Malware analysis in the sandbox
Under the Microscope
WannaCry Kill Switch
The WannaCry developers adapted their detection mechanism for the special way that sandboxes handle Internet access. Many sandboxes provide an Internet emulator to limit and control, but not prevent, the malware's communication capabilities. The Internet emulator then responds to all Internet connection attempts on behalf of the requested servers. This usually happens regardless of whether or not the domain names and IP addresses actually exist.
When WannaCry is run in a sandbox, the functionality to encrypt systems and attack other vulnerable systems suddenly stops working. The shutdown is caused by the sandbox's Internet emulator. WannaCry queries a previously unregistered, cryptically structured domain. On any ordinary system, the request fails with a connection error because DNS cannot resolve the name.
If this connection error occurs, everything seems to be okay from the malware's point of view, and it begins to infect other systems. If, however, a connection is possible, the malware's developers assumed that their malicious code was being analyzed, and nothing else happens. The spread of WannaCry in May 2017 was finally stopped by the fact that the English analysis team simply registered the previously unregistered domain. At the time, the analysis team did not even know exactly what would happen [4].
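The kill switch described above is one instance of a general pattern: a sample branches on whether a domain that should not exist answers. An analyst can turn that against the sample by running it twice with different Internet emulator policies (answer everything versus mirror the real Internet and return NXDOMAIN for unregistered names) and comparing the two traces. The following is an added example, not code from the article or any sandbox product: the trace format, the `Event` type, the `.invalid` domain name, and all log lines are constructed for illustration.

```python
"""Differential-run heuristic for connectivity-gated behaviour.

Two constructed sandbox traces of the same sample are compared. If the
sample goes quiet when the queried domain answers but becomes active when
the name fails to resolve, its behaviour is gated on connectivity, which
is exactly the WannaCry kill-switch pattern. Added example; all data is
constructed and the log format is an assumption, not a real sandbox's.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: float      # seconds since process start (constructed)
    kind: str     # "process", "dns", "connect", "file" or "exit"
    detail: str   # free-form payload: domain and result, path, socket


# Constructed trace: the emulator answers every DNS query and accepts
# every TCP connection, the way many sandboxes do by default.
RUN_ANSWER_ALL = [
    Event(0.00, "process", "start sample.exe"),
    Event(0.12, "dns", "query example-kill-switch.invalid -> 10.0.0.5"),
    Event(0.15, "connect", "tcp 10.0.0.5:80 ok"),
    Event(0.16, "exit", "code 0"),
]

# Constructed trace: the emulator mirrors the real Internet and returns
# NXDOMAIN for a name that is not registered.
RUN_NXDOMAIN = [
    Event(0.00, "process", "start sample.exe"),
    Event(0.11, "dns", "query example-kill-switch.invalid -> NXDOMAIN"),
    Event(0.30, "file", "write C:\\Users\\victim\\Documents\\report.docx.WNCRY"),
    Event(0.31, "file", "write C:\\Users\\victim\\Documents\\budget.xlsx.WNCRY"),
    Event(2.00, "connect", "tcp 192.0.2.7:445 ok"),
]


def summarize(events):
    """Reduce a trace to the few facts the comparison needs."""
    dns_queries = []
    for e in events:
        if e.kind == "dns" and e.detail.startswith("query "):
            name, _, result = e.detail[len("query "):].partition(" -> ")
            dns_queries.append((name, result))
    return {
        "dns": dns_queries,
        "connects_ok": sum(1 for e in events
                           if e.kind == "connect" and e.detail.endswith(" ok")),
        "file_writes": sum(1 for e in events if e.kind == "file"),
        "exited": any(e.kind == "exit" for e in events),
        "last_t": max((e.t for e in events), default=0.0),
    }


def detect_connectivity_gate(run_answer_all, run_nxdomain):
    """Return a finding if behaviour depends on the emulator policy, else None."""
    a = summarize(run_answer_all)
    b = summarize(run_nxdomain)
    # The same name was queried in both runs but resolved differently.
    gated = [name for (name, ra) in a["dns"]
             for (other, rb) in b["dns"] if name == other and ra != rb]
    if not gated:
        return None
    # Quiet, early exit when the domain answers; real host activity when it
    # does not: the two runs differ only in what the emulator returned.
    quiet_when_reachable = (a["exited"] and a["file_writes"] == 0
                            and a["last_t"] < 1.0)
    active_when_unreachable = b["file_writes"] > 0 or b["connects_ok"] > 0
    if quiet_when_reachable and active_when_unreachable:
        return {"verdict": "connectivity-gated", "domains": gated,
                "file_writes_when_unreachable": b["file_writes"]}
    return None


if __name__ == "__main__":
    print(detect_connectivity_gate(RUN_ANSWER_ALL, RUN_NXDOMAIN))
```

The practical consequence for sandbox operators is the caveat the article hints at: an emulator that answers on behalf of every domain makes the sandbox trivially distinguishable from a real host. Running the second, NXDOMAIN-faithful pass (or recording which names the emulator invented answers for) is what exposes both the gated behaviour and the domain worth sinkholing.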
Conclusions
Sandboxes allow malware to be analyzed dynamically and its effects to be investigated in a secure environment. While analysts optimize their sandboxes to remain as hidden as possible from the malware, the dark side also optimizes the corresponding detection mechanisms.
In the case of WannaCry, the detection mechanism blew up in the attacker's face. The malware's own protection function led to a far-reaching shutdown of the malicious functions, thus preventing damage to some companies that were still vulnerable.
This article has provided a little insight into the world of analysis and countermeasure techniques. Finally, and not without a touch of irony, there is no escaping the fact that, as a legitimate user, you are probably safest inside an obvious sandbox. The only problem is that running software in a sandbox will probably not give you the performance you need.
Infos
- IDA: https://www.hex-rays.com/products/ida/
- Cuckoo: https://cuckoosandbox.org
- Shadowserver Foundation: https://www.shadowserver.org/wiki/
- "How to Accidentally Stop a Global Cyber Attack": https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html