Sanjay Katkar, CTO, Quick Heal
Over the past few years, spear phishing attacks via highly targeted messages have been the primary vector of successful data breaches. More than 90% of successful attacks on enterprise networks are the result of spear phishing methods. This has led to the rise of a new breed of security solutions- Sandbox-Based Gateway Appliances. This solution provides advanced malware detection for incoming emails in the form of an easy to use Sandbox appliance. It launches every incoming email attachment in a secure virtual environment to monitor its runtime behavior. In case it detects any malicious activity, a red flag is raised. The results of this technology have been positive so far, and many zero-day Advanced Persistent Threats (APTs) have been detected and blocked by this approach. As a result, several business enterprises are turning to such Advanced Threat Protection Sandbox-Based Gateway Appliances for their network security.
So does the implementation of this security signal the end of APTs and data breaches within enterprises? The early success of such Sandbox-Based appliances can be attributed to the fact that malware variants were never designed with such protection mechanisms in mind in the first place. Instead, these samples were focused towards breaching traditional antivirus and firewall solutions to test and plan their attacks. This enabled them to breach traditional security solutions with zero-day attacks very frequently. But now that more enterprises are using these Advanced Threat Protection Sandbox-Based appliances, new malware variants are being designed with the aim of penetrating this specific protection mechanism.
Sandbox execution, or virtual environment execution, does have its own limitations which are specifically targeted by advanced next-generation malware. A major limitation here is that Sandbox Gateway Solutions can only execute and monitor the executables for limited time duration. They cannot wait endlessly to observe and detect malicious behavior as and when it arises. This key limitation is quite easy to take advantage of and today’s malware samples simply wait for more than 10-15 minutes before they start their malicious activity. In other words, they simply go to sleep and maintain the executable behavior as normal for the initial 10-15 minutes.
Another limitation is that several complex vulnerability exploits are triggered only for particular environments which are hard to recreate in virtual environments. For example, a specific exploit will work only if a particular version of Adobe Reader is used on a particular version of Windows running a specified Service Pack. Such a situation will be hard to emulate in a Sandbox environment. These targeted APTs are expertly designed by conducting a deep and thorough study of the targeted organizations. They are made for situations where in these specific environment scan be recreated at endpoints that are suitable for vulnerability exploits. Such targeted APTs will be extremely hard to detect in simulated or virtual environment executions. Moreover, newer malware variants are also designed to proactively detect if they are being executed in a virtual machine or in an actual machine as well.
At the Quick Heal Threat Research Labs, we have come across a new malware sample that was able to breach this Sandbox protection. It successfully worked its way around this mechanism and reached auser’s inbox without getting detected. Detailed analysis of this sample revealed that it has been designed to infect highly protected networks. It also has several anti-virtual machine and anti-Sandbox tricks implemented within it. This malware was reported on 4th August and it has been named APT1508-04. We believe this discovery signals a new pattern wherein malware authors will devise new methods to invade Sandbox appliances, and then these appliances will release improved versions to combat them. Hence, Sandbox appliances will end up in a similar situation as that of the prevailing endpoint security industry.
We are in the midst of analyzing this APT threat further, and will be releasing a detailed analysis report soon. What this attack has taught us is that even the most advanced Sandbox-Based appliance protection can be breached. As a result, enterprises need to consider and implement multiple layers of protection to safeguard their networks. While the network breaches of the last few years have raised concerns about the effectiveness of endpoint security protection, future breaches are also sure to raise the question - Can Sandbox appliances provide reliable protection against APTs?