Joe Sandbox enables analysts to execute and analyze malware on Bare Metal machines. What is Bare Metal and why does it matter? No, it is not the cool Bare Metal hot rod above, but it has a similar performance!
Dynamic malware analysis systems (so-called sandboxes) execute malware samples on a segregated machine and capture their runtime behavior. Sandbox vendors use different types of analysis machines:
Virtual Machines
Virtual Machines (VMs) are the most common. They run inside VirtualBox, VMware, KVM or Xen - the top four virtualization solutions. VMs typically run on hardware with hardware virtualization support, which helps to run multiple operating systems efficiently and securely on the same physical machine. Although a VM can run hardware-virtualized, it is not equivalent to Bare Metal.
Qemu (Full System Emulation)
Qemu is a machine emulator: the hardware is fully implemented in software, including the CPU, disk, video card, etc.
Bare Metal
Bare Metal refers to using a physical device for analysis, e.g. a laptop or PC bought directly from the local hardware store.
Bare Metal is King
So does it matter whether malware is executed on a VM, Qemu or Bare Metal? It does, a lot! The "normal" execution environment of malware is always Bare Metal: your employee laptop does not run in a VM or Qemu. Malware exploits that fact by checking whether it is running on Bare Metal. If it is not, it simply does not show any malicious behavior. As a result, the sandbox will not detect any malicious activity and will wrongly classify the file as clean:
To prove that, let us run the tool HWInfo (which displays the hardware configuration of the machine) on a KVM VM and on a Bare Metal machine:
KVM
Full HWInfo report on KVM available here.
Bare Metal
We have summarized some of the outliers below:
As you can see, there are many differences. The table lists only some of the outliers among hardware devices. However, malware could also check and compare the performance of the machines, e.g. the GPU.
KVM
Bare Metal
Again, there are big differences, and making the KVM VM look identical to Bare Metal is practically infeasible.
Joe Sandbox: no restrictions on Bare Metal analysis
Joe Sandbox does not restrict you to analyzing malware on any particular virtualization solution or device. You are free to choose the machine on which you analyze:
- Modern Bare Metal Laptop
- Modern Bare Metal PC
- Mac Mini
- Mac Book Pro
- Bare Metal Android Phone (e.g. Motorola 6G)
- iPhone
If you use Bare Metal machines, you leave malware no chance for any detection. Detections for KVM, VirtualBox, VMware, Xen and Qemu will fail since the malware is executed on a real device. So if you already have a sandbox or are looking to get one, ask yourself: is Bare Metal analysis supported? Is the sandbox based on KVM, VirtualBox, Qemu or Xen?
Golden Image - Golden Hardware
With Joe Sandbox you are not only free to choose the target analysis machine but also the operating system, its configuration and the installed applications. Again, there is no restriction: you can install any software.
With Joe Sandbox you get the ability to analyze malware on a Golden Image on Golden Hardware!
Interested in Joe Sandbox? Register for free at Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!