Skip to main content
SpringerLink
Log in

SandPrint: Fingerprinting Malware Sandboxes to Provide Intelligence for Sandbox Evasion

  • Conference paper
  • First Online:
Research in Attacks, Intrusions, and Defenses (RAID 2016)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9854))

Abstract

To cope with the ever-increasing volume of malware samples, automated program analysis techniques are inevitable. Malware sandboxes in particular have become the de facto standard to extract a program’s behavior. However, the strong need to automate program analysis also bears the risk that anyone that can submit programs to learn and leak the characteristics of a particular sandbox.

We introduce SandPrint, a program that measures and leaks characteristics of Windows-targeted sandboxes. We submit our tool to 20 malware analysis services and collect 2666 analysis reports that cluster to 76 sandboxes. We then systemically assess whether an attacker can possibly find a subset of characteristics that are inherent to all sandboxes, and not just characteristic of a single sandbox. In fact, using supervised learning techniques, we show that adversaries can automatically generate a classifier that can reliably tell a sandbox and a real system apart. Finally, we show that we can use similar techniques to stealthily detect commercial malware security appliances of three popular vendors.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    We omit the vendor names not to pinpoint to weaknesses of individual appliances.

References

  1. Amnpardaz Sandbox - File Analyzer. http://jevereg.amnpardaz.com/

  2. Anubis: Malware Analysis for Unknown Binaries. https://anubis.iseclab.org/

  3. Bkav - Scan virus online. http://quetvirus.vn/default.aspx?lang=en

  4. bochs: The Open Source IA-32 Emulation Project. http://bochs.sourceforge.net

  5. Dr. Web Online Check. http://online.drweb.com/?lng=en

  6. FortiGuard Center. Online Virus Scanner. http://www.fortiguard.com/virusscanner

  7. Gary‘s Hood. Online Virus Scanner. http://www.garyshood.com/virus/

  8. Malwr - Malware Analysis by Cuckoo Sandbox. https://malwr.com/

  9. NVMTrace: Proof-of-concept Automated Baremetal Malware Analysis Framework. https://code.google.com/p/nvmtrace/

  10. Oracle VM VirtualBox. https://www.virtualbox.org

  11. #totalhash. https://totalhash.cymru.com/upload/

  12. http://www.Vicheck.ca

  13. Virusblokada. http://anti-virus.by/en/index.shtml

  14. VirusTotal - Free Online Virus, Malware and URL Scanner. https://www.virustotal.com/en/

  15. VMware. http://www.vmware.com/

  16. Bayer, U., Milani Comparetti, P., Hlauschek, C., Kruegel, C., Kirda, E.: Scalable, behavior-based malware clustering. In: Network and Distributed System Security Symposium (NDSS) (2009)

    Google Scholar 

  17. Bellard, F.: QEMU, a fast and portable dynamic translator. In: Proceedings of the Annual Conference on USENIX Annual Technical Conference, ATEC 2005 (2005)

    Google Scholar 

  18. Brengel, M., Backes, M., Rossow, C.: Detecting hardware-assisted virtualization. In: Caballero, J., Zurutuza, U., Rodríguez, R.J. (eds.) DIMVA 2016. LNCS, vol. 9721, pp. 207–227. Springer, Heidelberg (2016). doi:10.1007/978-3-319-40667-1_11

    Chapter  Google Scholar 

  19. Caballero, J., Grier, C., Kreibich, C., Paxson, V.: Measuring pay-per-install: the commoditization of malware distribution. In: USENIX Security (2011)

    Google Scholar 

  20. Comodo. Comodo Instant Malware Analysis. http://camas.comodo.com/

  21. Cristianini, N., Shawe-Taylor, J.: An Introduction to Support Vector Machines and Other Kernel-based Learning Methods. Cambridge University Press, Cambridge (2000)

    Book  MATH  Google Scholar 

  22. DEXLabs. Detecting Android Sandboxes (2012). http://www.dexlabs.org/blog/btdetect

  23. Dinaburg, A., Royal, P., Sharif, M., Ether, L.W.: Malware analysis via hardware virtualization extensions. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS 2008 (2008)

    Google Scholar 

  24. Egele, M., Scholte, T., Kirda, E., Kruegel, C.: A survey on automated dynamic malware-analysis techniques and tools. ACM Comput. Surv. 44, 2 (2008)

    Google Scholar 

  25. F-Secure. Sample Analysis System. https://analysis.f-secure.com/portal/login.html

  26. Freiling, F.C., Holz, T., Wicherski, G.: Botnet tracking: exploring a root-cause methodology to prevent distributed denial-of-service attacks. In: di Vimercati, S.C., Syverson, P.F., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 319–335. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  27. Jing, Y., Zhao, Z., Ahn, G.-J., Hu, H.: Morpheus: automatically generating heuristics to detect android emulators. In: Proceedings of the 30th Annual Computer Security Applications Conference, ACSAC 2014 (2014)

