Traditional sandboxes and other computer security mechanisms fail to offer the required protection against sophisticated attackers, according to a new report by FireEye.
Advanced malware is using several techniques to thwart signature-based defences during attacks.
A new report, titled Hot Knives Through Butter: How Malware Evades Automated File-based Sandboxes, indicates that businesses today must deal with malware that can readily disable host protections using a range of techniques.
This polymorphic and sophisticated malware is able to slip past single-flow, file-based sandbox solutions.
“Malware is increasingly able to determine when it is running in a virtual environment and alter its behaviour to avoid detection,” said Zheng Bu, senior director of research and co-author of the report. “Effective detection requires analysing the context of behaviour and correlating disparate phases of an attack through multi-flow analysis.”
Understanding malware authors
Security professionals are advised to understand the techniques malware authors use to evade detection by file-based sandboxes. This helps in identifying Advanced Persistent Threat (APT) attacks.
The FireEye Labs research team used the Multi-Vector Virtual Execution (MVX) engine's real-time detection capability to identify new evasion techniques.
Last year FireEye discovered the UpClicker Trojan, which used mouse clicks to detect human activity. Once the malware detects a click of the left mouse button, it establishes communication with malicious servers to cause harm to users.
Sandboxes are designed to monitor a file for a few minutes and then move on to the next file, giving cyber criminals an opportunity to wait and attack only after the monitoring process has completed.
FireEye also notes that the virtual-machine tool VMware is easily identified by malware authors because of its distinctive configuration.
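The three evasion signals described above (waiting for a mouse click, sleeping past the monitoring window, and probing for VMware artefacts) can be triaged from a sandbox's API-call trace. The following is an added example written for this page, not FireEye's or the report's own code; it assumes a constructed trace format of "seconds api(args)" per line and a five-minute observation window, and the trace lines and API names used as indicators are illustrative assumptions.

```python
"""Flag sandbox-evasion indicators in a constructed API-call trace."""
import re

# Constructed trace (not real data): "<seconds> <api>(<args>)" per line.
SAMPLE_TRACE = """\
0.1 RegOpenKeyExA(HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools)
0.2 GetFileAttributesA(C:\\Windows\\System32\\drivers\\vmmouse.sys)
0.5 SetWindowsHookExA(WH_MOUSE_LL)
0.6 Sleep(600000)
601.0 GetAsyncKeyState(VK_LBUTTON)
601.2 InternetOpenA(...)
601.3 InternetConnectA(example.invalid)
"""

MONITOR_WINDOW_S = 300  # assumed sandbox observation window (5 minutes)

# Assumed indicator sets; tune them to the sandbox's own trace vocabulary.
VM_ARTEFACT = re.compile(r"vmware|vmmouse|vmtools", re.IGNORECASE)
MOUSE_API = {"SetWindowsHookExA", "SetWindowsHookExW",
             "GetAsyncKeyState", "GetCursorPos"}
SLEEP_API = {"Sleep", "SleepEx", "NtDelayExecution"}
NETWORK_API = {"InternetOpenA", "InternetConnectA", "connect", "WSAConnect"}
LINE = re.compile(r"^(?P<t>[\d.]+)\s+(?P<api>\w+)\((?P<args>.*)\)$")


def triage(trace: str, window_s: float = MONITOR_WINDOW_S) -> dict:
    """Count evasion indicators and note whether network activity only
    starts after the monitoring window would have closed."""
    hits = {"vm_probe": 0, "mouse_wait": 0, "long_sleep_s": 0.0,
            "network_after_window": False}
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that do not follow the trace format
        t, api, args = float(m["t"]), m["api"], m["args"]
        if VM_ARTEFACT.search(args):
            hits["vm_probe"] += 1
        if api in MOUSE_API:
            hits["mouse_wait"] += 1
        if api in SLEEP_API and args.isdigit():
            hits["long_sleep_s"] += int(args) / 1000  # ms -> s
        if api in NETWORK_API and t > window_s:
            hits["network_after_window"] = True
    return hits


def verdict(hits: dict, window_s: float = MONITOR_WINDOW_S) -> str:
    """'evasive' if any indicator fires, otherwise 'inconclusive'."""
    evasive = (hits["vm_probe"] or hits["mouse_wait"]
               or hits["long_sleep_s"] >= window_s
               or hits["network_after_window"])
    return "evasive" if evasive else "inconclusive"
```

A sample that sleeps past the window and only then opens network connections is exactly the case the report says a short, single-flow observation misses, so the verdict should trigger a longer or interaction-simulating re-run rather than a clean bill of health.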