When malware authors go to great lengths to avoid behaving maliciously if they detect they’re running in a sandbox, sometimes the best answer for security defenders is to write their own sandbox that can’t easily be detected. There are a lot of sandboxing approaches out there with pros and cons to each. Unit 42 researchers will talk about why they chose to go the bespoke route, and they’ll discuss many of the evasion types they had to cover in that effort as well as strategies that can be used to counter them.
There are many variations on how malware authors specifically detect sandboxes, but the general theme is that they will check the characteristics of the environment to see whether it looks like a targeted host rather than an automated system.
Read more…
Source: Palo Alto Unit 42