DocumentCode :
3764629
Title :
Event triggered malware: A new challenge to sandboxing
Author :
Misha Mehra;Dhawal Pandey
Author_Institution :
Directorate of Cyber Security, Defence Research & Development Organization, New Delhi, India
fYear :
2015
Firstpage :
1
Lastpage :
6
Abstract :
Over the years, cyber attacks have turned more sophisticated, directed and lethal. In recent times, attackers have found new means to bypass advanced and sophisticated methods like sandboxing. Sandboxes emulate and analyze behavior and network in an isolated environment. Forensic investigations are performed by combining static analysis with sandbox analysis. The limitation with sandboxing is simulating Human Computer Interaction (HCI) and this is best used by malware writers for advanced threat models. Malware analysis using sandboxing is no longer considered a robust technique. This paper aims to evaluate the effectiveness of sandboxing and evasion techniques used by malwares to evade them. For this analysis we have used Trojan Upclicker which uses HCI for its injection and execution. Malware analysis was performed on sandboxes like Malwr, Anubis and a commercial sandbox based on parameters like files created or modified, registry changes, running processes, memory mapping, network connections to outside domains, signatures and operating system changes. While Anubis failed to find any irregularity in the malware sample, Malwr was able to diagnose it as a malware. The commercial off-the-shelf sandbox gave comprehensive detailed results. Through this we conclude that though sandboxing is a better and less complex way of analyzing samples, it still does not assure a pinnacle spot in malware analysis. Nefarious individuals are cognizant of this shortcoming of sandboxes and are smartly developing more evading malwares. Efforts need to be put into making these sandboxes simulate HCI events more efficiently.
Keywords :
"Malware","Security","Operating systems","Browsers","Organizations","Monitoring","Virtual machining"
Publisher :
ieee
Conference_Titel :
India Conference (INDICON), 2015 Annual IEEE
Electronic_ISBN :
2325-9418
Type :
conf
DOI :
10.1109/INDICON.2015.7443327
Filename :
7443327