Hello and welcome to the Tuesday, September 27th, 22nd2 edition of the Sandstone at Storm Center's Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

One of the neat tricks which makes Python such a useful and popular language, is the fact that, well,

there are modules for everything.

Your code is often just a couple lines connecting these modules.

Xavier today looked at a mal-resamble written in Python that took advantage of the

sandboxed module, which provides a simple function.

Is sandboxed?

As with the name implies the function returns true, if the code runs in the sandbox, false

if it's not running in the sandbox.

Now, the way this module works is it has a pretty good list of files that are often

present in particular sandbox technologies.

And then it also checks for about a dozen different process names and sees if they are running,

which also is indicative of the code running in a sandbox. So pretty easy to

extend this also for new sandboxes or as manufacturers, for example, may change the names of

some of these files. Very focused on Windows at this point, but certainly useful for an attacker

who wants to prevent their code

from running in a sandbox in order for it to be analyzed.

Now, of course, there's also the idea of sort of vaccination or inoculation.

It's sometimes called where you create one of these files in order to trick the malware

into believing that it's running in a sandbox

and that way it won't run.

Well, be a little bit careful with this.

...