Kaspersky patented sandbox that adapts to malware behaviour on the fly
August 2019 by Marc Jacob
Kaspersky has received a patent (US10339301) from the United States Patent and Trademark Office for a technology designed to simplify the detection of malicious functionality in a virtual machine. By creating the exact conditions that trigger malware execution, this patented know-how allows researchers to analyse a suspicious file in a single attempt instead of running it multiple times. When implemented, the technology is expected to increase the detection rate of sandboxing and to automate work that analysts would otherwise have to do manually.
One of the methods of detecting malicious behaviour in a file is to run it in an isolated virtual machine, also known as a sandbox. This method automates malware analysis, but it still requires some manual work to create an environment in which the malware will reveal its ‘true nature’. Besides, cybercriminals often implement sandbox evasion techniques: to avoid detection, a malicious file may check whether it is running in a virtual machine before executing its payload, or stay inactive until the sandbox’s analysis window has ended.
The patent, entitled “System and Method of Analysis of Files for Maliciousness in a Virtual Machine”, describes a technology which automatically triggers execution of a file by creating the conditions appropriate to that particular file.
These conditions vary. Malware may not show its malicious behaviour if it targets a specific application, for example an email client that is missing from the sandbox. To deal with this challenge, a researcher traditionally has to look through the logs, work out what is missing, add it to the virtual machine environment and run the process again.
With the patented system, when malware tries to access something, whether an application, a directory or a file, the attempt is intercepted. Rather than waiting until the file has finished executing, the system pauses the process, creates the required application along with plausible content (e.g. browser passwords), and then lets the process continue.
The patented technology can also help overcome the evasion technique in which malware ‘sleeps’ for a certain time before executing, staying inactive for longer than the sandbox’s analysis window. In such cases the technology speeds up the flow of time inside the virtual machine, so the malicious code is forced to execute sooner. Because all timers and clocks inside the sandbox are advanced consistently, the malware cannot distinguish this from real elapsed time.
Detection rules describing how to react to a specific event are not hard-coded into the engine, but can easily be updated and added: new logic does not involve changing the entire engine, but only enriches the available malicious-behaviour scenarios.
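The three mechanisms described above (intercepting a request for a missing resource and provisioning it before the process resumes, fast-forwarding the guest clock so a sleep elapses instantly, and keeping the provisioning rules as data outside the engine) can be sketched as a toy model. The following Python is an added illustration written for this page, not Kaspersky’s code or anything from the patent; the sandbox is an in-process simulation rather than a real virtual machine, the `sample` function is a constructed stand-in for an evasive file, and the Chrome profile path, the `outlook.exe` name and the decoy file content are assumed for the demonstration.

```python
"""Toy model of an adaptive sandbox: intercept the guest's requests for
resources, provision them on the fly, and fast-forward the guest's clock.
Constructed example for illustration; not Kaspersky's implementation."""

from dataclasses import dataclass, field
from typing import Callable, Optional


class AnalysisWindowExpired(Exception):
    """Raised when the sample sleeps past the sandbox's analysis window."""


@dataclass
class Rule:
    """One provisioning rule. kind is 'file' or 'process'; match decides whether
    the rule applies to a requested name; provision returns file content
    (or None for a process) to create when the sample asks for it."""
    kind: str
    match: Callable[[str], bool]
    provision: Callable[[str], Optional[bytes]]


@dataclass
class Sandbox:
    rules: list                      # rules are data, not engine code
    accelerate_time: bool = True
    window: float = 120.0            # seconds of analysis the sandbox affords
    now: float = 1_000.0             # virtual clock seen by the guest
    slept: float = 0.0
    files: dict = field(default_factory=dict)
    processes: set = field(default_factory=set)
    events: list = field(default_factory=list)

    # --- interception: every guest request for a missing resource lands here ---
    def _provision(self, kind: str, name: str) -> bool:
        for rule in self.rules:
            if rule.kind == kind and rule.match(name):
                content = rule.provision(name)
                if kind == "file":
                    self.files[name] = content
                else:
                    self.processes.add(name)
                self.events.append(("provision", kind, name))
                return True
        self.events.append(("missing", kind, name))
        return False

    # --- guest-facing API (what the sample calls) ---
    def process_running(self, name: str) -> bool:
        return name in self.processes or self._provision("process", name)

    def read(self, path: str) -> Optional[bytes]:
        if path not in self.files and not self._provision("file", path):
            return None
        self.events.append(("read", path))
        return self.files[path]

    def time(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.slept += seconds
        if not self.accelerate_time and self.slept > self.window:
            # A real-time sandbox would simply stop analysing here.
            raise AnalysisWindowExpired(f"sample slept {self.slept:.0f}s")
        # Advance the guest's only clock; time() and the sleep agree, so the
        # sample cannot tell that the wait was skipped.
        self.now += seconds
        self.events.append(("sleep", seconds))

    def exfil(self, data: bytes) -> None:
        self.events.append(("exfil", len(data)))

    def run(self, sample: Callable[["Sandbox"], str]) -> dict:
        try:
            result = sample(self)
        except AnalysisWindowExpired as exc:
            result = f"timeout: {exc}"
        malicious = any(e[0] == "exfil" for e in self.events)
        return {"result": result, "malicious": malicious, "events": list(self.events)}


# Assumed path and decoy content for the demonstration.
CHROME_LOGIN_DATA = r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"

DEFAULT_RULES = [
    Rule("process", lambda n: n.lower() == "outlook.exe", lambda n: None),
    Rule("file", lambda p: p.endswith("Login Data"),
         lambda p: b"SQLite format 3\x00" + b"decoy-credentials"),
]


def sample(env: Sandbox) -> str:
    """Constructed stand-in for an evasive sample: it requires a target
    application, sleeps past a typical analysis window, checks that the
    sleep really elapsed, and only then steals browser credentials."""
    if not env.process_running("outlook.exe"):
        return "clean exit: target application absent"
    before = env.time()
    env.sleep(600)
    if env.time() - before < 600:
        return "clean exit: sleep was skipped"
    data = env.read(CHROME_LOGIN_DATA)
    if data is None:
        return "clean exit: nothing to steal"
    env.exfil(data)
    return "payload executed"


if __name__ == "__main__":
    naive = Sandbox(rules=[], accelerate_time=False).run(sample)
    adaptive = Sandbox(rules=DEFAULT_RULES).run(sample)
    print("naive sandbox   :", naive["result"], "| malicious:", naive["malicious"])
    print("adaptive sandbox:", adaptive["result"], "| malicious:", adaptive["malicious"])
    for event in adaptive["events"]:
        print("  ", event)
```

Run stand-alone, the naive sandbox (no rules, real-time clock) sees only a clean exit because the target application is absent, while the adaptive one provisions `outlook.exe` on first request, fast-forwards the 600-second sleep, provisions the credential file on first read and records the exfiltration in a single pass. A sandbox with the rules but without time acceleration times out instead. New scenarios are added by appending a `Rule`, which leaves the `Sandbox` class untouched.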
The technology will be used internally to analyse malware and be implemented in solutions with sandboxes.
Kaspersky continues to develop and patent new protection technologies. By the beginning of August 2019, the company held 814 patents in Russia, the US, China and Europe, with 407 more patent applications filed.