Trojan Looks for Sandbox

Tuesday, May 12, 2015 @ 04:05 PM gHale

There is a new version of the Tinba banking malware that has the capability to check out the environment to make sure there is no sandbox.

Malware developers have reached the point where they routinely use anti-analysis tactics to make sure their threat only runs on real machines and not inside a sandbox, the isolated environment security products use to test suspicious files, researchers at F-Secure said.


The Tinba (short for Tiny Banker) variant discovered by F-Secure features an evasion technique that relies on checking for mouse movement and the active window the user works on.

To achieve this, Tinba relies on two Windows APIs: GetCursorPos, which returns the current mouse position, and GetForegroundWindow, which returns a handle to the window the user is currently working in.

Because an automated sandbox typically runs a sample in a single window that never changes, the malware calls GetForegroundWindow twice and compares the results. If both calls return the same window, there is a chance it is running in an environment built for malware analysis, and it does not execute its main infection routine.

The two calls are made several seconds apart, mimicking the pace of a real user so the delay does not raise suspicion.

Tinba starts its activity only once it detects that the foreground window has changed and that the mouse cursor has moved, the researchers said.

Apart from this technique, the malware also tries to determine whether the system is a virtual machine by querying the number of cylinders reported for the storage device.

“Basically, this is similar to checking for the disk capacity. Perhaps due to the ease of implementation, it only checks for the number of cylinders on the disk using the ioctl code IOCTL_DISK_GET_DRIVE_GEOMETRY_EX instead of finding out the physical size of the disk,” F-Secure said in a blog post.
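As an added example (not code from F-Secure's write-up or the Tinba sample), the following Python flags the three checks described above when they show up in a sandbox's API-call trace, which is the kind of artifact a sandbox operator can review to see whether a sample probed for analysis. The trace line format and the sample lines are constructed for illustration, and the one-second spacing threshold for the repeated GetForegroundWindow calls is an assumption.

```python
import re

# Constructed sample trace in a hypothetical "<seconds> <api>(<args>)" format.
SAMPLE_TRACE = """\
0.004 GetCursorPos(lpPoint=0x0019FF10)
0.005 GetForegroundWindow()
5.210 GetForegroundWindow()
5.212 GetCursorPos(lpPoint=0x0019FF10)
5.300 DeviceIoControl(hDevice=0x9c, dwIoControlCode=0x700A0)
"""

IOCTL_DISK_GET_DRIVE_GEOMETRY_EX = 0x700A0  # documented Windows control code
LINE_RE = re.compile(r"^(?P<t>\d+(?:\.\d+)?)\s+(?P<api>\w+)\((?P<args>.*)\)$")


def parse_trace(text):
    """Return [(seconds, api_name, raw_args)] for every well-formed trace line."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            calls.append((float(m.group("t")), m.group("api"), m.group("args")))
    return calls


def _is_geometry_ioctl(args):
    """True if DeviceIoControl args carry the drive-geometry IOCTL, by name or hex."""
    m = re.search(r"dwIoControlCode=(\w+)", args)
    if not m:
        return False
    if m.group(1) == "IOCTL_DISK_GET_DRIVE_GEOMETRY_EX":
        return True
    try:
        return int(m.group(1), 16) == IOCTL_DISK_GET_DRIVE_GEOMETRY_EX
    except ValueError:
        return False


def analyze(text, min_gap_seconds=1.0):
    """Return the sorted list of Tinba-style evasion indicators seen in the trace."""
    calls = parse_trace(text)
    found = set()
    # Two foreground-window reads spaced seconds apart: the window-change poll.
    fg = [t for t, api, _ in calls if api == "GetForegroundWindow"]
    if any(b - a >= min_gap_seconds for a, b in zip(fg, fg[1:])):
        found.add("foreground_window_polling")
    if any(api == "GetCursorPos" for _, api, _ in calls):
        found.add("cursor_position_check")
    if any(api == "DeviceIoControl" and _is_geometry_ioctl(a) for _, api, a in calls):
        found.add("disk_geometry_query")
    return sorted(found)
```

A sandbox that sees all three indicators and no subsequent network or file activity has likely been fingerprinted rather than infected, which is a cue to re-run the sample with simulated mouse movement, window changes and a realistic disk geometry.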

As a word of warning, F-Secure researchers said, “Tinba demonstrates that it can detect a sandbox simply by testing user interaction on a window and by checking for the disk capacity on a machine. When hardening their sandbox technology, other sandbox providers should keep in mind that malware authors are relentless in pursuing new ways to evade detection and thus should make adjustments accordingly to keep up with them.”