    Google Scholar 

  28. Jotti. Jotti’s Malware Scan. http://virusscan.jotti.org/en

  29. Jung, P.: Bypassing Sandboxes for Fun. https://www.botconf.eu/wp-content/uploads/2014/12/2014-2.7-Bypassing-Sandboxes-for-Fun.pdf

  30. Kirat, D., Vigna, G., Kruegel, C.: Barecloud: bare-metal analysis-based evasive malware detection. In: Proceedings of the 23rd USENIX Conference on Security Symposium, SEC 2014 (2014)

    Google Scholar 

  31. Kirati, D., Vigna, G., Kruegel, C.: BareBox: efficient malware analysis on bare-metal. In: Proceedings of the 27th Annual Computer Security Applications Conference, ACSAC 2011 (2011)

    Google Scholar 

  32. Lanzi, A., Balzarotti, D., Kruegel, C., Christodorescu, M., Kirda, E.: AccessMiner: using system-centric models for malware protection. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS 2010 (2010)

    Google Scholar 

  33. Maier, D., Müller, T., Protsenko, M.: Divide-and-Conquer: why android malware cannot be stopped. In: Proceedings of the 2014 Ninth International Conference on Availability, Reliability and Security, ARES 2014 (2014)

    Google Scholar 

  34. Martignoni, L., Paleari, R., Roglia, G.F., Bruschi, D.: Testing CPU emulators. In: Proceedings of the Eighteenth International Symposium on Software Testing and Analysis, ISSTA 2009 (2009)

    Google Scholar 

  35. Microsoft. Submit a sample - Microsoft Malware Protection Center. https://www.microsoft.com/security/portal/submission/submit.aspx

  36. Neugschwandtner, M., Comparetti, P. M., Platzer, C.: Detecting malware’s failover C&C strategies with squeeze. In: Proceedings of the 27th Annual Computer Security Applications Conference, ACSAC 2011 (2011)

    Google Scholar 

  37. Neuner, S., van der Veen, V., Lindorfer, M., Huber, M., Merzdovnik, G., Mulazzani, M., Weippl, E.: Enter Sandbox: Android Sandbox Comparison (2015). http://arxiv.org/ftp/arxiv/papers/1410/1410.7749.pdf

  38. OPSWAT. Metascan Online: Free File Scanning with Multiple Antivirus Engines. https://www.metascan-online.com/#!/scan-file

  39. Pa, Y.M.P., Suzuki, S., Yoshioka, K., Matsumoto, T., Kasama, T., Rossow, C.: IoTPOT: analysing the rise of IoT compromises. In: Proceedings of the 9th USENIX Workshop on Offensive Technologies, WOOT (2015)

    Google Scholar 

  40. Paleari, R., Martignoni, L., Roglia, G.F., Bruschi, D.A.: Fistful of red-pills: how to automatically generate procedures to detect CPU emulators. In: Proceedings of the 3rd USENIX Conference on Offensive Technologies, WOOT 2009 (2009)

    Google Scholar 

  41. Pék, G., Bencsáth, B., Buttyán, L.: nEther: in-guest detection of out-of-the-guest malware analyzers. In: Proceedings of the Fourth European Workshop on System Security, EUROSEC 2011 (2011)

    Google Scholar 

  42. Petsas, T., Voyatzis, G., Athanasopoulos, E., Polychronakis, M., Ioannidis, S.: Rage against the virtual machine: hindering dynamic analysis of android malware. In: Proceedings of the Seventh European Workshop on System Security, EuroSec 2014 (2014)

    Google Scholar 

  43. Raffetseder, T., Kruegel, C., Kirda, E.: Detecting system emulators. In: Garay, J.A., Lenstra, A.K., Mambo, M., Peralta, R. (eds.) ISC 2007. LNCS, vol. 4779, pp. 1–18. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  44. Rieck, K., Schwenk, G., Limmer, T., Holz, T., Laskov, P.: Botzilla: detecting the phoning home of malicious software. In: Proceedings of the 2010 ACM Symposium on Applied Computing (ACSAC 2010) (2010)

    Google Scholar 

  45. Rieck, K., Trinius, P., Willems, C., Holz, T.: Automatic analysis of malware behavior using machine learning. J. Comput. Secur. 19(4), 639–668 (2009)

