5. Sandbox-aware malware

Challenges:
§ Malware detects OS features
  § Detects virtualization & debug tools
  § Runs only when specific files/registry keys are found
  § Runs only on 32/64 bit, Windows 7/8/10 or XP
§ Malware detects environment conditions
  § Runs only in specific domain names
  § Runs only when specific systems are found in network
  § Detects proxy settings
§ Time aware malware
  § Runs only in specific times of the day/week/month
  § Runs only in specific intervals
  § Runs only in specific time zones
  § Requires long runtime – hours, even days
§ Geo-location aware malware
  § Runs only in specific regions/countries
§ Communication
  § Malware uses TLS/SSL to call home
  § C&C server unavailable due to many reasons
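As an added example (not part of these slides): a small Python classifier that maps sandbox API-trace lines to the evasion categories listed above and tells the analyst which sandbox property to vary for a re-run. The trace lines and their format are constructed for this example; the API names are real Win32 calls, and the 5-minute sleep threshold is an assumed tuning value.

```python
import re

# Constructed API-trace excerpt (one call per line). The trace format is an
# assumption for this example; the API names are real Win32 calls.
SAMPLE_TRACE = """\
IsDebuggerPresent()
RegOpenKeyExW(HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions)
GetTimeZoneInformation()
GetComputerNameExW(ComputerNameDnsDomain)
WinHttpGetIEProxyConfigForCurrentUser()
Sleep(7200000)
GetLocaleInfoW(LOCALE_SISO3166CTRYNAME)
CreateFileW(C:\\Users\\user\\Documents\\report.docx)
"""
# One regex per evasion category from the slide. A hit does not prove evasion;
# it shows which sandbox property the sample inspected, so a re-run can vary it.
RULES = {
    "virtualization/debug tools": r"IsDebuggerPresent|CheckRemoteDebuggerPresent|VirtualBox|VMware|VBox|QEMU",
    "OS version/bitness": r"GetVersionEx|RtlGetVersion|IsWow64Process",
    "time/time zone": r"GetTimeZoneInformation|GetLocalTime|GetSystemTime",
    "domain/network": r"ComputerNameDnsDomain|NetGetJoinInformation|GetAdaptersInfo",
    "proxy settings": r"ProxyConfig|InternetQueryOption",
    "geo-location": r"LOCALE_SISO3166|GetUserGeoID|GetGeoInfo",
}
LONG_SLEEP_MS = 5 * 60 * 1000  # assumed threshold: one sleep this long = "requires long runtime"
# Sandbox adjustment for the next run, per category (slide order).
RERUN_ADVICE = {
    "virtualization/debug tools": "hardened VM profile or bare metal, no debugger attached",
    "OS version/bitness": "run across 32/64-bit and Windows 7/8/10/XP images",
    "time/time zone": "repeat with shifted clock, weekday and time zone",
    "long runtime": "extend the analysis window or enable sleep acceleration",
    "domain/network": "join the guest to a realistic decoy domain with populated neighbours",
    "proxy settings": "configure a plausible system proxy",
    "geo-location": "vary locale, keyboard layout and egress geo IP",
}

def classify_trace(trace):
    """Return {category: [matching trace lines]} for every category that fired."""
    findings = {}
    for line in trace.splitlines():
        for category, pattern in RULES.items():
            if re.search(pattern, line):
                findings.setdefault(category, []).append(line)
        m = re.match(r"Sleep\((\d+)\)", line)  # long single sleeps stall the sandbox clock
        if m and int(m.group(1)) >= LONG_SLEEP_MS:
            findings.setdefault("long runtime", []).append(line)
    return findings

def rerun_plan(findings):  # advice strings for the categories that fired
    return [RERUN_ADVICE[c] for c in RERUN_ADVICE if c in findings]
```

Run `classify_trace(SAMPLE_TRACE)` and feed the result to `rerun_plan` to get the list of sandbox changes for the second detonation.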