Symantec researchers have discovered 400 malware samples created in 2011 that trick automated malware analysis systems into reporting them as clean programs.
"If malware can hide itself from automated threat analysis systems, it can blend in with millions of sample files and antivirus applications may not be able to figure out that it is malicious," says the researcher.
So malware authors use techniques that hide their malicious files from automated malware analysis systems.
The malware detects the sandbox using several techniques, including checking registry entries, checking for video and mouse drivers, running special assembler code, and checking for certain processes.
If the malware detects that it is running in a sandbox, it stops running, so the sandbox concludes that it is a clean file.
Some malware waits a few minutes before starting its malicious activity. Because a sandbox spends only a short time on each sample, it never observes the malicious activity and reports the file as clean.
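As an added illustration (not code from Symantec or from the article), the following Python sketch applies the analyst-side heuristics that follow from the techniques above to a constructed API-call trace: registry probes for virtualisation products, video/input device enumeration, long sleeps, and the tell-tale pattern of probing and then exiting without any real activity. The trace format, the indicator lists and the two-minute sleep threshold are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed API-call trace, one "api|argument" entry per line (not from the article).
SAMPLE_TRACE = [
    "RegOpenKeyExW|HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools",
    "EnumDisplayDevicesW|",
    "GetRawInputDeviceList|",
    "Sleep|600000",
    "ExitProcess|0",
]

# Assumed indicator tables; a production sandbox would carry far richer ones.
VM_REGISTRY_MARKERS = ("vmware", "virtualbox", "vbox", "qemu", "sandbox")
REGISTRY_APIS = {"RegOpenKeyExA", "RegOpenKeyExW", "RegQueryValueExW"}
DEVICE_PROBE_APIS = {"EnumDisplayDevicesW", "GetRawInputDeviceList"}
SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution"}
ACTIVITY_APIS = {"CreateProcessW", "CreateFileW", "WriteFile", "connect", "InternetOpenUrlW"}
LONG_SLEEP_MS = 120_000  # assumed threshold: two minutes of delay in total

@dataclass
class EvasionReport:
    findings: list[str] = field(default_factory=list)
    total_sleep_ms: int = 0
    activity_calls: int = 0

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)

def analyze_trace(lines: list[str]) -> EvasionReport:
    """Flag behaviour that only makes sense if the sample is looking for a sandbox."""
    report = EvasionReport()
    probed = False
    for line in lines:
        api, _, arg = line.partition("|")
        api, arg = api.strip(), arg.strip()
        if api in REGISTRY_APIS and any(m in arg.lower() for m in VM_REGISTRY_MARKERS):
            report.findings.append(f"vm-registry-probe: {arg}")
            probed = True
        elif api in DEVICE_PROBE_APIS:
            report.findings.append(f"device-enumeration: {api}")
            probed = True
        elif api in SLEEP_APIS and arg.isdigit():
            report.total_sleep_ms += int(arg)
        elif api in ACTIVITY_APIS:
            report.activity_calls += 1
    if report.total_sleep_ms >= LONG_SLEEP_MS:
        report.findings.append(f"long-delay: {report.total_sleep_ms} ms of sleep in total")
    # A sample that probes its environment and then exits without touching files, processes
    # or the network looks "clean" to a timed run; escalate it for manual analysis instead.
    if probed and report.activity_calls == 0:
        report.findings.append("probe-then-idle: no file/process/network activity after checks")
    return report
```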
Malware authors are always researching and testing new ideas to fool automated malware analysis systems, so it is hard to detect such samples in a sandbox. Researchers have to analyze the malware with behavioral analysis or static analysis. But it is impossible to analyze 400 million malware samples that way?!