world of security. Cuckoo Sandbox is easy to deploy and contains features which perform many key aspects of malware analysis, such as collecting information about the malware behaviour, capturing network traffic, processing reports, and more. Nearly all the largest players on the market, including VirusTotal and Malwr, utilize Cuckoo Sandbox as a platform to perform automatic behavioural analysis. Cuckoo Sandbox can also be used as a backend for anti-malware-related projects. We describe Cuckoo Sandbox bugs, which allow malware to detect a sandboxed environment, as well as possible solutions for these issues.
Malware authors can use evasion techniques against a virtual environment simply by running some specially crafted code. If a sandbox is detected, then the malware may choose, for example, one of the following behaviours:
If false information received from the sandbox is used in products, endpoint users are left unprotected against threats. The proposed solutions will lead to an increased successful-emulation rate and the delivery of more relevant information, as well as contributing to the overall improvement of virtual environments, especially those that use Cuckoo Sandbox.
Stanislav Skuratovich was born in Minsk, Belarus in 1992. During his studies he was interested in how things work from the inside, and that interest opened the door to the world of reverse engineering. He started work as a Linux embedded software engineer, but a year later, at the beginning of 2015, he joined Check Point Software Technologies, where he now works as a malware researcher. He really likes to travel and visit new places. His hobbies include outdoor activities and CTFs (especially pwning), and he really likes to learn new things.