How can malware break out of a sandbox?

I have been thinking of ways that malware can break out of a sandbox. One way I have thought of is buffer overflow. Malware could use buffer overflow to inject shellcode into the sandboxing program, thereby causing the sandboxing program to make permanent changes to the real system. Malware could also use buffer overflow to inject shellcode into the kernel, thereby giving it higher privileges.

Can anyone else think of other ways malware can break out of a sandbox? Thanks in advance for helping me and others understand how malware can break out of a sandbox.

 

I know one way malware can cause permanent damage with Sandboxie. Like I posted in another thread about the zabypass.exe.

as discussed in the other thread Sandboxie isn't designed to prevent running programs inside the sandbox from interacting and communicating with programs outside of the sandbox. As a result all the malware needs to do is give instructions to a program outside of the sandbox like a web browser and tell it to connect to a hackers server, then more malware would get downloaded to the users computer "OUTSIDE" of the Sandbox.

 

SteveTX says he has created malware that can break out of sandbox using activeX. Unfortunately he is not willing to share publically.

It is an exciting time for malware, not an exciting time for anti-malware.

 

Just how is this malware getting into the sandbox to begin with? Who or what is executing it? If it can't run, it can't do damage so other security software is recommended. I personally like having an AV and HIPS around in case I screw up.

As far as buffer overflows, wouldn't DEP protect against this.

I'm not sure why your worrying so much about this. Keep your programs updated, configure Sandoxie properly, add another security program you like and relax. If you want another layer enable the protection of a light virtualization app like Returnil. If you get bit, big deal. Just restore an image of your system and data. All this can be adjusted to meet your personal habits and your level of comfort for that "warm and fuzzy feeling".

 

I think a lot of people especially on these forums would have activeX on their browsers disabled, I know I do.