Attacks/Breaches

8/14/2013
05:13 PM
Commentary
Commentary
Commentary
50%
50%

The Increasing Failure Of Malware Sandboxing

Virtualization limits of sandboxes impede threat detection

The past three years have seen many organizations adopt and deploy in-house dynamic sandboxing technologies tasked to detect and block specific classes of malware. Most advocates of the approach will point to malware samples that were detected via the sandbox, but missed by conventional antivirus signature systems, and seek to justify the investment through these simple metrics.

A well maintained sandbox system - capable of launching a dozen or more virtual systems running a vanilla Microsoft Windows installation - is sufficient enough to detect a high percentage of the mainstream malware in circulation, and is perfectly suited to detecting serial variants generated by popular malware construction kits (assuming that no anti-virtual machine evasion code has been included).

Organizations that have deployed the myriad of commercial malware sandboxing appliances have, after a year of observing their operation, increasingly come to ask two important questions. Are the malware I'm capturing really a threat to my business, and why haven't the number of infected devices I detect weekly gone down?

The answers to both questions are closely related.

Because the sandboxing appliances must operate multiple virtual machines, they are restricted to virtualizing specific operating system images. Some appliances come with a default set of ISO images (typically Windows XP SP3 with a suite of common business applications), while others allow you to run a 32-bit corporate "Gold Image". The latter ISO image type is much preferred, as it more adequately represents an organizations desktop environment.

If your organization has deployed Apple, Android, Linux or other non-Windows legacy devices, or is running 64-bit systems, then it's unlikely that your sandbox is doing anything meaningful against threats that target those operating systems. The same applies to the applications your organization installs (or allows to be installed) on corporate systems. If a malware sample exploits vulnerabilities in a specific piece of software and that software isn't included in the ISO image you're running in your sandbox, then of course it'll pass through undetected.

I'm reminded of Gartner's Hype Cycle and the "trough of disillusionment" after a much hyped technology is finally deployed and reaches an operational status. For years now anti-malware sandbox vendors have been touting the approach as a solution to targeted attacks and APT's yet, with even a basic understanding of how these various sandbox technologies operate, it should be obvious what their detection limits are likely to be.

The sandboxing appliances popularly deployed today are performing well against your average"0-day" malware threat, but capabilities decline dramatically the more targeted an adversary becomes. As such, organizations are much better at stopping the generic non-targeted "Internet threats", but becoming more vulnerable to marginally tuned malware. For example, any piece of malware that requires the user to perform an action at a specific time (before it acts maliciously) is sufficient to evade detection in most cases.

Incident response teams and others tasked with malware investigation within large corporations appreciate the fact that sandboxing approaches are helping to keep the mainstream malware "noise" out of their enterprise networks, but are struggling in their communications to upper management the fact that these recent protection investments have had little effect against espionage and other targeted malware attacks.

Until such time that sandboxing technology can virtualize every hardware platform or device used within an organization, emulate every programming or scripting language present on the desktops or BYOD gadgets that employees chose to bring to work, or execute every version of software application used within a particular business, then you're going to have to keep on investing in technologies and resources capable of detecting and mitigating non-generic Internet threats.

Even if that was possible, malware sandboxing approaches will only capture the threats that come in through the front-door -- not threats that get transported between networks via roaming devices. So, as business operations embrace the cloud, BYOD, VPN dual tunneling, and expand their home-office workforce, centralized sandboxing approaches will rapidly diminish in efficacy -- and malware authors continue to have the upper-hand.

Gunter Ollmann, CTO, IOActive Inc.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
DamianoB592
50%
50%
DamianoB592,
User Rank: Apprentice
8/15/2013 | 9:55:38 PM
re: The Increasing Failure Of Malware Sandboxing
I don't fully agree with this phrase "malware sandboxing approaches will only capture the threats that come in through the front-door" - is it a problem of placing the sandbox probe in the right spot or a technological issue? I would rephrase it in "malware sandboxing will only detect mainstream malware", but I wouldn't point at the "placement issue" as the main motivation for failing.
Robertd725
50%
50%
Robertd725,
User Rank: Apprentice
8/27/2013 | 1:22:54 PM
re: The Increasing Failure Of Malware Sandboxing
The point on fixed application stacks is absolutely correct. Extending the point to mobile devices is less. Larger enterprises worry more about sensitive data leakage from mobile devices than mobile devices becoming an attack vector to their wired networks. These are protected by the multiple wired security enforcement points that have been deployed over the years (within the limitations of their signature and fixed stack sandbox based solutions.
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Intel Reveals New Spectre-Like Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/15/2018
Data Privacy Careers Are Helping to Close the IT Gender Gap
Dana Simberkoff, Chief Compliance and Risk Management Officer, AvePoint, Inc,  8/20/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10006
PUBLISHED: 2018-08-20
Jsish version 2.4.65 contains a CWE-476: NULL Pointer Dereference vulnerability in Function jsi_ValueCopyMove from jsiValue.c:240 that can result in Crash due to segmentation fault. This attack appear to be exploitable via a crafted javascript code. This vulnerability appears to have been fixed in 2...
CVE-2018-10006
PUBLISHED: 2018-08-20
The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This ...
CVE-2018-10006
PUBLISHED: 2018-08-20
Rust Programming Language Rust standard library version Commit bfa0e1f58acf1c28d500c34ed258f09ae021893e and later; stable release 1.3.0 and later contains a Buffer Overflow vulnerability in std::collections::vec_deque::VecDeque::reserve() function that can result in Arbitrary code execution, but no ...
CVE-2018-10006
PUBLISHED: 2018-08-20
JabRef version <=4.3.1 contains a XML External Entity (XXE) vulnerability in MsBibImporter XML Parser that can result in disclosure of confidential data, denial of service, server side request forgery, port scanning. This attack appear to be exploitable via Specially crafted MsBib file. This vuln...
CVE-2018-10006
PUBLISHED: 2018-08-20
zzcms version 8.3 and earlier contains a SQL Injection vulnerability in zt/top.php line 5 that can result in could be attacked by sql injection in zzcms in nginx. This attack appear to be exploitable via running zzcms in nginx.