Hello, welcome to the Friday, September 4, 2020 edition of the Santernut Storm Center's

Stormcast.

My name is Johannes Ulrich, and the time recording from Jacksonville, Florida.

In today's diary, Xavier is talking about code that he found in Python scripts that are used to detect if the code runs inside a

sandbox or a debugger.

And one pretty neat trick he found was code that actually checks the external time using

an NTP server.

So this is supposed to, for example, detect if the code is being stepped

through at a slower speed, and sometimes sandboxes will actually accelerate execution.

Sandboxes only have a limited amount of time to run a particular code sample, so they often move time forward to, for example,

the tech code that only runs, let's say, after half an hour or an hour, and still only

have to run the code for five minutes.

So what this particular sample does is it just checks the time using an external time server,

then it sleeps five seconds, and then it connects to the same time server again,

checking how much time actually passed.

If more or less time passed, then it knows it ran in an artificial environment,

and of course it will now not run or crash or do whatever else to make the analysts' life

difficult or the sandboxes life difficult. Another trick found in the same script, which actually an older trick and quite common, is to

check how many CPUs are present in a system.

Well, there are no real single-core CPUs anymore other than maybe in virtual machines. And so if only one CPU is present, this usually

means that the process is running in a virtual environment. And yes, Chrome for Android finally gets

on the DNS over HTTP or DOH bandwagon. Now, lots has been written about it,

...