Icesword cuts through Sandboxie like butter

[TNT]

The powerful Icesword anti-rootkit tool has apparently very little problem breaking out of Sandboxie 2.11 (latest release, 19 October 2005).

Executing Icesword in a "sandboxed" environment leads to worrying results.

This is the picture of Icesword being executed with "File - > Run program" in Sandboxie; notice that, though working, it doesn't show in Sandboxie's process list.

http://img306.imageshack.us/img306/7107/immagine1kh.gif


Now let's do the following: from the sandboxed Icesword, let's terminate Sandboxie itself:

http://img52.imageshack.us/img52/6751/immagine26vo.gif


A few error alerts will show up: not too worring, though, as Icesword will happily continue to work. Sandboxie's Control.exe, on the other hand, is terminated with extreme prejudice.

http://img84.imageshack.us/img84/5273/immagine36xf.gif


Now let's save a log of the running processes from Icesword itself. Remember, the program wouldn't be able to access outside its sandbox if it were still under the control of Sandboxie:

http://img173.imageshack.us/img173/5...magine42zk.gif


Here's the "tested.log" file on the desktop. Clearly Icesword was able to reach outside the sandbox:

http://img152.imageshack.us/img152/4...magine55dh.gif


In other words, Sandboxie fails to stop rootkit-like programs from spreading outside the box.

Tested on Windows XP SP2. Note that this test didn't succeed every single time: in one occasion on the same computer, Sandboxie failed to launch Icesword in a sandboxed environment, complaining about failing to install Icesword's kernel module. Note that the Sandboxie kernel module was installed and running in all occasions.

[nicM]

BufferZone is the winner (edit: *against IceSword*) , here ; IceSword can't even run inside the buffer zone!!! , it does stop dead rootkit-like programs, and then looks like a safe place...

(IceSword disapears from BufferZone GUI right when you click on IceSword initialization failure box)

[FastGame]

I ran test but more in line with using Sandboxie through the internet, I got the same results http://sandboxie.com/phpbb/viewtopic.php?t=110

I don't know what extent the results mean, could be virtual results.....if so I want to know how the test log got on my desktop and stayed there after I cleared the sandbox

[MikeNash]

Quote:

Originally Posted by TNT

In other words, Sandboxie fails to stop rootkit-like programs from spreading outside the box.

Tested on Windows XP SP2. Note that this test didn't succeed every single time: in one occasion on the same computer, Sandboxie failed to launch Icesword in a sandboxed environment, complaining about failing to install Icesword's kernel module. Note that the Sandboxie kernel module was installed and running in all occasions.

If you let something get Kernel level access, it can pretty much do anything it likes. It's probably why NicM's test of bufferzone passed - because the error suggests that the driver was not loaded. (With the disclaimer - I've seen neither Sandboxie or Bufferzone - so I could be wrong)


Mike

[Franklin]

[quote=TNT]The powerful Icesword anti-rootkit tool has apparently very little problem breaking out of Sandboxie 2.11 (latest release, 19 October 2005).

Executing Icesword in a "sandboxed" environment leads to worrying results./QUOTE]

Icesword is a powerful program but it isn't malaware or virii.Also you instigated the shutdown of Sandboxie.I can also shutdown ZAP and my resident AV,Attack Shield and Snoopfree with Icesword if I instigate,with no warnings given.

The author has stated that he doesn't know if sandboxie can stop all keyloggers or rootkits as he,being a one man show can only test so much.But Sandboxie will stop most Malaware that Adaware SE,Spybot and the like need signatures to find.

[Ilya Rabinovich]

As I was already mentioned, Sandboxie has very low protection level. You should use another sandbox protection (DefenseWall, BufferZone).

[hollywoodpc]

I am happy to see someone found what I learned a while back . I read all the great things about Sandboxie . For me , it is useless . It is , INDEED , weak . A shame more p[eople do not see this . But , if you feel protected by that , or any other app , feel free . I only use things that offer strong protection . This is why I tested it and moved on very quickly . It may have a place somewhere but , not as a protective device .
By the way . BZ is excellent . Those guys really care about what people think about their software . that is a nice touch .

[tzuk]

Hello, I'm the author of Sandboxie. Thanks for the tip, TNT -- this IceSword is doing interesting things! I will look into it.

Sandboxie failed to launch Icesword in a sandboxed environment, complaining about failing to install Icesword's kernel module.

This is not a failure of Sandboxie, it is a failure of IceSword. It means that Icesword has been successfully sandboxed on this occasion. The issue for the programmer is why Icesword sometimes slips out the box. I expect the author will look at the problem and there will be a fix. Jeez haven't you guys ever heard of a 'work in progress' ?. But congratulations, even as we post dozens of people will be uninstalling Sandboxie and installing BufferZone (which is also beta and has troubles of its own).

[TNT]

Quote:

Originally Posted by Sandboxie User

Sandboxie failed to launch Icesword in a sandboxed environment, complaining about failing to install Icesword's kernel module.

This is not a failure of Sandboxie, it is a failure of IceSword. It means that Icesword has been successfully sandboxed on this occasion.

And I am perfectly aware of that, thanks. In fact, THIS should be the regular behavior, not the one exception that happens once in a while. Even if Icesword happened to fail 100 times and be successful in breaking out one time, it would certainly be a problem in Sandboxie; as it is (it gets executed and successfully breaks out most of the time), it is a BIG problem in Sandboxie.

