Attacking Sandboxes

Posted by kdawson on Sunday July 15, 2007 @12:05PM from the just-another-brick-in-the-wall dept.

SkiifGeek writes "Many anti-malware applications use a sandbox as a tool to help identify potentially malicious software. Now knowledge is spreading about techniques and methods that can allow sandboxed software to target the sandbox itself (and by extension the application that applied it). While attacks that specifically target sandboxing applications are probably a little way off, this technology can be considered the logical extension of techniques and procedures to identify the presence of hosted systems (VMWare, Virtual PC, etc.)."

1 of 110 comments (clear)

Min score:

Reason:

Sort:

Old news by Nick_taken · 2007-07-15 12:18 · Score: 4, Informative

Theres a simple detection program called RedPill that probes a simple method to do so, vmware leaves a lot of registry keys on windows, VirtualBox lacks supports for hardware breakpoints, cpu cycles counts is another way to detect virtualization, and some packed malware dont even run on virtual machines because of memory management, software packed with armadillo do not run on vbox and it used to fail on vmware player until they fixed that bug.

"Thwarting Virtual Machine Detection" is a nice paper on virtual machine detection.