Detecting Novel Sandbox/VM Evasion Techniques
Description: Showcasing Novel Sandbox/VM Evasion Technique With Firefox & Detection Using Inotify
Novel Sandbox/VM Evasion
This sandbox/VM evasion technique is based on the observation that on a machine a real Linux user actually works on, certain Firefox artifacts are unlikely to be empty. For example, the user will probably have installed a few browser extensions and will have typed and searched things through the Firefox search bar, both of which leave traces in the profile directory. Essentially, the check looks for evidence of human-like behaviour, similar to how this Checkpoint evasion technique checks that the Google Chrome browser history contains at least 10 URLs (linked here).
Running the tool is simple, just run python3 main.py:
It will find the profile directory located within ~/.mozilla and parse the addons.json and formhistory.sqlite files in order to glean any useful information.
The script can be accessed here.
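The following is an added example in the spirit of the check described above; it is not the original main.py. It locates Firefox profiles under a base directory (~/.mozilla/firefox by default), counts installed extensions in addons.json and rows in the moz_formhistory table of formhistory.sqlite, and decides whether the host looks like it has been used by a person. Assumptions not taken from the post: the addons.json layout ({"schema": N, "addons": [{"id", "name", "type", ...}]}), the moz_formhistory table having a fieldname column with "searchbar-history" marking search-bar entries, and the thresholds, which are arbitrary demo values. The demo() helper builds a constructed "used" and "empty" profile tree in a temporary directory so the code runs offline without touching a real profile.

```python
#!/usr/bin/env python3
"""Firefox profile "human-use" check (added example, not the original script).

Assumed layouts (not from the post): addons.json is
{"schema": N, "addons": [{"id": ..., "name": ..., "type": ..., ...}]} and
formhistory.sqlite has a moz_formhistory table with fieldname/value columns,
where fieldname "searchbar-history" denotes search-bar entries.
"""
import json
import sqlite3
import sys
import tempfile
from pathlib import Path

FIREFOX_DIR = Path.home() / ".mozilla" / "firefox"
SEARCHBAR_FIELD = "searchbar-history"  # assumed fieldname for search-bar history


def find_profiles(base=FIREFOX_DIR):
    """Profile directories under base that contain either artifact (sorted)."""
    base = Path(base)
    if not base.is_dir():
        return []
    return sorted(p for p in base.iterdir() if p.is_dir() and (
        (p / "addons.json").is_file() or (p / "formhistory.sqlite").is_file()))


def count_extensions(profile):
    """Installed extensions recorded in addons.json; 0 if absent or unreadable."""
    try:
        data = json.loads((Path(profile) / "addons.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return 0
    # Themes and dictionaries also appear in this file; only count real extensions.
    return sum(1 for a in data.get("addons", []) if a.get("type") == "extension")


def count_form_history(profile):
    """(total rows, search-bar rows) in moz_formhistory; (0, 0) if absent/unreadable."""
    path = Path(profile) / "formhistory.sqlite"
    if not path.is_file():
        return (0, 0)
    # Read-only + immutable: never creates the file, never takes a lock, and
    # tolerates a database that a running Firefox currently holds open.
    try:
        con = sqlite3.connect(f"file:{path.as_posix()}?mode=ro&immutable=1", uri=True)
        try:
            total = con.execute("SELECT COUNT(*) FROM moz_formhistory").fetchone()[0]
            searches = con.execute("SELECT COUNT(*) FROM moz_formhistory WHERE fieldname = ?",
                                   (SEARCHBAR_FIELD,)).fetchone()[0]
        finally:
            con.close()
    except sqlite3.Error:
        return (0, 0)
    return (total, searches)


def assess(base=FIREFOX_DIR, min_extensions=1, min_form_rows=5):
    """Per-profile stats plus an overall verdict. No profile at all counts as not human."""
    report = []
    for p in find_profiles(base):
        total, searches = count_form_history(p)
        stats = {"profile": p.name, "extensions": count_extensions(p),
                 "form_rows": total, "searchbar_rows": searches}
        stats["human"] = stats["extensions"] >= min_extensions and total >= min_form_rows
        report.append(stats)
    return {"profiles": report, "human": any(s["human"] for s in report)}


def build_demo_profile(root, extensions, form_rows, searchbar_rows):
    """Constructed test profile (fake data, not real Firefox output)."""
    prof = Path(root) / "abcd1234.default-release"
    prof.mkdir(parents=True, exist_ok=True)
    addons = [{"id": f"ext{i}@example.com", "name": f"Ext {i}", "type": "extension"}
              for i in range(extensions)]
    addons.append({"id": "default-theme@mozilla.org", "name": "Default", "type": "theme"})
    (prof / "addons.json").write_text(json.dumps({"schema": 6, "addons": addons}))
    con = sqlite3.connect(prof / "formhistory.sqlite")
    con.execute("CREATE TABLE moz_formhistory (id INTEGER PRIMARY KEY, fieldname TEXT,"
                " value TEXT, timesUsed INTEGER)")
    rows = [(SEARCHBAR_FIELD, f"search {i}", 1) for i in range(searchbar_rows)]
    rows += [("email", f"user{i}@example.com", 1) for i in range(form_rows - searchbar_rows)]
    con.executemany("INSERT INTO moz_formhistory (fieldname, value, timesUsed) VALUES (?, ?, ?)", rows)
    con.commit()
    con.close()
    return prof


def demo():
    """assess() over a constructed 'used' tree and a constructed 'empty' tree."""
    with tempfile.TemporaryDirectory() as tmp:
        used, empty = Path(tmp) / "used", Path(tmp) / "empty"
        build_demo_profile(used, extensions=2, form_rows=6, searchbar_rows=3)
        build_demo_profile(empty, extensions=0, form_rows=0, searchbar_rows=0)
        return assess(used), assess(empty)


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else FIREFOX_DIR
    result = assess(target)
    print(json.dumps(result, indent=2))
    # Exit non-zero when the host does not look used, as an evasive payload would bail out.
    sys.exit(0 if result["human"] else 1)
```

Run it with no arguments to inspect your own profile, or pass a directory to point it at another tree. Opening the database with mode=ro and immutable=1 matters in practice: a plain sqlite3.connect() would create an empty file if the path did not exist and can fail on the lock a running Firefox holds, and both behaviours are noisier than a read.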
Detection Using Inotify
Since the Python script opens ~/.mozilla/firefox/<profile>/addons.json and ~/.mozilla/firefox/<profile>/formhistory.sqlite, we can use Inotify to detect filesystem activity within the ~/.mozilla directory and catch this.
If you aren't familiar with Inotify, you can read another blog post I wrote where I go into a bit more depth about its usage and how it can be abused here.
In order to use Inotify to monitor the Mozilla directory recursively for any filesystem open events, you’d run:
inotifywait -r -m -e open ~/.mozilla
Then after running the Python sandbox/VM evasion script:
As you can see, it catches both addons.json and formhistory.sqlite being opened. Unfortunately, Inotify only reports filesystem events such as a file being opened, closed, or modified; it does not tell you which process performed the access, so on its own it cannot attribute the read to the script. To tie the open back to a PID and command line you would pair it with something that records the accessing process, such as an auditd watch on the profile directory or a fanotify listener.