
I don't think that's a thing. And certainly not a common enough thing to use as a sandbox evasion technique. The sandbox is either connected to the internet or to a proxy that replays past connections.



Seems like a reasonable thing to do on a sandbox specifically set up for the purpose of analyzing malware. It's not helpful to just block all connections, because you want to see what it's trying to connect to and what it's trying to send there. You don't know what it's going to try to connect to, so you can't redirect only specific things. Letting it connect to the actual internet is obviously just crazy. Redirecting everything to an internal honeypot sounds pretty reasonable.


Maybe I'm wrong, but I would guess that sandbox evasion techniques aren't intended to stop one-off reverse engineering, but rather to get around the bulk programmatic analysis that Google or FireEye does. Those require an internet connection or a replaying proxy because a lot of modern malware comes as a minimal package that downloads its payload from the web.


I would hope sandbox environments aren't connected to the internet, spreading malware to others while you're doing your research.

A responsible researcher would have a fully isolated environment, both from the corp net and the internet. Then they will slowly begin to allow connections out as they can confirm that's not how it's spreading...


Many sandbox environments resolve whatever they're queried for with the same IP address. This is addressed in the article.
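The comment above describes sandboxes that answer every query with the same sinkhole address, which is exactly what a sample can probe for. One defensive response is to stop worrying about hiding the sinkhole and instead flag the probe itself in the sandbox's own DNS log: a process that fires off several distinct random-looking names within a second or two of starting is testing the resolver, not talking to infrastructure. The script below is an added example and not code from the thread; the log format, the sinkhole address 10.0.0.5, the process IDs and the entropy and window thresholds are all constructed for illustration.

```python
"""Flag DNS resolution probing in a sandbox's query log (added example)."""
from collections import defaultdict
import math

# Constructed sample log: "<seconds since run start> <pid> <qname> <rcode> <answer>".
# Every name receives the same answer because this hypothetical sandbox resolves
# everything to one internal sinkhole address, as the comment above describes.
SAMPLE_LOG = """\
0.10 1304 wpad.corp.local NOERROR 10.0.0.5
0.20 1304 time.windows.com NOERROR 10.0.0.5
1.05 2210 qvx9k2ldpw.com NOERROR 10.0.0.5
1.06 2210 hj3m8zqtrn.net NOERROR 10.0.0.5
1.07 2210 x7a2bqrstu.org NOERROR 10.0.0.5
1.30 2210 settings.example.com NOERROR 10.0.0.5
44.0 1304 update.example.com NOERROR 10.0.0.5
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of a label; random labels score close to log2(len)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(qname: str, min_len: int = 8, min_entropy: float = 3.0) -> bool:
    """Judge the registrable label (the one just left of the TLD).

    Thresholds are assumptions chosen for this sample; tune them against real logs.
    """
    labels = qname.rstrip(".").split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def parse_log(text: str):
    """Parse the constructed log format into (ts, pid, qname, rcode, answer) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, qname, rcode, answer = line.split()
        records.append((float(ts), int(pid), qname.lower(), rcode, answer))
    return records


def find_probing(text: str, window: float = 2.0, min_names: int = 3) -> dict:
    """Return {pid: [names]} for processes that query at least `min_names`
    distinct random-looking domains within `window` seconds of each other."""
    by_pid = defaultdict(list)
    for ts, pid, qname, _rcode, _answer in parse_log(text):
        if looks_random(qname):
            by_pid[pid].append((ts, qname))

    flagged = {}
    for pid, events in by_pid.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            names = sorted({q for _, q in events[start:end + 1]})
            if len(names) >= min_names:
                flagged[pid] = names
                break
    return flagged


if __name__ == "__main__":
    for pid, names in find_probing(SAMPLE_LOG).items():
        print(f"pid {pid}: probable DNS resolution probe -> {', '.join(names)}")
```

Run as-is, it reports pid 2210 and its three random labels while leaving the benign lookups from pid 1304 alone. The entropy test is deliberately crude; in a real pipeline you would pair it with a never-seen-before check against the sandbox's historical queries so that ordinary CDN hostnames with long labels do not trip it.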


How many ISPs spoof failed DNS queries so they can feed you ads? That alone would make this useless as an evasion technique.


It means the malware would not execute for users on those ISPs because they false-positive for being a sandbox; that doesn't make it useless unless every ISP is doing that.


OTOH it means that laptops won't activate until they are on a work network; for an SMB worm that's probably not a bad strategy.


Clearly not that many considering how well it did manage to spread.

