SandPrint: Fingerprinting Malware Sandboxes to Provide Intelligence for Sandbox Evasion

  • Akira Yokoyama
  • Kou Ishii
  • Rui Tanabe
  • Yinmin Papa
  • Katsunari Yoshioka
  • Tsutomu Matsumoto
  • Takahiro Kasama
  • Daisuke Inoue
  • Michael Brengel
  • Michael Backes
  • Christian Rossow
Conference paper

DOI: 10.1007/978-3-319-45719-2_8

Part of the Lecture Notes in Computer Science book series (LNCS, volume 9854)
Cite this paper as:
Yokoyama A. et al. (2016) SandPrint: Fingerprinting Malware Sandboxes to Provide Intelligence for Sandbox Evasion. In: Monrose F., Dacier M., Blanc G., Garcia-Alfaro J. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2016. Lecture Notes in Computer Science, vol 9854. Springer, Cham

Abstract

To cope with the ever-increasing volume of malware samples, automated program analysis techniques are inevitable. Malware sandboxes in particular have become the de facto standard to extract a program’s behavior. However, the strong need to automate program analysis also bears the risk that anyone who can submit programs can learn and leak the characteristics of a particular sandbox.

We introduce SandPrint, a program that measures and leaks characteristics of Windows-targeted sandboxes. We submit our tool to 20 malware analysis services and collect 2666 analysis reports that cluster to 76 sandboxes. We then systematically assess whether an attacker can possibly find a subset of characteristics that are inherent to all sandboxes, and not just characteristic of a single sandbox. In fact, using supervised learning techniques, we show that adversaries can automatically generate a classifier that can reliably tell a sandbox and a real system apart. Finally, we show that we can use similar techniques to stealthily detect commercial malware security appliances of three popular vendors.

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Akira Yokoyama (1)
  • Kou Ishii (1)
  • Rui Tanabe (1)
  • Yinmin Papa (1)
  • Katsunari Yoshioka (1)
  • Tsutomu Matsumoto (1)
  • Takahiro Kasama (2)
  • Daisuke Inoue (2)
  • Michael Brengel (3)
  • Michael Backes (3)
  • Christian Rossow (1, 3)

  1. Yokohama National University, Yokohama, Japan
  2. National Institute of Information and Communications Technology, Koganei, Japan
  3. Center for IT-Security, Privacy, and Accountability (CISPA), Saarland University, Saarbrücken, Germany