Kaspersky has received a patent (US10339301) from the US Patent and Trademark Office for a technology designed to simplify the detection of malicious functionality in a virtual machine. By creating the exact conditions that trigger malware execution, this patented know-how allows researchers to analyse a suspicious file in a single attempt instead of trying it multiple times. When implemented, the technology is predicted to increase the detection rate of sandboxing, and automates the work that analysts would otherwise have to do manually.
One of the methods of malicious behaviour of a file is to run it in an isolated virtual machine, also known as a sandbox. This method automates malware analysis, nonetheless, it still requires some manual work to create an appropriate environment in which the malware will reveal its ‘true nature’. Besides, cybercriminals often implement sandbox evasion techniques; to avoid detection, a malicious file may check before execution if it’s in a virtual machine or stay inactive for a long time until the sandbox is no longer operating.
The patent entitled “System and Method of Analysis of Files for Maliciousness in a Virtual Machine” describes a technology which automatically triggers execution of a file, and the appropriate conditions for each one.
These conditions may vary. Malware may not show its malicious behaviour if it targets a specific application – for example, an email client that is missing in sandbox. To deal with this challenge, a researcher needs to look through logs, understand what is missing, add it to virtual machine environment, and run the process again.
Now, when malware tries to access something, whether an application, a directory or a file, the patented system intercepts this attempt. However, it doesn’t wait until the file execution is finished, but pauses the process and creates the required application as well as the content (e.g. browser passwords). After that, the process continues.
The patented technology also can help to overcome an evasion technique when malware ‘sleeps’ for a certain time before executing to avoid detection as it stays inactive for a period longer than sandbox is working. In such cases, patented technology speeds up the time flow inside the virtual machine, so the malicious code is forced to execute sooner. Nonetheless, as all timers and clocks were facilitated inside the sandbox, the malware cannot distinguish this trick.
Detection rules describing how to react to a specific event are not preinstalled or implemented inside the engine, but can be easily updated and added – thus, any new logic doesn’t involve changing the entire engine, but only enriches available malicious behaviour scenarios.
Vladislav Pintiysky, Emulation Technologies Group Manager at Kaspersky, and one of the technology inventors, comments: “As cybercriminals constantly come up with new evasion techniques, we have to make our technologies more sophisticated to detect malicious behaviour. For example, sleep timers are becoming more widespread now – according to Kaspersky’s malware analysts, almost half of samples overlooked by automatic tools use delays in execution. This patented technology intelligently manages the file flow in sandbox, allowing it to receive everything it needs.”
“As a result, the verdict can be carried out after the first request. Given the high-performance requirement of sandboxes, it will save company resources while increasing the accuracy of malware detection,” – adds Denis Kobychev, Testing Group Manager at Kaspersky, and co-inventor of the technology.
The technology will be used internally to analyse malware and be implemented in solutions with sandboxes.
Kaspersky continues to develop and patent new protection technologies. By the beginning of August 2019, the company has 814 patents in Russia, the US, China and Europe, with 407 more patent applications filed.