Zero-day exploits pose some of the most serious risks to users everywhere. The absence of a patch means that it is up to users (and whatever security products they use) to protect against these attacks. One of the tools that can be used in mitigating these attacks is advanced network detection solutions like Trend Micro Deep Discovery, which contains a sandbox that allows for on-the-fly analysis of various threats entering an organization's network. This allows it to detect even attacks that use zero-day exploits without any updates being necessary, providing immediate protection to users.

Problems for common sandboxes

In today's threat environment, sandboxing is necessary to defend against persistent threats. Sandboxes generally rely on behavioral analysis within a virtual environment to detect various threats. As they become more commonplace, attackers will attempt to find methods to evade these sandboxes. This means that attackers need only exert some effort to show less behavior in a sandbox, for example by using anti-VM and anti-sandbox techniques. It is important for sandboxes to reflect user environments as accurately as possible; Deep Discovery's custom sandbox can be configured by administrators for this purpose. This poses a challenge in the traditional field of file detection, which has expanded in recent years to cover exploits. There are several critical challenges for typical sandboxes:
- The exploit is used to not only deploy a payload, but also to conceal it. The malware payload is encrypted so that the sandbox cannot identify if it is an executable file. The shell code in the exploit is responsible for decrypting the payload before it can be executed. In the simplest cases, the malware payload is simply XOR-ed; however we have seen more complex algorithms used. Some payloads are even designed to execute in memory directly, which means you cannot get a completed PE file to execute within the sandbox. A common sandbox cannot easily detect malware that uses this evasion method.
- Exploits evade the sandbox as well. Typical sandboxes run specific file types such as .SWF, .JAR, and .PDF in order to check whether these files contain exploit code. Attackers know all about this, however, and try to evade it. The exploit code can include lines that check the running environment of the exploit, or parameters and function calls passed in from HTML. The exploit code won't run if it is opened directly, or in an incorrect context.
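The first challenge above describes payloads that are XOR-ed so that a sandbox never sees a recognizable executable. The following added example (not code from the original post or from Trend Micro) shows the kind of check an analyst's tooling can run on a captured blob: it tries every single-byte XOR key and only reports a hit where the decoded bytes contain an MZ header whose e_lfanew field points at a valid PE signature, which keeps false positives low. The sample blob and its key 0x5A are constructed for the demonstration.

```python
import struct
from typing import List, Tuple


def build_fake_pe_stub() -> bytes:
    """Constructed sample: a minimal DOS/PE header, not a runnable binary."""
    header = bytearray(b"MZ" + b"\x00" * 0x3A)   # DOS header up to e_lfanew (offset 0x3C)
    header += struct.pack("<I", 0x80)            # e_lfanew -> PE signature at offset 0x80
    header += b"\x00" * (0x80 - len(header))     # pad up to the PE signature
    header += b"PE\x00\x00" + b"\x4C\x01"        # "PE\0\0" + Machine = IMAGE_FILE_MACHINE_I386
    return bytes(header)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte (the 'simplest case' from the text)."""
    return bytes(b ^ key for b in data)


def find_xored_pe(blob: bytes) -> List[Tuple[int, int]]:
    """Return (offset, key) pairs where a single-byte XOR key reveals an MZ header
    whose e_lfanew points at a 'PE\\0\\0' signature inside the blob."""
    hits = []
    for key in range(256):
        decoded = xor_bytes(blob, key)
        start = 0
        while (mz := decoded.find(b"MZ", start)) != -1:
            start = mz + 1
            if mz + 0x40 > len(decoded):          # too short to hold e_lfanew
                break
            e_lfanew = struct.unpack_from("<I", decoded, mz + 0x3C)[0]
            pe = mz + e_lfanew
            # e_lfanew must be plausible and point at a real PE signature
            if 0x40 <= e_lfanew < 0x1000 and decoded[pe:pe + 4] == b"PE\x00\x00":
                hits.append((mz, key))
    return hits


# Constructed blob: 64 filler bytes, the XOR-ed (key 0x5A) header, 16 more filler bytes.
CONSTRUCTED_SAMPLE = b"\x90" * 64 + xor_bytes(build_fake_pe_stub(), 0x5A) + b"\x90" * 16

if __name__ == "__main__":
    for offset, key in find_xored_pe(CONSTRUCTED_SAMPLE):
        print(f"hidden PE header at offset {offset:#x}, XOR key {key:#04x}")
```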
Figure 1. Structure of a custom sandbox

Script behavior can tell us about an exploit's anomalous object usage, function calls, and heap sprays. Variables can also be analyzed for ROP/shellcode data. Meanwhile, analysis of shellcode data can detect an exploit's usage of stacks and heaps caused by ROP/shellcode execution, as well as anomalous file/registry operations in application processes. Analysis of payloads can reveal the scope of their impact on systems, such as created autorun routines, dropped files, and connections to C&C servers. This is the same kind of analysis used in traditional behavior analysis.

Why is a smart sandbox necessary?

More and more exploit kits are using advanced obfuscation and evasion techniques: