The Sandbox
Understanding CyberForensics

Understanding The Sandbox Concept of Malware Identification

We need to get some definitions out of the way so we all know what we are talking about.

A “sandbox”, as it relates to computer security, is a designated, separate and restricted environment (or “container”) with tight control and permissions, where computer code can run without the ability to cause damage or infection. It is just like a real playground, where children can play in the sandbox but are not allowed to play anywhere outside of it, and the box around the sand is designed to keep the sand in and not make a mess all around. At that moment, the sandbox is their “virtual world”.

“Virtualization” provides a separate environment within a computer that can function independently from all other environments on the computer. One virtual container cannot change or modify another virtual container.

A “sandbox” and a “virtual machine” are not the same. When you run an application in a sandbox, it runs as if it were not in a sandbox. Anything the application attempts to create or change, however, is lost (not saved) when the application stops running.

In a “virtual machine”, anything created or changed by the application is allowed, and everything that happens stays within the virtual machine, similar to the “Las Vegas” theory: “What happens in Las Vegas stays in Las Vegas”. Once testing is completed, the virtual machine in use can be deleted without concern for anything that was done to it by running the questionable application.

As it relates to computer security, a “honeypot” is typically a computer, network or data system that appears to be part of a larger system, but is actually a controlled, standalone “bait” vehicle, designed to attract those wanting to infect and abuse. If you watch US television, you will most likely be familiar with the police action show “Bait Car”. The difference is that the criminals get caught immediately in the TV show. Real-life “honeypots” don’t necessarily lead to that same outcome.

There are different types of “honeypots”. For years, anti-spam companies “baited” forums, web sites, Usenet, and every other source they could find with email addresses in order to receive spam. The spam received was then researched to identify where it came from, as well as other general patterns. The type of honeypot we utilize in this discussion applies to the collection, research, identification and analysis of “malware”.

Virus prevention software can’t act on infections until it is taught about specific threats and malware.

“Malware” is a shortened form of “malicious software”. Malicious software is used to gain control of your computer, allowing the malware creator to do whatever he wants. The ultimate goal of gaining control is to disrupt the normal operations of the target; obtain sensitive or secret information; or gain access to private computer networks and systems for other purposes. Malware includes Trojans, viruses, ransomware, spyware, and yes, adware!

Before “malware” can be classified, added to virus protection software, etc., it first has to be caught. So the web is full of “spider webs for malware”, or “honeypots”! Creating a honeypot can be as simple as taking an old computer (or a server that is too old or too slow for any valid purpose), installing honeypot software, and connecting it to the network. (Honeypot software is available as an open source product, by the way.) It won’t take long before your system sees malicious activity, as hackers begin scanning for weaknesses and attempting to break in.

In a test this year, a security blogger leased server space in various countries and created honeypots. Within five minutes of being active, some of the machines had already been “hit” or scanned more than nineteen times! These were unknown machines, without any public awareness of their name, location, or status. The number of hacking attempts increased exponentially over the next few days!

Once hackers gain access to our system, they spend time looking around, searching for anything they can find. Since these systems are honeypots, they won’t find anything. The next step is for the hacker to upload his malware to our system. At this point, the hacker will attempt to run his malware, but our system ignores him, and eventually he moves on or uploads other malware. Either way, we have now harvested copies of malware being used in real life.
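As an added illustration of the harvesting step described above (this is example code written for this page, not software from any honeypot project), the following Python catalogs each file uploaded to a honeypot: it hashes the upload with SHA-256, stores one read-only quarantine copy per unique file, and records how many times and from which addresses that file was seen. The sample bytes, source addresses and timestamps are constructed placeholders.

```python
import hashlib
import os
import stat
import tempfile
from datetime import datetime, timezone

# Constructed stand-in uploads: harmless byte strings, not real samples.
SAMPLE_A = b"CONSTRUCTED-SAMPLE-A: inert placeholder bytes\n"
SAMPLE_B = b"CONSTRUCTED-SAMPLE-B: a different inert placeholder\n"


class CaptureCatalog:
    """Quarantines files uploaded to a honeypot and keeps one record per unique file."""

    def __init__(self, quarantine_dir: str):
        self.quarantine_dir = quarantine_dir
        self._records = {}  # sha256 hex -> record dict

    def ingest(self, data: bytes, source_ip: str, seen_at=None) -> dict:
        """Store an upload (once per unique content) and update its record."""
        digest = hashlib.sha256(data).hexdigest()
        seen_at = seen_at or datetime.now(timezone.utc).isoformat()
        record = self._records.get(digest)
        if record is None:
            path = os.path.join(self.quarantine_dir, digest + ".bin")
            with open(path, "wb") as fh:
                fh.write(data)
            # Read-only and never executable: the capture is evidence, not something to run here.
            os.chmod(path, stat.S_IRUSR)
            record = {"sha256": digest, "size": len(data), "path": path,
                      "first_seen": seen_at, "uploads": 0, "sources": set()}
            self._records[digest] = record
        record["uploads"] += 1
        record["sources"].add(source_ip)
        return record

    def records(self) -> list:
        return list(self._records.values())


def demo_run() -> dict:
    """Ingest a few constructed uploads and summarise what the catalog holds."""
    catalog = CaptureCatalog(tempfile.mkdtemp(prefix="honeypot-quarantine-"))
    # Constructed addresses (documentation ranges) and timestamps.
    a1 = catalog.ingest(SAMPLE_A, "198.51.100.7", "2013-11-19T10:00:00+00:00")
    a2 = catalog.ingest(SAMPLE_A, "203.0.113.9", "2013-11-19T10:05:00+00:00")
    catalog.ingest(SAMPLE_B, "198.51.100.7", "2013-11-19T10:06:00+00:00")
    return {
        "unique_files": len(catalog.records()),
        "same_record_for_duplicate": a1 is a2,
        "uploads_of_a": a1["uploads"],
        "sources_of_a": sorted(a1["sources"]),
        "first_seen_of_a": a1["first_seen"],
        "sha256_of_a": a1["sha256"],
    }


if __name__ == "__main__":
    for key, value in demo_run().items():
        print(f"{key}: {value}")
```

Keying the catalog on the content hash is what lets a honeypot operator tell a genuinely new sample from the hundredth copy of a known one, and the hash is also the value most naturally shared with a sandbox or antivirus vendor.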

Honeypots are equipped with a “sandbox” in order to contain and prevent the code or malware from wreaking havoc. Sandboxes are also used to analyze and learn about the specific malware threat.

From a press release dated November 19, 2013, “Threat Track” (which is the new name for “CWSandbox”) bills itself as the complete “malware analysis solution”. For consistency, we will continue to refer to “Threat Track” and “CWSandbox” simply as the “sandbox”.

The main job of the sandbox is to enable “users to automate the sample submission process; completely analyze any threat; and quickly act to protect sensitive data”. Once the sandbox gets the malware, it is able to analyze and evaluate the actions and processes of the malicious software. This allows system administrators to evaluate the potential exposure of their networks and take the appropriate action to secure against the latest threats.

Although malware authors are trying to stay ahead of sandbox technology, the sandbox has managed to implement new features and controls that mimic the actions required by the malware. For example, some malware “stalls” or, as kids like to say, “plays possum”, waiting for a period of time to pass or a particular action to occur, such as a system reboot. As part of the analysis, the sandbox mimics a system reboot and then looks to see how the malware responds to the fake reboot.
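To make the reboot-mimicking idea concrete, here is an added Python sketch of an analysis harness, written for this page; it is not Threat Track/CWSandbox code and makes no claim about how that product works internally. It assumes two common analysis controls: a virtual clock the harness can skip forward, so a long stall costs no real analysis time, and a simulated reboot that re-runs whatever the sample registered to start at boot. The “sample” is a constructed, harmless stand-in that only logs events, so the harness can show which behaviour a single run would miss.

```python
from dataclasses import dataclass, field


@dataclass
class AnalysisClock:
    """Virtual clock controlled by the harness, not by the wall clock."""
    now: float = 0.0  # seconds since the (simulated) boot

    def sleep(self, seconds: float) -> None:
        # Skip forward instantly: a stall of hours costs no real time.
        self.now += seconds


@dataclass
class Sandbox:
    clock: AnalysisClock = field(default_factory=AnalysisClock)
    autoruns: dict = field(default_factory=dict)  # name -> callable run on each boot
    events: list = field(default_factory=list)    # (clock seconds, boot number, message)
    boots: int = 1

    def log(self, message: str) -> None:
        self.events.append((round(self.clock.now), self.boots, message))

    def register_autorun(self, name: str, fn) -> None:
        """Record an 'at boot' persistence request made by the sample."""
        self.autoruns[name] = fn
        self.log(f"persistence: autorun '{name}' registered")

    def simulate_reboot(self) -> None:
        """Fake a reboot: new boot number, clock reset, autoruns re-executed."""
        self.boots += 1
        self.clock.now = 0.0
        self.log("reboot simulated")
        for name, fn in list(self.autoruns.items()):
            self.log(f"autorun '{name}' started")
            fn(self)


def second_stage(sb: Sandbox) -> None:
    # Constructed stand-in: the behaviour only reachable after a reboot.
    sb.log("second stage ran after reboot")


def stalling_sample(sb: Sandbox) -> None:
    """Constructed stand-in: waits six hours, then persists and does nothing more until reboot."""
    sb.clock.sleep(6 * 3600)
    sb.register_autorun("updater", second_stage)


def analyze(sample, reboots: int = 1) -> list:
    """Run a sample in a fresh harness, then simulate the requested number of reboots."""
    sb = Sandbox()
    sb.log("sample started")
    sample(sb)
    for _ in range(reboots):
        sb.simulate_reboot()
    return sb.events


def behaviour_unlocked_by_reboot(sample) -> list:
    """Messages seen only when a reboot is simulated, i.e. what a single run would miss."""
    single_run = {msg for _, _, msg in analyze(sample, reboots=0)}
    return [msg for _, _, msg in analyze(sample, reboots=1) if msg not in single_run]


if __name__ == "__main__":
    for secs, boot, msg in analyze(stalling_sample):
        print(f"boot {boot} t+{secs:>6}s  {msg}")
    print("missed without reboot:", behaviour_unlocked_by_reboot(stalling_sample))
```

The point of the harness is the comparison in `behaviour_unlocked_by_reboot`: with the clock skipped forward and one reboot simulated, the persistence registration and the second stage both appear in the event log, whereas a plain single run that stops when the sample goes quiet records nothing beyond the start.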

Need more proof? The Federal Bureau of Investigation (FBI) bid on the public market looking to use the sandbox on “any machine owned or controlled by the FBI”. They knew the value of the software.

One final comment about why we need sandbox.

“Automated malware must be analyzed (1) automatically, (2) effectively, and (3) correctly. … This is important to realistically assess the threat posed by the malware sample.”

For more information, go to
