At Black Hat next week, researchers Claudio Guarnieri, Mark Schloesser and Jurriaan Bremer will conduct a session on malware evasion techniques and conduct demonstrations using their open source project, Cuckoo Sandbox, a 2½ year old technology that is a staple with many researchers, as well as enterprises and government agencies. The sandbox can be customized to extract configurations for malware ranging from banking Trojans to botnets or malware used in targeted attacks.

Sandboxes are the equivalent of a clean room where malware can be executed without harming production environments and behaviors can be analyzed. Malware, in turn, wants to go anywhere but a sterile area.

“Consequently what malware tries to achieve is detection of the sandbox environment,” Guarnieri said. “From there, it attempts to interrupt the execution as to not reveal its nature; for example, not show which domains they would contact or which files they would create.”

Numerous samples from different malware families have demonstrated cunning ways to evade detection, for example, refusing to execute if it detects that it’s being opened inside a virtual machine, or whether a remote desktop protocol connection is being used to look at code. Others will sleep for a defined period of time before executing, waiting perhaps to detect mouse movements to ensure that a human is at the wheel, and not some automated code scanner.

File-level sandboxes such as Cuckoo and others can also be configured to eliminate some reverse engineering of malware samples for incident response teams; the technology’s ability to identify the nature and family of the malware in questions, as well as command and control domains and IP addresses related to a particular attack often suffice.