
Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.


Expanded Commentary on Destroying Sandboxes

Following the explosion in popularity of the article on Destroying Sandboxes, it seemed that a number of readers were still curious about what it was that was being reported on.

Firstly, to clear up any misconceptions:

Sûnnet Beskerming researchers are also aware that these new approaches are the logical derivation of techniques and methods used to target VMware and other system-wide virtual sessions (as the article described) and may have already been discussed amongst smaller groups.

What prompted the article was the discovery of well-written, clearly explained techniques and source code that explored the sandboxes created by Norman products. Not only were these techniques being discussed and made available in an open manner, but they reflected an almost-complete general approach to attacking sandboxing software.

Also setting this new code apart from previous virtual-machine detection is the addition of routines and investigation of opportunities to reach out from inside the sandbox and potentially control the host system. Given that previous samples were almost exclusively about detecting the virtualised session, this addition is interesting and worth noting.

Finally, as these techniques spread more widely and gain more use in new malware samples, the job of antimalware developers and companies becomes that much more difficult, as another section of their own software is turned against the system it is trying to protect.

18 July 2007
