Malware Sandboxing and Reverse engineering overview

David E Lares S
Published in Nerd For Tech, Jan 21, 2022

Sandboxing is a technique that lets malware execute in a contained, controlled environment. That environment needs to look real to the software so that its normal behavior can be studied and observed; if any malicious behavior or characteristic is detected, the sample is quarantined or deleted.

In a few words, you can see the sandbox as a free pass for the malware: do your thing, but in a controlled scenario that mimics end-user operating environments as closely as possible. This is a good practice for executing bad code without risking too much.

Many enterprises use next-generation antiviruses and firewalls with extended sandboxing techniques. A well-known example is the SonicWall solution, a network platform or APT blocker. Again, it depends on the scenario.

You may be wondering, why a firewall? Well, it’s pretty common to find a lot of emphasis on network security in sandboxes, but there are many varieties. A sandbox can be a full system implementation (a complete server), or an emulated or virtualized OS.

If your enterprise uses an advanced firewall, it will almost certainly include an intrusion filter as well. Incoming data goes through several processing stages. For example:

  1. Source filtering of known malware origins (blacklisting bad sites)
  2. SSL decryption and signature-based filtering. This actively removes files whose hashes match known malware, then analyzes content and connections.
  3. Once both previous steps are done comes the sandbox analysis, which consists of a deep evaluation of software behavior, libraries, modules, and whatever other resources are present.

Using integrated sandboxing can sometimes be a complete headache, due to its passive mode: content is easily allowed to pass through, and malware may propagate before action is taken. Malware hashes may also not be effective against polymorphic malware.
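The following is an added example, not code from the original post or from any product it mentions. It models stage 2 (hash-based signature filtering) next to a simple static triage pass, and shows why the post's caveat about polymorphic malware holds: a constructed sample whose bytes are merely padded keeps every behavioral indicator but no longer matches the hash blocklist, so only the pattern-based check still routes it to the sandbox. The sample bytes, the blocklist, and the string rules are all constructed for illustration; the URL host is a placeholder.

```python
import hashlib
import re

# Constructed "files" as byte strings (not real malware): a header-like prefix,
# some padding, and a command line with indicators a static pass should notice.
SAMPLE_ORIGINAL = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"cmd.exe /c powershell -enc AAAA http://placeholder.invalid/payload"
)
# "Polymorphic" variant: identical behavior, trailing padding changes every hash.
SAMPLE_VARIANT = SAMPLE_ORIGINAL + b"\x00" * 7

# Stage 2a: signature-based filter. Constructed blocklist that knows only the original.
HASH_BLOCKLIST = {hashlib.sha256(SAMPLE_ORIGINAL).hexdigest()}

# Stage 2b / static analysis: behavior-oriented patterns (constructed rules).
STRING_RULES = {
    "url": re.compile(rb"https?://[\w.-]+(?:/[\w./-]*)?"),
    "encoded_powershell": re.compile(rb"powershell[^\n]{0,40}-enc\b", re.IGNORECASE),
}


def file_hashes(data: bytes) -> dict:
    """Hashes an analyst records for every sample before anything else."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def hash_filter(data: bytes) -> bool:
    """True when the sample's SHA-256 is on the blocklist (exact-match signature)."""
    return file_hashes(data)["sha256"] in HASH_BLOCKLIST


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs of at least min_len bytes, like the classic `strings` tool."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def static_indicators(data: bytes) -> dict:
    """Rule name -> list of matched fragments, for every rule that fires."""
    return {
        name: [m.group().decode() for m in rule.finditer(data)]
        for name, rule in STRING_RULES.items()
        if rule.search(data)
    }


def triage(data: bytes) -> dict:
    """Run the hash filter first, fall back to static indicators, and decide
    whether to block, send to the sandbox for deeper analysis, or allow."""
    indicators = static_indicators(data)
    matched = hash_filter(data)
    verdict = "block" if matched else ("sandbox" if indicators else "allow")
    return {
        "hashes": file_hashes(data),
        "hash_match": matched,
        "strings": extract_strings(data),
        "indicators": indicators,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, sample in (("original", SAMPLE_ORIGINAL), ("variant", SAMPLE_VARIANT)):
        result = triage(sample)
        print(label, result["hashes"]["sha256"][:16], result["hash_match"], result["verdict"])
```

The point of the two-step verdict is that the hash stage is cheap and exact, so it stays first, but anything it misses must still reach a behavioral check; otherwise the trivially re-padded variant would be allowed straight through, which is exactly the passive-mode failure the post describes.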

Sandboxes go well beyond signature-based malware evaluation; of course they can still work with signatures, but now they are powered by AI, so the defenses and definitions are only as good as the models powering the solutions. This is an endless marathon.

Malware authors can still evade sandbox environments. This depends on their creativity, but there are some known techniques worth mentioning: detecting the sandbox (which differs from a real scenario), exploiting gaps and weaknesses in the sandbox itself, or setting triggers or “logic bombs” that fire delayed instructions.

Since sandboxing can be considered a mechanism for studying malware behavior, we can move directly on to reverse engineering it. If you are not familiar with the term, this is a technique for going backward from an executable piece of software to reconstruct an understandable picture of its code elements and capabilities.

This is typically done when the source of the executable code is not available.

On a personal note, reverse engineering is the hardest topic in software, period. It requires a solid foundation in low-level code and assembly language. If you are into malware coding, or if you are an experienced developer, you should be familiar with networking and cryptography, and even more so with persistence. It takes a substantial investment of time to understand exactly what the malware is doing.

Malware reverse engineering basically studies the infection, exploitation, and exfiltration techniques of the software. This of course requires a controlled environment in which to analyze it … well, hello there Mr. Sandbox!

The software analysis can be done in two modes. Static analysis is a little more than disassembling the program, without running it. Dynamic analysis is when the program runs and its behavior is monitored.
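As an added example (not code from the original post, and not the output format of any real sandbox product), here is the dynamic-analysis half of that split: the sandbox records what the sample does, and the analyst turns that trace into findings grouped by the phases named above (infection, persistence, exfiltration) plus the delayed-trigger behavior mentioned earlier. The JSON-lines trace, the process id, the file and registry paths, the 203.0.113.7 destination (a documentation address), and the two thresholds are all constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sandbox trace in JSON lines; every value here is made up for the example.
SANDBOX_EVENTS = r"""
{"ts": 0.10, "pid": 1204, "event": "process_create", "image": "C:\\lab\\sample.exe"}
{"ts": 0.45, "pid": 1204, "event": "file_write", "path": "C:\\Users\\lab\\AppData\\Roaming\\svc.exe"}
{"ts": 0.50, "pid": 1204, "event": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc", "value": "C:\\Users\\lab\\AppData\\Roaming\\svc.exe"}
{"ts": 31.0, "pid": 1204, "event": "net_connect", "dst": "203.0.113.7", "port": 443}
{"ts": 31.2, "pid": 1204, "event": "net_send", "dst": "203.0.113.7", "bytes": 524288}
"""

# Assumed thresholds: a first connection this long after start suggests a sleep or
# trigger; outbound volume above this is worth a look as possible exfiltration.
DELAY_THRESHOLD_S = 30.0
EXFIL_BYTES = 100 * 1024


def parse_events(text: str) -> list:
    """One JSON object per non-empty line, in trace order."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(text: str) -> dict:
    """Map raw monitored behavior to phase -> list of human-readable findings."""
    events = parse_events(text)
    findings = defaultdict(list)
    # Process start times let us measure how long the sample waited before acting.
    start = {e["pid"]: e["ts"] for e in events if e["event"] == "process_create"}

    for e in events:
        kind = e["event"]
        if kind == "file_write":
            path = e["path"].lower()
            # Infection: an executable dropped under the user's AppData tree.
            if path.endswith(".exe") and "\\appdata\\" in path:
                findings["infection"].append(f"dropped executable {e['path']}")
        elif kind == "registry_set":
            # Persistence: autostart entry under the per-user Run key.
            if "\\currentversion\\run\\" in e["key"].lower():
                findings["persistence"].append(f"Run key {e['key']} -> {e['value']}")
        elif kind == "net_connect":
            # Delayed trigger: first network activity long after the process started.
            delay = e["ts"] - start.get(e["pid"], 0.0)
            if delay > DELAY_THRESHOLD_S:
                findings["evasion"].append(f"first connection to {e['dst']} after {delay:.1f}s")
        elif kind == "net_send":
            # Exfiltration: a large outbound transfer to an external host.
            if e["bytes"] > EXFIL_BYTES:
                findings["exfiltration"].append(f"{e['bytes']} bytes sent to {e['dst']}")
    return dict(findings)


if __name__ == "__main__":
    for phase, items in analyze(SANDBOX_EVENTS).items():
        for item in items:
            print(f"[{phase}] {item}")
```

The delay rule is the practical reason a sandbox must run a sample for longer than a few seconds: a sample that sleeps past the monitoring window shows nothing in dynamic analysis, which is exactly the evasion a static pass or a longer, isolated lab run is meant to catch.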

A test lab for reverse engineering should go beyond the virtualization environments that we might use for penetration testing, into a more robust sandbox that stops, or at least presents strong controls over, any external interaction by the malware.

A good way to start is by creating an isolated reverse engineering sandbox system with no internet access, and if that is not possible, at least keep it outside your home network.

With all of this in mind, you can scale up your malware analysis with manual, static, interactive, or fully automatic analysis; each one provides benefits and targets specific evaluation criteria.

Both elements go toe-to-toe if you are curious enough to research malware and how it works. Security and malware evolve daily, and the trend will be more sophisticated malware by the time you are reading this.

Keep yourself updated, and educate yourself to avoid being infected.

Happy hunting :)
