How Can I Build a Malware Sandbox for External Monitoring?

Asked By CuriousCat97 On

I'm looking to create a malware sandbox that helps me observe all system activities like processes, network traffic, and behavior without installing any agents or monitoring tools inside the sandbox itself. The goal is to ensure that the malware doesn't realize it's being monitored. Ideally, this setup should be cloud-based. What tips or strategies can help me achieve effective external monitoring in this scenario?

2 Answers

Answered By CodeCrafter76 On

I previously worked on a similar sandbox for a former employer, and I can tell you, it’s quite challenging. You'll need a modified hypervisor to hide certain flags in various system components. Many sandboxes rely on a driver within the guest OS to collect data, which malware can often detect. We managed to use hypervisor-level introspection, doing things like syscall interception and memory tagging—but it’s not a simple task and would take a lot of expertise and engineering time.

MalwareHunterX -

Are there any open-source projects that come close to what you mentioned? I'll definitely check out Drakvuf. Also, do you have any idea what type of agents any.run might be utilizing?

Answered By TechieTinker27 On

Have you looked into using something like any.run? It seems there are existing solutions out there, so you might not have to build everything from scratch. My guess is that you'd want to set up a virtual machine (VM) and keep an eye on virtual network interfaces. Maybe the VM orchestrator can gather insights about the processes without needing any monitoring tools directly installed? Just make sure to disguise the VM enough, as some malware can detect it. Good luck with your project!

FutureDev101 -

Totally get that! Nested virtualization might help, but isn't it super resource-heavy? Just thinking if there’s another way without going full virtualization.
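The host-side approach in the second answer, watching the VM's virtual network interface instead of installing anything in the guest, can be illustrated with a small parser. The following is an added example and not code from the thread or from any.run; it assumes the guest's traffic was captured on the host side of its virtual NIC with something like `tcpdump -i vnet0 -w guest.pcap` (the interface name, the 192.168.122.0/24 addressing and the sample packets are all constructed assumptions) and summarizes the guest's outbound flows and DNS lookups from that classic pcap file. Nothing here runs inside the guest, so there is no agent for the malware to find.

```python
"""Agentless network observation for a sandbox VM, as seen from the host.

Added example, not code from the thread. It assumes the guest's traffic was
captured on the host side of its virtual NIC (e.g. `tcpdump -i vnet0 -w
guest.pcap`; the interface name is an assumption) and parses that classic
pcap file. Nothing here runs inside the guest.
"""
import struct
from collections import Counter

ETH_IPV4, PROTO_TCP, PROTO_UDP = 0x0800, 6, 17


def parse_pcap(data):
    """Yield raw Ethernet frames from a classic (not pcapng) pcap blob."""
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", data)[0])
    if end is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(end + "I", data, 20)[0] != 1:  # DLT_EN10MB
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def decode_frame(frame):
    """Return (proto, src, dst, sport, dport, payload) for IPv4 TCP/UDP, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    l4 = ip[ihl:]
    if proto not in (PROTO_TCP, PROTO_UDP):
        return None
    sport, dport = struct.unpack_from("!HH", l4)
    hdr = ((l4[12] >> 4) * 4) if proto == PROTO_TCP else 8  # TCP data offset / UDP header
    return proto, src, dst, sport, dport, l4[hdr:]


def dns_qname(payload):
    """First question name of a DNS message (question names are never compressed)."""
    if len(payload) < 12 or struct.unpack_from("!H", payload, 4)[0] == 0:
        return None
    labels, off = [], 12
    while off < len(payload) and payload[off] != 0:
        n = payload[off]
        if n & 0xC0:  # compression pointer: not valid in a question name
            return None
        labels.append(payload[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels)


def summarize(data, guest_ip):
    """Count the guest's outbound (proto, dst, dport) flows and list its DNS lookups."""
    flows, lookups = Counter(), []
    for frame in parse_pcap(data):
        d = decode_frame(frame)
        if d is None or d[1] != guest_ip:  # only traffic the guest initiates
            continue
        proto, _src, dst, _sport, dport, payload = d
        flows[("tcp" if proto == PROTO_TCP else "udp", dst, dport)] += 1
        if proto == PROTO_UDP and dport == 53 and dns_qname(payload):
            lookups.append(dns_qname(payload))
    return flows, lookups


# --- constructed sample capture (not real malware traffic) -------------------
def _ip4(proto, src, dst, l4):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + l4

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _tcp_syn(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)

def _dns_query(name):
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + q + struct.pack("!HH", 1, 1)

def _pcap(ip_packets):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, p in enumerate(ip_packets):
        frame = b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + p
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

GUEST_IP = "192.168.122.10"  # assumed libvirt-style NAT address for the sandbox VM
SAMPLE_PCAP = _pcap([
    _ip4(PROTO_UDP, GUEST_IP, "192.168.122.1", _udp(51000, 53, _dns_query("update.example-c2.test"))),
    _ip4(PROTO_TCP, GUEST_IP, "203.0.113.7", _tcp_syn(49152, 443)),
    _ip4(PROTO_TCP, GUEST_IP, "203.0.113.7", _tcp_syn(49153, 443)),
    _ip4(PROTO_TCP, "203.0.113.7", GUEST_IP, _tcp_syn(443, 49152)),  # inbound, ignored
])

if __name__ == "__main__":
    flows, lookups = summarize(SAMPLE_PCAP, GUEST_IP)
    for (proto, dst, port), n in flows.most_common():
        print(f"{proto} {dst}:{port} x{n}")
    print("dns:", lookups)
```

Because the capture point is the host's tap or bridge interface, the guest cannot tamper with it, unlike an in-guest network hook. The same host-side position is where you would add the VM-detection caveat from the answers above: if the guest is obviously virtual (hypervisor CPUID bit, vendor strings), the sample may simply never generate the traffic you are waiting for.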
