Abstract
Nowadays a lot of malware is analyzed in virtual machines. The Cuckoo sandbox (Cuckoo DevTeam: Cuckoo sandbox. http://www.cuckoosandbox.org, 2013) offers the possibility to log every action performed by the malware on the virtual machine. To protect themselves and to evade detection, malware need to detect whether they are running in an emulated environment or in a real one. With a few modifications and tricks applied to Cuckoo and to the virtual machine, we can try to prevent malware from detecting that it is under analysis, or at least make this harder. It is not necessary to apply all of the modifications, because doing so may produce a significant overhead: if the malware checks its own execution time, it may detect the anomaly and conclude that it is running in a virtual machine. The present paper shows how a malware can detect the Cuckoo sandbox and how we can counter that.
References
Cuckoo DevTeam: Cuckoo sandbox (2013). http://www.cuckoosandbox.org
MSDN: GetFileAttributes function (2013). http://msdn.microsoft.com/en-us/library/windows/desktop/aa364944(v=vs.85).aspx
Ortega, A.: Hardening Cuckoo Sandbox against VM-aware malware (2012). http://labs.alienvault.com/labs/index.php/2012/hardening-cuckoo-sandbox-against-vm-aware-malware/
VirtualBox: VirtualBox manual (2013). http://www.virtualbox.org/manual/
Cite this article
Ferrand, O. How to detect the Cuckoo Sandbox and to Strengthen it? J Comput Virol Hack Tech 11, 51–58 (2015). https://doi.org/10.1007/s11416-014-0224-9