I am not bashing Sandboxie or anything like that, I am just pointing out what's very clearly a security flaw in it, hoping that it's going to be fixed soon; both for users and for the reputation of this product itself.

[Franklin]

Glad your here Tzuk.Seems your good and free prog is ruffling a few feathers in this forum.
Keep up the good work.No reboots and now some are calling it nagware.For a freebie,it definately out does signature based scanners.

[Franklin]

Quote:

Originally Posted by Ilya Rabinovich

As I was already mentioned, Sandboxie has very low protection level. You should use another sandbox protection (DefenseWall, BufferZone).

Are you the author of another security program where it needs a reboot everytime?
Have you run Icesword through your program and what,if any results.

[Painkiller]

Did somebody checked the Icesword on any other HIDP or Virtualziaztion software ...
I will probably add this test to my Review i do on my blog ... currently i will review AntiHook 2.5 and Also BufferZone Home ... so i wil also check it with Icesword ...

[Franklin]

Quote:

Originally Posted by Painkiller

Did somebody checked the Icesword on any other HIDP or Virtualziaztion software ...
I will probably add this test to my Review i do on my blog ... currently i will review AntiHook 2.5 and Also BufferZone Home ... so i wil also check it with Icesword ...

Thanks,should be interesting.

[nicM]

Quote:

Originally Posted by Sandboxie User

Jeez haven't you guys ever heard of a 'work in progress' ?. But congratulations, even as we post dozens of people will be uninstalling Sandboxie and installing BufferZone (which is also beta and has troubles of its own).

My intention wasn't to bash Sandboxie, of course (sorry if some people did feel it that way), and this issue must just be related with the driver protection level offered by Sandboxie: as said Mike Nash, once an application can reach the kernel level, you can't stop it from doing its tricks. See http://www.wilderssecurity.com/showthread.php?t=104320
, everything is turning round the ability to prevent IceSword's driver install: you block it, IceSword can't run; you don't block it, then IceSword can bypass any protection you could ever use in front of it.

The fact that Sandboxie doesn't prevent it isn't a flaw, just a feature (hopefully all nasties don't have the "power" that IceSword can gain on a system); and tzuk's reply does maybe suggest that something could happen about that


The ONLY conclusion to draw from that, for me, is that IceSword, with its rootkit-like behaviour, is a very useful tool for testing purposes.

[Ilya Rabinovich]

Quote:

Originally Posted by Franklin

Are you the author of another security program where it needs a reboot everytime?
Have you run Icesword through your program and what,if any results.

Icesword couldn't install their driver. And failed.

So if IceSword just needs to load a driver, and SandBoxIE can't stop this, couldn't you just use a program along with SandboxIE that could block the loading of drivers like Prevx free for example? That should stop IceSword from loading then.

Or run as a limited user account?

[tzuk]

Thanks Franklin, it's nice to be appreciated

A little clarification: Sandboxie aims to block kernel-mode code from loading. This can be seen when running some peaceful Sysinternals tools that load drivers, for example. They will not function well within the sandbox. The IceSword must be using another avenue for getting into kernel-mode, but almost certainly that avenue can be blocked just the same.

I thank you all for your interest

"I am not bashing Sandboxie or anything like that, I am just pointing out what's very clearly a security flaw in it, hoping that it's going to be fixed soon; both for users and for the reputation of this product itself."

I picked out a quote from your thread but I didn't mean to suggest you were 'bashing' Sandboxie. I think it was Karl Popper who said "if you criticize an argument you make it stronger". Similarly, by discovering this exploit hopefully you have helped to make Sandboxie stronger. So, thanks.

[nicM]

Quote:

I am not bashing Sandboxie or anything like that, I am just pointing out what's very clearly a security flaw in it, hoping that it's going to be fixed soon; both for users and for the reputation of this product itself.

SandboxieUser, I just precise this quote wasn't for me , as your reply does look like it's dealing with mine (along with TNT's one).

Everyone who has donated time to testing this app deserves thanks from all who use it. For latest developments see http://sandboxie.com/phpbb/viewtopic.php?t=110

[Rivalen]

Runs very smoothly on my PC.

I am not computer-savvy enough to analyze a test with IceSword, but maybe some of you could download DW and take it for a spin around the block with IceSword and see what happens.

Search this forum for DefenseWall and the link in Ilyas first post will lead to the latest version of the program.

As Untrusted I only run Outlook, IE WMP and the default other untrusted apps - many of them I dont know what they are for - but probably Internet communication related. Other security apps are in trusted.

RegTest failed 100% - could not do anything to change anything when run from untrusted/the box - that test I could understand the result - and my DW performed as exspected.

Best Regards

[Rasheed187]

I have a question about this whole issue, I´ve noticed that if I try to run IceSword sandboxed, I will still get notified by ZA Pro that IceSword is trying to load a driver. But ZA will not notify me when other sandboxed apps want to load a driver. So what´s up with this, can´t SBIE prevent IS from loading the driver or what?

And btw, at the moment I´ve denied IS from installing the driver because i´ve read in another thread that this tool caused a lot of trouble for some people. Too bad becuase it looks like a cool tool, and it´s also not flagged as malware by none of the scanners. But can it perhaps cause conflicts with ZA Pro and PG Free?

[khazars]

Has anyone got a working download for this as every time I download this programme I get an error that the file is corrupt!