Joe Security's Blog

LIA - Localized Internet Anonymization

Published on: 11.09.2017

Having Internet access when dynamically analyzing malware is key. Nearly all malware seen today is a first-stage dropper whose main goal is to download second-stage malware. Droppers are often heavily obfuscated and contain evasive behavior designed to detect malware analysis systems.

One such behavior is checking the public IP address of the malware analysis system. A dropper can look up the registration (owner) of the IP, its geolocation (e.g. country), its registration date, etc.:

Infamous AVTracker services: https://web.archive.org/web/20140816001420/http://avtracker.info/
Details for an IP identified by AVTracker

We have seen an increase in the number of samples (targeted and non-targeted) using IP details to detect malware analysis systems. Here is an example which uses Maxmind and an extensive list of known security companies (for full details see our blog post Generic VBA Instrumentation for Microsoft Office Documents):
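From the analyst's side, the same lookups are a useful detection signal. The following script is an added example (not code from the original post or from Joe Sandbox): it parses constructed sandbox network log lines in an assumed "<pid> <process> <method> <host><path>" format and flags every process that contacts a public IP / geolocation detail service. The watch list of service hostnames is constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample sandbox network log (not real capture data).
# Assumed line format: "<pid> <process> <method> <host><path>"
SAMPLE_LOG = """\
1204 winword.exe GET geoip.maxmind.com/geoip/v2.1/country/me
1204 winword.exe GET www.avtracker.info/
3320 chrome.exe GET www.example.com/index.html
1204 winword.exe GET api.ipify.org/?format=json
4412 svchost.exe GET ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
"""

# Constructed watch list: hosts whose purpose is to reveal the caller's public
# IP, its geolocation or its registration details. An analyst would extend
# this from services observed in real samples.
IP_DETAIL_SERVICES = {
    "geoip.maxmind.com",
    "avtracker.info",
    "api.ipify.org",
    "ip-api.com",
}

LOG_LINE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<proc>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>[^/\s]+)(?P<path>\S*)$"
)


def host_matches(host, watch_list):
    """True if host equals a watch-listed name or is a subdomain of one."""
    host = host.lower()
    return any(host == w or host.endswith("." + w) for w in watch_list)


def find_ip_detail_lookups(log_text, watch_list=IP_DETAIL_SERVICES):
    """Return {(pid, process): [hosts...]} for every request to a watch-listed host."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than aborting the scan
        if host_matches(m["host"], watch_list):
            hits[(int(m["pid"]), m["proc"])].append(m["host"])
    return dict(hits)


if __name__ == "__main__":
    for (pid, proc), hosts in find_ip_detail_lookups(SAMPLE_LOG).items():
        print(f"{proc} (pid {pid}) queried IP detail services: {', '.join(hosts)}")
```

A document-handling process such as winword.exe has no legitimate reason to query such services, so repeated hits from one process are a strong sandbox-evasion indicator, while a single hit from a browser may be benign.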

One obvious way to deal with such evasions is TOR: all traffic from the analysis machine is routed through a TOR transparent proxy, which provides a high level of anonymity, but the following three issues still need to be solved:

  • Detection: TOR can be detected, e.g. via an exit node blacklist.
  • Randomness: TOR exit nodes are selected randomly. There is no way to select only exit nodes in the USA, Japan or Denmark.
  • Stability & performance: TOR is sometimes slow and unstable.

To solve these problems, we have created a new feature called "Localized Internet Anonymization". LIA has the following features:

  • Hard to detect
  • Exit nodes can be selected by Country
  • Good stability & high performance

LIA has been integrated into Joe Sandbox Cloud:

Joe Sandbox Cloud customers can choose from various countries:

With LIA, cyber security analysts are able to:

  • Analyze targeted malware that uses advanced IP / geolocation checks and evasions
  • Choose from various countries
  • Benefit from a stable & anonymized Internet connection

