Malware (Sneakyware) is the software that gets into your system and causes havoc, unless you detect it and neutralize first.
To detect malware, a common approach has been to place suspicious files in a “sandbox”, which is an isolated space in an IT system.
The idea is that the malware behaviour can then be engaged harmlessly, and the malware then quarantined or eliminated.
However, malware creators being sneaky by nature, new, advanced forms of malware now detect such sandboxes and take evasive action. If you thought sandboxing was the end of your malware worries, the following list of sneakyware tricks should convince you otherwise.
- Stays idle for an extended period. How long will your sandbox detection last? Ten minutes may be all the time a sandbox program will wait before (mistakenly) assuming all is well. Advanced malware knows how to go to sleep for a suitably long period, then wake up, all by itself.
- Waits for a user to do something. By waiting for a keystroke or a mouse click, advanced malware avoids detection by many sandbox programs.
- Waits until it is really inside a target system. The malware refrains from any suspicious activity for as long as it detects a sandbox or similar virtual machine environment. Only when it sees it is in a system of interest, will it begin to modify or download code, upload data to its command and control server, or execute other nefarious activities.
- Return-oriented programming. Possibly the champion of sneaky behaviour, the malware effectively gets other programs to run its code by overwriting return addresses on the stacks of those programs, altering which code they run next. This is the equivalent of the malware holding its hands up and saying “It’s not me!”, while getting other (good) programs to do its dirty work. No wonder sandboxes cannot figure it out.
- Use of a rootkit. Also highly sneaky, the rootkit stuffs malware code into the lower levels of an operating system, where sandboxes do not go.
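As an added example (not code from the original post), here is a small Python checker that scans a constructed sandbox API-call trace for the first three tricks above: long sleeps, polling for user input, and probing for virtual-machine artifacts. The trace format, the API names treated as indicators, and the thresholds are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample of a sandbox API-call trace, in an assumed format of
# "<timestamp_ms> <api>(<args>)". It is not real malware output.
SAMPLE_TRACE = """\
0 GetTickCount()
5 Sleep(600000)
600010 GetTickCount()
600015 GetCursorPos()
600020 GetCursorPos()
600025 GetCursorPos()
600030 GetCursorPos()
600040 RegOpenKeyExA(HKLM\\SYSTEM\\CurrentControlSet\\Services\\VBoxGuest)
600050 CreateFileA(\\\\.\\VBoxMiniRdrDN)
600060 InternetOpenA(Mozilla/5.0)
"""

LINE_RE = re.compile(r"^(\d+)\s+(\w+)\((.*)\)$")

# Thresholds and indicator lists are assumptions for this example.
MAX_TOTAL_SLEEP_MS = 120_000      # more than two minutes asleep in one run
MIN_INPUT_POLLS = 3               # repeated polling for mouse/keyboard activity
INPUT_POLL_APIS = {"GetCursorPos", "GetAsyncKeyState", "GetLastInputInfo"}
VM_ARTIFACT_RE = re.compile(r"vbox|vmware|qemu|virtual", re.IGNORECASE)

def parse_trace(text):
    """Yield (timestamp_ms, api, args) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)

def find_evasion_indicators(text):
    """Return the set of sandbox-evasion tricks suggested by a trace."""
    total_sleep = 0
    polls = Counter()
    found = set()
    for _ts, api, args in parse_trace(text):
        if api == "Sleep" and args.isdigit():
            total_sleep += int(args)          # accumulate every Sleep() call
        elif api in INPUT_POLL_APIS:
            polls[api] += 1                   # count input-polling calls per API
        elif api in {"RegOpenKeyExA", "CreateFileA"} and VM_ARTIFACT_RE.search(args):
            found.add("vm_detection")         # lookup of a hypervisor artifact
    if total_sleep > MAX_TOTAL_SLEEP_MS:
        found.add("long_sleep")
    if any(n >= MIN_INPUT_POLLS for n in polls.values()):
        found.add("waits_for_user_input")
    return found

if __name__ == "__main__":
    print(sorted(find_evasion_indicators(SAMPLE_TRACE)))
```

A trace that trips these checks is a reason to extend the sandbox run, simulate user activity, or hide hypervisor artifacts before trusting a clean verdict.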
Now you know what could be happening in your IT systems, and that “fair play” is absolutely not part of the process!