Easy Python Sandbox Detection
Many malicious Python scripts implement a sandbox detection mechanism, I already wrote diaries about this[1], but it requires some extra code in the script. Because we are lazy (attackers too), why not try to automate this and easily detect the presence of such a security mechanism?
I spotted an interesting script (VT score 3/60) that uses a Python library I met for the first time: "sandboxed". It has a method to detect the presence of a sandbox easily:
from sandboxed import is_sandboxed
import sys
certainty = is_sandboxed(logging=False)
if int(certainty)>0.5:
sys.exit()
import zlib,base64,ssl,socket,struct,time
[...]
The library project repository[2] explains the checks performed:
- Machine specifications
- File systems
- Internet access
For sure, it's not bulletproof, but it could probably spot a lot of sandboxes! Note that this module focuses on Windows sandboxes, I had a look at the code, and there are only references to Windows artifacts:
_FILES = [ r"C:\WINDOWS\system32\drivers\VBoxMouse.sys", r"C:\WINDOWS\system32\drivers\VBoxGuest.sys", r"C:\WINDOWS\system32\drivers\VBoxSF.sys", r"C:\WINDOWS\system32\drivers\VBoxVideo.sys", r"C:\WINDOWS\system32\vboxdisp.dll", r"C:\WINDOWS\system32\vboxhook.dll", r"C:\WINDOWS\system32\vboxmrxnp.dll", r"C:\WINDOWS\system32\vboxogl.dll", r"C:\WINDOWS\system32\vboxoglarrayspu.dll", r"C:\WINDOWS\system32\vboxoglcrutil.dll", r"C:\WINDOWS\system32\vboxoglerrorspu.dll", r"C:\WINDOWS\system32\vboxoglfeedbackspu.dll", r"C:\WINDOWS\system32\vboxoglpackspu.dll", r"C:\WINDOWS\system32\vboxoglpassthroughspu.dll", r"C:\WINDOWS\system32\vboxservice.exe", r"C:\WINDOWS\system32\vboxtray.exe", r"C:\WINDOWS\system32\VBoxControl.exe", r"C:\WINDOWS\system32\drivers\vmmouse.sys", r"C:\WINDOWS\system32\drivers\vmhgfs.sys", r"C:\WINDOWS\system32\drivers\vmusbmouse.sys", r"C:\WINDOWS\system32\drivers\vmkdb.sys", r"C:\WINDOWS\system32\drivers\vmrawdsk.sys", r"C:\WINDOWS\system32\drivers\vmmemctl.sys", r"C:\WINDOWS\system32\drivers\vm3dmp.sys", r"C:\WINDOWS\system32\drivers\vmci.sys", r"C:\WINDOWS\system32\drivers\vmsci.sys", r"C:\WINDOWS\system32\drivers\vmx_svga.sys" ] _PROCESSES = [ "vboxservices.exe", "vboxservice.exe", "vboxtray.exe", "xenservice.exe", "VMSrvc.exe", "vemusrvc.exe", "VMUSrvc.exe", "qemu-ga.exe", "prl_cc.exe", "prl_tools.exe", "vmtoolsd.exe", "df5serv.exe", ]
[1] https://isc.sans.edu/forums/diary/Sandbox+Evasion+Using+NTP/26534
[2] https://github.com/frederikme/sandboxed
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
Comments