Most sandboxing solutions rely on an agent component installed inside the virtual environment. Nowadays, malware actively tries to detect sandbox software, and these agents are easy targets. Evasion techniques such as hook detection and driver listing have been used for several years against well-known sandbox products.
The P2A sandbox is a third generation sandbox featuring state-of-the-art hypervisor introspection technology. By moving the analysis component outside of the virtual machine, our technology drastically reduces the surface for sandbox detection attacks. If you add to this an extensive list of anti-anti-VM and anti-anti-analysis tricks implemented by our best analysts, you obtain a sandbox that is both harder to detect and harder to evade than first and second generation sandboxes. For instance, it passes all pafish benchmarks.
The first generation sandbox solutions, which include Cuckoo sandbox, are based on API hooking. A sandbox agent, located inside the virtual machine, injects a piece of code (most of the time a DLL) into monitored processes running in the VM. The injected code modifies system DLLs in order to intercept and analyze Windows library calls.
While easy to develop, this technology is also the easiest to detect. Detection of first generation hooking can be achieved through the following means:
There are also many ways to evade first generation sandboxing:
Second generation sandbox solutions, such as Hybrid Analysis / Vx streams, tried to overcome some of the aforementioned drawbacks while staying relatively easy to maintain. These newer solutions are based on a custom Windows kernel driver deployed inside the virtual machine, which is in charge of the analysis. While this is theoretically equivalent to the first-generation agent (the driver is still inside the VM), it offers two technical advantages over the older solution:
Second generation sandboxes have a smaller attack surface, but can be detected nonetheless by determined attackers:
There are also ways to evade second generation kernel monitoring:
The P2A analyzer is based on the industry-recognized KVM hypervisor. By making heavy use of the VMX CPU extensions for VM introspection, the P2A sandbox is able to run malware at near native speed. If you add the possibility to create large clusters of analysis machines, you obtain a sandboxing solution that is able to handle several hundred thousand samples per day for a limited hardware investment.
Additionally, the P2A sandbox embeds several counter-measures against the class of malware that actively tries to delay its execution in order to evade detection.
All these features combined allow us to deliver high quality reports, showing much of the malware's potential activity, in a limited amount of time. A typical P2A analysis is done in 1 or 2 minutes, whereas most of our competitors need 3 to 10 minutes per sample in order to show interesting malicious behavior.