How to stop Zero Day malware with Sandboxing, technically…

Jon Goldman
3 min read · Feb 28, 2020

What is zero-day malware? It is an unknown malware or virus: its MD5 hash is not known to any traditional anti-malware protection.

You can take any unknown variant of the malware and upload it to www.virustotal.com to get a verdict and validate that it is indeed unknown to the list of traditional signature-based solutions. VirusTotal runs the sample against all of those engines from one unified page and exposes the same scan through its API.
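As an added example (not code from the post or from VirusTotal), the check described above as a defender would script it: hash the sample, ask the VirusTotal v3 file-report endpoint whether that hash is known, and turn the answer into a triage decision. The endpoint URL and the `x-apikey` header are VirusTotal's documented API v3; `SAMPLE_REPORT`, the vendor names in it and the `b"abc"` stand-in for a sample file are constructed so the example runs offline, and `lookup_hash` is only called if you supply a real key.

```python
import hashlib
import json
import urllib.error
import urllib.request

# VirusTotal API v3 file-report endpoint; authenticate with an "x-apikey" header.
VT_FILES_URL = "https://www.virustotal.com/api/v3/files/{}"


def file_hashes(data: bytes) -> dict:
    """MD5 (the hash the post refers to), plus SHA-1 and SHA-256, of a sample's bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def summarize_verdict(report: dict) -> dict:
    """Reduce a VirusTotal v3 file report to the counts an analyst cares about."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    results = attrs.get("last_analysis_results", {})
    flagged_by = sorted(
        engine for engine, result in results.items()
        if result.get("category") in ("malicious", "suspicious")
    )
    engines = sum(stats.get(k, 0) for k in ("harmless", "malicious", "suspicious", "undetected"))
    return {
        "known": True,
        "malicious": stats.get("malicious", 0),
        "suspicious": stats.get("suspicious", 0),
        "undetected": stats.get("undetected", 0),
        "engines": engines,
        "flagged_by": flagged_by,
    }


def triage(summary: dict) -> str:
    """Turn a summary into the next step: hashes nobody has seen go to the sandbox."""
    if not summary["known"]:
        return "unknown-to-signatures: submit to sandbox"
    if summary["malicious"] + summary["suspicious"] > 0:
        return "known-bad: block by hash"
    return "known-clean: allow"


def lookup_hash(digest: str, api_key: str, timeout: float = 15.0) -> dict:
    """Query VirusTotal for a hash. HTTP 404 means no engine on VirusTotal has seen the file."""
    request = urllib.request.Request(VT_FILES_URL.format(digest), headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return summarize_verdict(json.load(response))
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return {"known": False, "malicious": 0, "suspicious": 0,
                    "undetected": 0, "engines": 0, "flagged_by": []}
        raise


# Constructed report in the shape of a v3 response (vendor names are made up);
# it stands in for the network call so the example runs offline.
SAMPLE_REPORT = {
    "data": {
        "attributes": {
            "last_analysis_stats": {"harmless": 0, "malicious": 1,
                                    "suspicious": 1, "undetected": 1, "timeout": 0},
            "last_analysis_results": {
                "VendorA": {"category": "malicious", "result": "Trojan.Generic"},
                "VendorB": {"category": "undetected", "result": None},
                "VendorC": {"category": "suspicious", "result": "Heur.Suspicious"},
            },
        }
    }
}

if __name__ == "__main__":
    hashes = file_hashes(b"abc")          # constructed stand-in for a sample file
    print(hashes["md5"])                  # 900150983cd24fb0d6963f7d28e17f72
    summary = summarize_verdict(SAMPLE_REPORT)
    print(summary, "->", triage(summary))
    # Live lookup (needs a key): lookup_hash(hashes["sha256"], "YOUR_VT_API_KEY")
```

The 404 branch is the interesting one for this post: a hash that VirusTotal has never seen is exactly the "unknown to signature engines" case, and the only sensible action for it is detonation in a sandbox rather than a signature verdict.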

Here is a library of unknown malware samples: https://github.com/mstfknn/malware-sample-library

You can change the hash of the known variant with https://github.com/ewwink/MD5-Hash-Changer

Now, let's talk about protection. There are a number of open-source sandboxing solutions built on traditional engines, but most malware families, such as Emotet, Ryuk and the like, contain code that detects when they are running inside a sandboxed VM environment, and they will not detonate there.

For that reason, we used Check Point's CPU-based sandboxing, called SandBlast.

Here are some screenshots showing how to configure the solution to prevent unknown malware in HTTPS- and SMTP-based network traffic:

To clarify, the sandboxing capability that Check Point offers is called Threat Emulation.

They also have an additional sanitization capability, which basically means stripping the malicious macro code components out of any Office document by flattening the file and converting it into a .pdf document. This is an additional option worth configuring if you have too many malicious documents coming in.

Threat Extraction is configured within the same area.
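To make concrete what the sanitization step removes, here is an added example (mine, not Check Point's code and not how Threat Extraction is implemented) that detects the macro component of an Office attachment: modern Office files are OOXML zip containers, and a VBA project lives in a `vbaProject.bin` part declared with the `application/vnd.ms-office.vbaProject` content type. The `build_sample` helper constructs a minimal container in memory so the check runs offline; the placeholder bytes it writes into the macro part are constructed and are not a real VBA project.

```python
import io
import zipfile

# Parts and content type that mark a VBA project inside an OOXML (docx/docm/xlsm/pptm) container.
VBA_PART_NAMES = {"vbaproject.bin", "vbadata.xml"}
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def contains_vba(doc_bytes: bytes) -> bool:
    """True if an OOXML document carries a VBA project (macro) part."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as archive:
            names = archive.namelist()
            if any(name.rsplit("/", 1)[-1].lower() in VBA_PART_NAMES for name in names):
                return True
            if "[Content_Types].xml" in names:
                content_types = archive.read("[Content_Types].xml").decode("utf-8", "replace")
                return VBA_CONTENT_TYPE in content_types
    except zipfile.BadZipFile:
        # Not a zip container: legacy OLE2 .doc/.xls files need a different parser
        # (for example the olefile library), which is out of scope for this example.
        return False
    return False


def triage_attachment(filename: str, doc_bytes: bytes) -> str:
    """Decide what a mail gateway should do with an Office attachment."""
    if contains_vba(doc_bytes):
        return "extract: flatten to PDF (drops the macro project)"
    return "pass: no macro project found"


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container in memory, a stand-in for a real attachment."""
    overrides = ('<Override PartName="/word/document.xml" ContentType="application/'
                 'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    if with_macro:
        overrides += '<Override PartName="/word/vbaProject.bin" ContentType="%s"/>' % VBA_CONTENT_TYPE
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     + overrides + '</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("[Content_Types].xml", content_types)
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real VBA project is an OLE2 stream; an opaque placeholder is enough for detection.
            archive.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("invoice.docm", build_sample(True)), ("memo.docx", build_sample(False))):
        print(label, "->", triage_attachment(label, sample))
```

The check looks at both the part name and the declared content type, because a document can carry a renamed macro part that only the content-type map betrays. Flattening the document to PDF, as Threat Extraction does, side-steps the whole question: the VBA part is simply not carried across into the delivered file.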

This is an example of what a sandbox log entry looks like; you can open it further to see the forensics data within that log.

The log shows Detected because I initially configured the policy in Detect mode to make sure the functionality was actually working, and I didn't want to block anything at first. Even in Detect mode it still sandboxes the incoming files, whether they arrive over SMTP or HTTPS/FTP.

Architecting and deploying this sandboxing solution took us 2–3 hours. Once deployed, we instantly started seeing the traffic and were able to identify potentially malicious traffic. There are some command-line options within expert mode; see sk114806 for further information if you have a larger environment to architect and deploy. In our case we only had 500 users and an on-premises Exchange server.


Jon Goldman

Cloud Security, Automation, DevOps, AWS, Azure, GCP