Sandbox Awareness

January 27, 2009

Hi there,

Recently, malware has evolved new evasion tricks such as sandbox awareness: if a sample finds itself running inside one of the well-known analysis sandboxes, it simply stops executing, so the automated analysis records nothing useful.

Here is a small piece of code taken from a malware sample and adapted (the Win32 declarations were missing from the original snippet and have been added so it compiles as-is in VB6):

' Win32 declarations needed by IsInSandbox (added; not part of the original snippet)
Private Const TH32CS_SNAPMODULE As Long = &H8
Private Const HKEY_LOCAL_MACHINE As Long = &H80000002
Private Const KEY_READ As Long = &H20019
Private Const REG_SZ As Long = 1

Private Type MODULEENTRY32
    dwSize As Long
    th32ModuleID As Long
    th32ProcessID As Long
    GlblcntUsage As Long
    ProccntUsage As Long
    modBaseAddr As Long
    modBaseSize As Long
    hModule As Long
    szModule As String * 256      ' MAX_MODULE_NAME32 + 1
    szExePath As String * 260     ' MAX_PATH
End Type

Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
Private Declare Function Module32First Lib "kernel32" (ByVal hSnapshot As Long, lpme As MODULEENTRY32) As Long
Private Declare Function Module32Next Lib "kernel32" (ByVal hSnapshot As Long, lpme As MODULEENTRY32) As Long
Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function RegOpenKeyEx Lib "advapi32" Alias "RegOpenKeyExA" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, ByVal samDesired As Long, phkResult As Long) As Long
Private Declare Function RegQueryValueEx Lib "advapi32" Alias "RegQueryValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal lpReserved As Long, lpType As Long, ByVal lpData As String, lpcbData As Long) As Long
Private Declare Function RegCloseKey Lib "advapi32" (ByVal hKey As Long) As Long

Public Function IsInSandbox() As Boolean
    Dim hKey As Long, hSnapShot As Long
    Dim me32 As MODULEENTRY32
    Dim szBuffer As String * 128
    Dim dwType As Long, cbData As Long

    ' 1) Walk the modules loaded into our own process and look for sandbox DLLs
    hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId)
    If hSnapShot <> -1 Then                                  ' -1 = INVALID_HANDLE_VALUE
        me32.dwSize = Len(me32)
        If Module32First(hSnapShot, me32) <> 0 Then           ' first entry is the exe itself
            Do
                If InStr(1, LCase(me32.szModule), "sbiedll.dll") > 0 Then      ' Sandboxie
                    IsInSandbox = True
                ElseIf InStr(1, LCase(me32.szModule), "dbghelp.dll") > 0 Then  ' ThreatExpert
                    IsInSandbox = True
                End If
            Loop While Module32Next(hSnapShot, me32) <> 0
        End If
        CloseHandle hSnapShot
    End If

    ' 2) Compare the Windows ProductId with the IDs of known public sandboxes
    If Not IsInSandbox Then
        ' KEY_READ instead of the original KEY_ALL_ACCESS: the latter fails for non-admin users
        If RegOpenKeyEx(HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion", 0, KEY_READ, hKey) = 0 Then
            dwType = REG_SZ
            cbData = Len(szBuffer)
            If RegQueryValueEx(hKey, "ProductId", 0, dwType, szBuffer, cbData) = 0 Then
                If InStr(1, szBuffer, "76487-337-8429955-22614") > 0 Then      ' Anubis
                    IsInSandbox = True
                ElseIf InStr(1, szBuffer, "76487-644-3177037-23510") > 0 Then  ' CWSandbox
                    IsInSandbox = True
                ElseIf InStr(1, szBuffer, "55274-640-2673064-23950") > 0 Then  ' JoeBox
                    IsInSandbox = True
                End If
            End If
            RegCloseKey hKey                                  ' only close a key we actually opened
        End If
    End If
End Function

It detects Sandboxie, ThreatExpert, JoeBox, CWSandbox and Anubis by checking the Windows ProductId, or the presence of characteristic DLLs such as sbiedll.dll (Sandboxie) and dbghelp.dll (ThreatExpert). Both indicators are cheap for a sandbox operator to change: the ProductId is a single registry value, and dbghelp.dll is a normal Windows system library that legitimate processes load too, so that check is also prone to false positives.
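The same two checks, re-implemented in Python as an added example (this is not the post's code and not from any of the sandboxes named). The DLL names and ProductId values are the ones from the VB6 snippet; the function names classify, loaded_modules_windows, product_id_windows and is_in_sandbox are mine, and the module lists and ProductId strings in the usage section are constructed inputs. The decision logic is a pure function, so it can be exercised on any OS; the two collectors call the real Toolhelp32 and registry APIs through ctypes/winreg and only run on Windows. An analyst can run it inside a sandbox to see whether the environment would trip this sample's checks.

```python
"""Added example: sandbox-awareness checks (DLL names + ProductId) in Python."""
import ctypes
import sys

# Indicators exactly as in the VB6 snippet above.
SANDBOX_DLLS = {
    "sbiedll.dll": "Sandboxie",
    "dbghelp.dll": "ThreatExpert",
}
SANDBOX_PRODUCT_IDS = {
    "76487-337-8429955-22614": "Anubis",
    "76487-644-3177037-23510": "CWSandbox",
    "55274-640-2673064-23950": "JoeBox",
}

TH32CS_SNAPMODULE = 0x00000008
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value


class MODULEENTRY32(ctypes.Structure):
    """Layout of the Win32 MODULEENTRY32 (ANSI) structure."""
    _fields_ = [
        ("dwSize", ctypes.c_ulong),
        ("th32ModuleID", ctypes.c_ulong),
        ("th32ProcessID", ctypes.c_ulong),
        ("GlblcntUsage", ctypes.c_ulong),
        ("ProccntUsage", ctypes.c_ulong),
        ("modBaseAddr", ctypes.c_void_p),
        ("modBaseSize", ctypes.c_ulong),
        ("hModule", ctypes.c_void_p),
        ("szModule", ctypes.c_char * 256),   # MAX_MODULE_NAME32 + 1
        ("szExePath", ctypes.c_char * 260),  # MAX_PATH
    ]


def classify(modules, product_id):
    """Decision logic of IsInSandbox(): return the matched sandbox name or None.

    Module names are matched as lower-cased substrings (like InStr/LCase in
    the VB6 code); the ProductId is a substring match as well. DLL hits win
    over the ProductId, mirroring the original's ordering.
    """
    for name in modules:
        lowered = name.lower()
        for needle, sandbox in SANDBOX_DLLS.items():
            if needle in lowered:
                return sandbox
    if product_id:
        for needle, sandbox in SANDBOX_PRODUCT_IDS.items():
            if needle in product_id:
                return sandbox
    return None


def loaded_modules_windows():
    """Enumerate the modules in our own process via CreateToolhelp32Snapshot."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateToolhelp32Snapshot.argtypes = [ctypes.c_ulong, ctypes.c_ulong]
    k32.CreateToolhelp32Snapshot.restype = ctypes.c_void_p
    for fn in (k32.Module32First, k32.Module32Next):
        fn.argtypes = [ctypes.c_void_p, ctypes.POINTER(MODULEENTRY32)]
        fn.restype = ctypes.c_int
    k32.CloseHandle.argtypes = [ctypes.c_void_p]

    snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, k32.GetCurrentProcessId())
    if snap is None or snap == INVALID_HANDLE_VALUE:
        return []
    entry = MODULEENTRY32()
    entry.dwSize = ctypes.sizeof(entry)
    names = []
    ok = k32.Module32First(snap, ctypes.byref(entry))
    while ok:
        names.append(entry.szModule.decode("mbcs", "replace"))
        ok = k32.Module32Next(snap, ctypes.byref(entry))
    k32.CloseHandle(snap)
    return names


def product_id_windows():
    """Read HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\ProductId (KEY_READ is enough)."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            r"Software\Microsoft\Windows\CurrentVersion",
                            0, winreg.KEY_READ) as key:
            value, _ = winreg.QueryValueEx(key, "ProductId")
            return str(value)
    except OSError:
        return None


def is_in_sandbox():
    """Live check on Windows; on other platforms there is nothing to collect."""
    if sys.platform != "win32":
        return None
    return classify(loaded_modules_windows(), product_id_windows())


if __name__ == "__main__":
    print("live result:", is_in_sandbox())
    # Constructed inputs so the decision logic can be seen working on any OS.
    print(classify(["kernel32.dll", "SbieDll.dll"], None))        # Sandboxie
    print(classify(["kernel32.dll"], "76487-644-3177037-23510"))  # CWSandbox
```

The split between collectors and classify() is deliberate: it is the part worth unit-testing, and it makes the weakness of the indicators obvious, since a sandbox that renames its helper DLL or randomises ProductId passes both checks unchanged.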