Container-based Sandboxes for Malware Analysis: A Compromise Worth Considering

A. Khalimov, Sofiane Benahmed, Rasheed Hussain, S. Kazmi, A. Oracevic, Fatima Hussain, Farhan Ahmad, Kerrache Chaker Abdelaziz
DOI: 10.1145/3344341.3368810
Published in: Proceedings of the 12th IEEE/ACM International Conference on Utility and Cloud Computing, 2019-12-02
Citations: 8

Abstract

Malware analysis relies on monitoring the behavior of a suspected application within a confined, controlled and secure environment. These environments are commonly referred to as "sandboxes" and are often virtualized replicas of a regular system. Hypervisor-based sandboxes were among the most commonly used techniques for malware analysis during the last decade; however, these sandboxes often do not provide the stealth and transparency required to deceive the malware into believing that it is running on a target machine. This is due to the differences between virtualized systems and bare-metal ones, differences which the malware exploits as detection artifacts. In this paper, we address the aforementioned problem by exploring the use of container-based environments as an alternative to hypervisor-based sandboxes for malware analysis. More precisely, we explore different ways to monitor containerized applications and to make these containers act and look as close to real systems as possible. Our experimental results reveal that Docker containers are a promising option for a sandbox. However, this option comes at the cost of new detection artifacts, which make containers subject to fingerprinting through different sources that malware can easily find. We explore these sources and try to address them by various means, including system-call introspection. Finally, based on our discoveries, we introduce a container detection tool that will give the research community an opportunity to investigate malware analysis through containers in more detail.