Malware that possible ?bypassed SBIE

[aigle]

It,s discussed partly here.

http://www.wilderssecurity.com/showp...0&postcount=29
http://www.wilderssecurity.com/showt...=212092&page=5

For obvious resons I am making a new thread. Here are the snapshots provided by Meriadoc. Thanks for his kindness, permission and the sample etc.

Plese note that it,s still not 100% confirmed that the malware has really bypassed SBIE or it was an isolated phenomenon. So don,t crticize if later proven othersise... SBIE lover espoecialy.

255MB video file download: http://rapidshare.de/files/39916359/malware23.avi.html

[aigle]

I tested CFP Defnce plus and GesWall against it. I mainly tested GW and allowed all popups by CFP, a lot of pop ups really.

GW denied any dll/ file creation in System32 folder. All other files were isolated and tagged untrusted by GW. I deleted these files via GW isolated files explorer and run a full scan of C drive by MBAM. No infected file was detected.

Snapshots are self explanatory I think.

Sample aws run sandboxed but it was able to create a dll, jfiehayd.dll in system32 folder, out of sandbox. Some reg entries escaped the sandbox too and desktop was changed but as I said clearly findings are not confirmed by anotehr person though same findings were obtained twice by same person.

[aigle]

Still more!

[aigle]

GesWall, log is here.

[Franklin]

Quote:

Originally Posted by aigle

Plese note that it,s still not 100% confirmed that the malware has really bypassed SBIE or it was an isolated phenomenon. So don,t crticize if later proven othersise... SBIE lover espoecialy.

Not a 100% sure but it was OK to use "bypassed SBIE" in the title thread, eh?

And then you go on about every other app except Sandboxie.

Not nice aigle!

[Someone]

Quote:

Originally Posted by Franklin

Not a 100% sure but it was OK to use "bypassed SBIE" in the title thread, eh?

And then you go on about every other app except Sandboxie.

Not nice aigle!

Hi

Doesn't the thread title say: Malware that possible ?bypassed SBIE. That seems alright to me.

And anyway, you can just read the thread and Aigle clearly says that it is not certain.

[Franklin]

I'm still shirty about it so gimme a sample of this malware. (please)
install3051.exe

[Bubba]

Undoubtedly a reminder needs to be given periodically for even long time members that Wilders does not allow the trading of malware or the posting of malware links. Discussion is cool folks but let's do keep it within our Terms of Service

[bellgamin]

The topic of this thread does not seem to fit the content of this thread. (If it doesn't fit, you must acquit.)

Maybe I am dense, but I could NOT find the SBIE connection. All I found was tests of various security apps.

Although I appreciate aigle doing these tests, I feel that the topic of this thread SEEMS inapplicable and unnecessarily negative. It is dangerously close to a false alarm (a la chicken little).

[Kees1958]

Agree with Franklin & Bellgamin that the title is arbitrary, interesting read though

[jmonge]

that thing is that wasnt clear enough but you know something that makes me
wake up an smell the coffee and think that nothing is perfect so what i mean bypassed or not we need a second layer at least.whay i said this cause
heard people at sandboxie forum that sandboxie is all they need or run.

[HURST]

@Bellgamin and Kees

The connection with SBIE is that apparently this malware was able to escape sandboxie. But it hasn't been tested again.
Other security software results are shown.
~removed off topic comment....Bubba~ , hopefully I'll be able to test it tonight.

[Bubba]

Not only is comments concerning malware trading via PM off topic to any discussion here at Wilders, the actual act of malware trading or the posting of malware links is against our policy. Let's take the malware trading comments and the actual act to another site Please.

[aigle]

@bellgamin
@Kees

Title of the thread is OK. You need to look at screenshots carefuly in my first post. I did not make this thread for a stunt. I only had no time to write a detailed description. I will try to write it in first post. Or may be somebody will post his findings.

BTW Hurst got this point.

[bellgamin]

Quote:

Originally Posted by aigle

@bellgamin
@Kees

Title of the thread is OK. You need to look at screenshots carefuly in my first post. I did not make this thread for a stunt. I only had no time to write a detailed description. I will try to write it in first post. Or may be somebody will post his findings.

I believe you aigle BUT...

I looked again at the screenshots in post#1 but saw no connection to SBIE. Saw no evidence that malware evaded SBIE.What am I looking for? What am I missing?

[trjam]

yeah, title may be a tad bit confusing, but the facts of Geswall are right on. Sorry folks, but this is one software that wont die away. It can do it all and continues to prove it time and time again. I can use whatever I want, I have bought quite a few, but the bottom line is, the lack of intrusion of my daily web habits along with its great ability to nab malware, make it number 1 in my book. And the paid version is worth every penny, and in the future there,,,,,,,,,ooops, cant go there.

[HURST]

OK
test is done!
I'm glad to say that SBIE has contained it.

LOTS of processes launched inside the sandbox, and lots of activity.
Some error popups (not from sandboxie).

Deleted sandbox, and MBAM scan came out clean.

I will post the screenshots later tonight.

[aigle]

Strangely I am not able to edit my post no.1.

Sample was run sandboxed but it was able to create a dll, jfiehayd.dll in system32 folder, out of sandbox. See first screenshot. Some reg entries escaped the sandbox too and desktop was changed but as I said clearly findings are not confirmed by anotehr person though same findings were obtained twice by same person.

[aigle]

Quote:

Originally Posted by HURST

OK
test is done!
I'm glad to say that SBIE has contained it.

LOTS of processes launched inside the sandbox, and lots of activity.
Some error popups (not from sandboxie).

Deleted files, and MBAM scan came out clean.

I will post the screenshots later tonight.

Thanks for testing. That,s good news. So there is something weired on first test system as it was tested twice with same results.

OK, I will test it also myself later. BTW malware does not seem to have any special ability to bypass a sandbox.

[HURST]

No sign of jfiehayd.dll on system32.
Desktop hasn't changed.

[aigle]

Did u check for jfiehayd.dll inside sandbox before emptying it?

[HURST]

No.
But I'll retest to provide screenshots and will check for that file then.

[HURST]

The only dll inside system32 in the sandbox is qoMEuSJY.dll

[aigle]

Surprisingly also I don,t find any jfiehayd.dll. I will try to run it out of sandbox n see what happens.

[ErikAlbert]

Quote:

Originally Posted by aigle

Surprisingly also I don,t find any jfiehayd.dll. I will try to run it out of sandbox n see what happens.

Maybe the malware renames its components automatically.