    Article  Google Scholar 

  46. Rossow, C., Dietrich, C., Bos, H.: Large-scale analysis of malware downloaders. In: Flegel, U., Markatos, E., Robertson, W. (eds.) DIMVA 2012. LNCS, vol. 7591, pp. 42–61. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  47. Rutkowska, J.: Red Pill... Or How To Detect VMM Using (Almost) One CPU Instruction (2004). http://www.securiteam.com/securityreviews/6Z00H20BQS.html

  48. Payload Security: Free Automated Malware Analysis Service. https://www.hyblid-analysis.com/

  49. Payload Security: Blog article (2015). http://www.pandasecurity.com/mediacenter/press-releases/pandalabs-neutralized-75-million-new-malware-samples-2014-twice-many-2013/

  50. ThreatTrack Security. Free Online Malware Analysis. http://www.threattracksecurity.com/resources/sandbox-malware-analysis.aspx

  51. Symantec. Internet Security Threat Report 04/2015 (2015). http://www.symantec.com/de/de/security_response/publications/threatreport.jsp

  52. ThreatExpert. http://www.threatexpert.com/submit.aspx

  53. Vasudevan, A., Yerraballi, R.: Cobra: fine-grained malware analysis using stealth localized-executions. In: Proceedings of the 2006 IEEE Symposium on Security and Privacy, S&P 2006 (2006)

    Google Scholar 

  54. Vidas, T., Christin, N.: Evading android runtime analysis via sandbox detection. In: Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security, ASIA CCS 2014 (2014)

    Google Scholar 

  55. VirSCAN.org. Free Multi-Engine Online Virus Scanner. http://www.virscan.org/

  56. Yoshioka, K., Hosobuchi, Y., Orii, T., Matsumoto, T.: Your sandbox is blinded: impact of decoy injection to public malware analysis systems. J. Inf. Process. 52, 3 (2011)

    Google Scholar 

Download references

Acknowledgements

We would like to thank the anonymous reviewers for their valuable comments. Special thanks goes to our shepherd Michael Bailey, who supported us during the process of finalizing the paper. This work was supported by the MEXT Program for Promoting Reform of National Universities and by the German Federal Ministry of Education and Research (BMBF) through funding for the Center for IT-Security, Privacy and Accountability (CISPA) and for the BMBF project 13N13250.

Author information

Authors and Affiliations

  1. Yokohama National University, Yokohama, Japan

    Akira Yokoyama, Kou Ishii, Rui Tanabe, Yinmin Papa, Katsunari Yoshioka, Tsutomu Matsumoto & Christian Rossow

  2. National Institute of Information and Communications Technology, Koganei, Japan

    Takahiro Kasama & Daisuke Inoue

  3. Center for IT-Security, Privacy, and Accountability, CISPA, Saarland University, Saarbrücken, Germany

    Michael Brengel, Michael Backes & Christian Rossow

Authors
  1. Akira Yokoyama
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Kou Ishii
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Rui Tanabe
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Yinmin Papa
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Katsunari Yoshioka
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Tsutomu Matsumoto
    View author publications

    You can also search for this author in PubMed Google Scholar

  7. Takahiro Kasama
    View author publications

    You can also search for this author in PubMed Google Scholar

  8. Daisuke Inoue
    View author publications

    You can also search for this author in PubMed Google Scholar

  9. Michael Brengel
    View author publications

    You can also search for this author in PubMed Google Scholar

  10. Michael Backes
    View author publications

    You can also search for this author in PubMed Google Scholar

  11. Christian Rossow
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Christian Rossow .

Editor information

Editors and Affiliations

  1. University of North Carolina at Chapel H , Chapel-Hill, USA

    Fabian Monrose

  2. Qatar Computing Research Institute , Doha, Qatar

    Marc Dacier

  3. Université Paris-Saclay , Evry, France

    Gregory Blanc

  4. TELECOM SudParis , EVRY, France

    Joaquin Garcia-Alfaro

Appendix

Appendix

See Fig. 3.

Fig. 3.
figure 3

Mapping between submitted SandPrint instances and sandboxes. The non-circle shapes indicate constant and exclusive use of a sandbox by a particular service and thus are inferred as being a sandbox attached to the service. A cross indicates that the mapping is confirmed by mapping the SandPrint report to the dynamic analysis report provided by the service.

Full size image

Rights and permissions

Reprints and permissions

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Yokoyama, A. et al. (2016). SandPrint: Fingerprinting Malware Sandboxes to Provide Intelligence for Sandbox Evasion. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2016. Lecture Notes in Computer Science(), vol 9854. Springer, Cham. https://doi.org/10.1007/978-3-319-45719-2_8

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-45719-2_8

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-45718-5

  • Online ISBN: 978-3-319-45719-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation