Many malicious Python scripts implement a sandbox detection mechanism; I already wrote diaries about this[1], but it requires some extra code in the script. Because we are lazy (attackers too), why not automate this and easily detect the presence of such a security mechanism?
I spotted an interesting script (VT score 3/60) that uses a Python library I met for the first time: “sandboxed”. It has a method to detect the presence of a sandbox easily:
```python
from sandboxed import is_sandboxed
import sys
certainty = is_sandboxed(logging=False)
if int(certainty)>0.5:
    sys.exit()
import zlib,base64,ssl,socket,struct,time
[...]
```
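Since the evasion gate is only a few lines of plain Python, it can be triaged statically. The following is an added example (not code from the diary or from the sandboxed project) that parses a script with the standard `ast` module and flags the combination seen above: an import of `sandboxed`, a call to `is_sandboxed()`, and an `if` block whose body just exits the process. The embedded sample script is a constructed copy of the snippet quoted in the diary.

```python
import ast

# Constructed sample: the gate shape quoted in the diary, not a real malware file.
SAMPLE = '''
from sandboxed import is_sandboxed
import sys
certainty = is_sandboxed(logging=False)
if int(certainty)>0.5:
    sys.exit()
import zlib,base64,ssl,socket,struct,time
'''

def _call_name(node):
    """Return the dotted callee name of a Call node, e.g. 'sys.exit' or 'is_sandboxed'."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return ""

def scan_script(source):
    """Return findings: whether 'sandboxed' is imported, how many times is_sandboxed()
    is called, and the line numbers of 'if' blocks whose body is only an exit call."""
    tree = ast.parse(source)
    findings = {"imports_sandboxed": False, "is_sandboxed_calls": 0, "exit_gates": []}
    exit_names = {"sys.exit", "exit", "quit", "os._exit"}
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == "sandboxed":
            findings["imports_sandboxed"] = True
        elif isinstance(node, ast.Import) and any(a.name == "sandboxed" for a in node.names):
            findings["imports_sandboxed"] = True
        elif isinstance(node, ast.Call) and _call_name(node).endswith("is_sandboxed"):
            findings["is_sandboxed_calls"] += 1
        elif isinstance(node, ast.If):
            # A branch that does nothing but terminate the process is the evasion gate shape.
            for stmt in node.body:
                if (isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call)
                        and _call_name(stmt.value) in exit_names):
                    findings["exit_gates"].append(node.lineno)
    findings["suspicious"] = (findings["imports_sandboxed"]
                              and findings["is_sandboxed_calls"] > 0
                              and bool(findings["exit_gates"]))
    return findings

if __name__ == "__main__":
    print(scan_script(SAMPLE))
```

The three signals are reported separately so a benign script that merely calls `sys.exit()` is not flagged; only the full import/check/exit pattern sets `suspicious`.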
The library's project repository[2] explains the checks performed:
- Machine specifications
- File systems
- Internet access
For sure, it's not bulletproof, but it could probably spot a lot of sandboxes! Note that this module focuses on Windows sandboxes: I had a look at the code, and there are only references to Windows artifacts (VirtualBox and VMware driver files, and guest-tools processes from several hypervisors):
```python
_FILES = [
    r"C:\WINDOWS\system32\drivers\VBoxMouse.sys",
    r"C:\WINDOWS\system32\drivers\VBoxGuest.sys",
    r"C:\WINDOWS\system32\drivers\VBoxSF.sys",
    r"C:\WINDOWS\system32\drivers\VBoxVideo.sys",
    r"C:\WINDOWS\system32\vboxdisp.dll",
    r"C:\WINDOWS\system32\vboxhook.dll",
    r"C:\WINDOWS\system32\vboxmrxnp.dll",
    r"C:\WINDOWS\system32\vboxogl.dll",
    r"C:\WINDOWS\system32\vboxoglarrayspu.dll",
    r"C:\WINDOWS\system32\vboxoglcrutil.dll",
    r"C:\WINDOWS\system32\vboxoglerrorspu.dll",
    r"C:\WINDOWS\system32\vboxoglfeedbackspu.dll",
    r"C:\WINDOWS\system32\vboxoglpackspu.dll",
    r"C:\WINDOWS\system32\vboxoglpassthroughspu.dll",
    r"C:\WINDOWS\system32\vboxservice.exe",
    r"C:\WINDOWS\system32\vboxtray.exe",
    r"C:\WINDOWS\system32\VBoxControl.exe",
    r"C:\WINDOWS\system32\drivers\vmmouse.sys",
    r"C:\WINDOWS\system32\drivers\vmhgfs.sys",
    r"C:\WINDOWS\system32\drivers\vmusbmouse.sys",
    r"C:\WINDOWS\system32\drivers\vmkdb.sys",
    r"C:\WINDOWS\system32\drivers\vmrawdsk.sys",
    r"C:\WINDOWS\system32\drivers\vmmemctl.sys",
    r"C:\WINDOWS\system32\drivers\vm3dmp.sys",
    r"C:\WINDOWS\system32\drivers\vmci.sys",
    r"C:\WINDOWS\system32\drivers\vmsci.sys",
    r"C:\WINDOWS\system32\drivers\vmx_svga.sys",
]

_PROCESSES = [
    "vboxservices.exe",
    "vboxservice.exe",
    "vboxtray.exe",
    "xenservice.exe",
    "VMSrvc.exe",
    "vemusrvc.exe",
    "VMUSrvc.exe",
    "qemu-ga.exe",
    "prl_cc.exe",
    "prl_tools.exe",
    "vmtoolsd.exe",
    "df5serv.exe",
]
```
[1] https://isc.sans.edu/forums/diary/Sandbox+Evasion+Using+NTP/26534
[2] https://github.com/frederikme/sandboxed
Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.