Analysis and evasion of malware sandbox detection techniques

Supervisor:
Dr. Buttyán Levente
Department of Networked Systems and Services

Signature-based detection is the most widespread method of defence against malicious software (malware). This method searches the analysed files for unique patterns, known as signatures, that are typical of already known malware. In many cases it is fast and efficient; however, any new or self-modifying malware will not be detected, because there is no signature to match. Another common defence method is behavioural analysis: the suspicious file is run in a secure, isolated environment, a so-called sandbox, and its behaviour is monitored. However, more advanced malware may be able to detect that it is under analysis, and it will then refrain from performing suspicious operations.

This paper describes in detail the detection techniques commonly used by malware to recognise a sandbox, and provides solutions for evading that detection. The practical application of these solutions is then presented on a traditional sandbox system. Finally, we evaluate the effectiveness of the presented solutions by successfully fooling malware samples.

These studies can help to further develop sandbox systems, improve their detection efficiency and help the work of malware analysts.
