Wilders Security Forums  

  #1  
August 26th, 2009, 07:27 PM
ssj100
Posts: n/a
Take care when running some file types with "double click"

Okay, since there has been all sorts of discussion about non-executable file types causing infection, I've since got into the habit of running every new file I recover out of my sandboxed applications sandboxed (untrusted). This includes seemingly harmless .txt files, .jpg files etc etc.

I've now tested this technique with Sandboxie, DefenseWall, and GeSWall.

Interestingly, all 3 programs have problems when it comes to opening certain file types.

Let me illustrate with an example:
1. I open my Firefox browser sandboxed (Sandboxie) or untrusted (DefenseWall) or isolated (GeSWall)
2. I download a .jpg file and recover it onto my real system
3. I open the .jpg file (with double click)
4. If Windows Picture and Fax Viewer is my default picture viewer, it will open un-sandboxed or trusted or un-isolated, leaving me vulnerable to attacks.
5. In other words, don't open newly introduced files with "double-click". Use the right-click option and run it sandboxed or untrusted or isolated.

Another example:
1. I open my Firefox browser sandboxed (Sandboxie) or untrusted (DefenseWall) or isolated (GeSWall)
2. I download a .avi file and recover it onto my real system
3. I open the .avi file (with double click)
4. If Windows Media Player is my default video player, it will open un-sandboxed or trusted or un-isolated, leaving me vulnerable to attacks.
5. In other words, don't open newly introduced files with "double-click" etc etc.

I'm sure there are many other examples, and all seem to relate to the built-in Windows programs like Windows Picture and Fax Viewer, and Windows Media Player.

I hope people can follow this. Please feel free to comment on this.

I solve the above problems by either using the right-click option as stated above, or simply running a sandboxed Windows Explorer to open any newly introduced files. Another way to solve these issues is to find 3rd party replacements to run as default, instead of the Windows programs. For example, use another picture viewer to open .jpg files by default. Or use another video player to open .avi files by default. This way, all 3 programs should be able to catch the 3rd party application process and run it sandboxed/untrusted/isolated.

EDIT:
Another way to solve the second example above is to specifically configure Sandboxie/DefenseWall/GeSWall to run your default video player sandboxed or untrusted (DefenseWall runs wmplayer.exe as untrusted by default) or isolated.

Last edited by ssj100 : August 26th, 2009 at 07:58 PM.
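The post above turns on one question: which program does Windows actually launch when a given file type is double-clicked, and is it one of the built-in handlers (Windows Picture and Fax Viewer, Windows Media Player) that the sandboxing products may not intercept? The following PowerShell script is an added example, not code from the thread or from Sandboxie, DefenseWall or GeSWall. It reads the per-user and machine-wide file associations from the registry and flags commands that run through handlers named in the thread (wmplayer.exe, rundll32.exe, dllhost.exe) or through shimgvw.dll, the Picture and Fax Viewer component that rundll32 loads. The extension list and the handler list are assumptions you can edit; the script only reads the registry and changes nothing.

```powershell
# Added example (not from the thread or from Sandboxie/DefenseWall/GeSWall):
# report which command Windows runs when a file of each extension is
# double-clicked, and flag the built-in handlers the thread says open
# outside the sandbox. Read-only: it only queries the registry.

# Extensions to check (assumed list; extend as needed).
$Extensions = @('.jpg', '.avi', '.txt', '.pdf')

# Handlers named in the thread (wmplayer.exe, rundll32.exe, dllhost.exe) plus
# shimgvw.dll, the Windows Picture and Fax Viewer component loaded by rundll32.
$BuiltInHandlers = @('wmplayer.exe', 'rundll32.exe', 'dllhost.exe', 'shimgvw.dll')

function Get-DoubleClickHandler {
    param([Parameter(Mandatory = $true)][string]$Extension)

    # A per-user "Open with" choice overrides the machine-wide HKCR association.
    $userChoiceKey = "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Extension\UserChoice"
    $progId = (Get-ItemProperty -Path $userChoiceKey -ErrorAction SilentlyContinue).ProgId
    if (-not $progId) {
        $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$Extension" -ErrorAction SilentlyContinue).'(default)'
    }

    $command = $null
    if ($progId) {
        # A double-click runs the "open" verb unless the ProgId's shell key names
        # a different default verb; that less common case is not handled here.
        $commandKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
        $command = (Get-ItemProperty -Path $commandKey -ErrorAction SilentlyContinue).'(default)'
        if ($command) {
            # Expand %SystemRoot% and friends so the string compares cleanly.
            $command = [Environment]::ExpandEnvironmentVariables($command)
        }
    }

    $isBuiltIn = $false
    if ($command) {
        foreach ($handler in $BuiltInHandlers) {
            if ($command.ToLowerInvariant().Contains($handler)) { $isBuiltIn = $true }
        }
    }

    [pscustomobject]@{
        Extension = $Extension
        ProgId    = $progId
        Command   = $command
        BuiltIn   = $isBuiltIn   # $true: expect it to open outside the sandbox on double-click
    }
}

$Extensions | ForEach-Object { Get-DoubleClickHandler -Extension $_ } | Format-Table -AutoSize
```

Run it in an ordinary (non-elevated) PowerShell session. Rows with BuiltIn set to True are the associations where the thread's advice applies: open the file via right-click and run it sandboxed, change the default program to a third-party viewer or player, or configure the sandbox product to force that process into the sandbox. A missing Command column means no "open" verb is registered for that ProgId, in which case Explorer will prompt for a program.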
  #2  
August 26th, 2009, 08:44 PM
firzen771
Massive Poster
Join Date: Oct 2007
Location: Ontario, Canada
Posts: 4,802
Re: Take care when running some file types with "double click"

Hmm, looks like I'll be sandboxing my media player and Windows picture viewer.
__________________
Windows 7 x64 - Windows Defender: Disabled - UAC: Disabled

Real-Time: Avast Free / Zemana Free / WinPatrol
On-Demand: HitmanPro / MBAM
  #4  
August 26th, 2009, 08:54 PM
firzen771
Massive Poster
Join Date: Oct 2007
Location: Ontario, Canada
Posts: 4,802
Re: Take care when running some file types with "double click"

Quote:
Originally Posted by ssj100
You can't force sandbox Windows picture viewer mate. That's why in my edit above, I only mentioned the second example.

WHAT, that's pretty ~Snip~. Hope this functionality is added in a future release, and I'm wondering why this wasn't available from the start...
__________________
Windows 7 x64 - Windows Defender: Disabled - UAC: Disabled

Real-Time: Avast Free / Zemana Free / WinPatrol
On-Demand: HitmanPro / MBAM

Last edited by Bubba : August 26th, 2009 at 09:08 PM. Reason: Language
  #6  
August 26th, 2009, 09:08 PM
PrevxHelp
Prevx Moderator
Join Date: Sep 2008
Location: USA/UK
Posts: 7,584
Re: Take care when running some file types with "double click"

You're definitely correct with needing to sandbox the opening of downloaded files. As for the picture viewer, you may want to see if it is possible to sandbox dllhost.exe or rundll32.exe (depending on your OS).

You'll also want to consider sandboxing Adobe Reader/Foxit Reader, Microsoft Office applications, audio/video players, and really any other program which handles complex file types - they almost all have vulnerabilities.
  #7  
August 26th, 2009, 09:12 PM
firzen771
Massive Poster
Join Date: Oct 2007
Location: Ontario, Canada
Posts: 4,802
Re: Take care when running some file types with "double click"

Quote:
Originally Posted by ssj100
I think it's not possible to do it mate. You'd have to like force run explorer.exe to force run Windows Picture and Fax Viewer sandboxed.

It's not just a problem with Sandboxie mate - it affects DefenseWall and GeSWall too - I tested it myself.

Anyway, what's so hard about right clicking any new files and running it sandboxed? Or right clicking Sandboxie icon and running a sandboxed windows explorer?

It's not hard, it's just that with such a common file I would probably forget before opening it, out of pure habit.

Quote:
Originally Posted by PrevxHelp
You're definitely correct with needing to sandbox the opening of downloaded files. As for the picture viewer, you may want to see if it is possible to sandbox dllhost.exe or rundll32.exe (depending on your OS).

You'll also want to consider sandboxing Adobe Reader/Foxit Reader, Microsoft Office applications, audio/video players, and really any other program which handles complex file types - they almost all have vulnerabilities

I never feel comfortable sandboxing critical system files, but I'll go with your advice on the apps. I've already got Adobe Reader sandboxed but not MS Office or my video players, although I'm not going to sandbox my iTunes since it's going to become a HUGE pain in the ass if I do...
__________________
Windows 7 x64 - Windows Defender: Disabled - UAC: Disabled

Real-Time: Avast Free / Zemana Free / WinPatrol
On-Demand: HitmanPro / MBAM
  #10  
August 26th, 2009, 10:05 PM
Einsturzende
Frequent Poster
Join Date: Apr 2008
Location: neubauten
Posts: 390
Re: Take care when running some file types with "double click"

And why not run *.jpg, *.avi etc. directly from the browser ... just pick "open" on the file download window in IE, or "open with..." from the download window in FF... every player or viewer which is run directly from the browser will inherit the sandboxed environment from the browser, or from any other sandboxed application which started it ...
Things which are unsafe in the unsandboxed world are in fact safe and recommended in sandboxed environments...
__________________
My defense on WIN 7 64 bits:
F-Secure Client Security 9.01, Sandboxie 3.46, AI RoboForm Pro v.6.10.0
Sorry for bad English
Thanks
  #11  
August 26th, 2009, 10:09 PM
PrevxHelp
Prevx Moderator
Join Date: Sep 2008
Location: USA/UK
Posts: 7,584
Re: Take care when running some file types with "double click"

Quote:
Originally Posted by ssj100
I'm just covering the 0.000001% chance that malware could infect you from running a non-executable file. If you think the risk of that is too low to even consider protecting against, then I wouldn't blame you haha.

The risk is far, far higher than "0.000001%" but if you keep updated with the newest patches and keep an ear open to new reports, that can greatly lessen the risk.

One note to keep in mind is that these exploits generally download and execute other executable infections which are easier to then sandbox/intercept but you'll need to see how your sandbox behaves with it.

Quote:
Originally Posted by ssj100
Hi mate, yes I've tried force running rundll32.exe sandboxed but it doesn't do anything. It's far more complex than that I think. I think it's because Windows Picture and Fax Viewer is quite integrated into the Windows OS?

Indeed the picture/fax viewer is tightly integrated within Windows Explorer so it isn't as easy to isolate for a direct sandboxing but a better approach would be to disable/unregister previews of image files and other file types and then just open files when wanted in their respective programs within the sandbox.
  #12  
August 26th, 2009, 10:18 PM
wat0114
Posts: n/a
Re: Take care when running some file types with "double click"

Or why not enlist the security benefits of Virtualbox or similar virtual machine to isolate all of your files you worry about?
  #15  
August 26th, 2009, 11:27 PM
Franklin
Very Frequent Poster
Join Date: May 2005
Location: West Aussie
Posts: 2,517
Re: Take care when running some file types with "double click"

Quote:
Originally Posted by ssj100
The point I was trying to make is that non-executable malware files that you download would rarely infect you. I've certainly never come across one myself. Has anyone actually come across a non-executable malware file that got you infected unexpectedly?
You could have a look at the PDF exploit below that, if opened, will or should download its payload, being a "load.exe".

Sometimes only one payload is delivered to that ip so if you try for second payload download it mightn't come through.

Haven't had the payload auto-execute here as yet and don't know if it can.

Payload:
Quote:
Filename: load.exe
Scan finished. 2 out of 21 scanners reported malware.
Scan taken on: Thu 27 Aug 2009 05:17:44
hxxp://wepawet.cs.ucsb.edu/view.php?hash=68aa4bf2cd610bbaba51ceb5121e8b47&type=js
  #16  
August 26th, 2009, 11:27 PM
kasperking
Frequent Poster
Join Date: Nov 2008
Posts: 406
Re: Take care when running some file types with "double click"

Huh... this is taking paranoia to its heights. Ssj, you are missing the simple pleasure, tinged with an element of risk, of the virtual world. Click the mouse... turn the PC off and get the 100% security you so desire.
  #19  
August 27th, 2009, 12:10 AM
wat0114
Posts: n/a
Re: Take care when running some file types with "double click"

Franklin, I tried the url on my Vbox setup but nothing happened download-wise. But on the web page there were two urls at the bottom of page. Trying both of them instantly gave me the option to download them. They will download but not launch, so they seem harmless at least in terms of launching unexpectedly. Of course anyone with common sense would not proceed to download/launch them. I don't use Adobe; rather I use Foxit Reader instead, so I don't know if this helps mitigate the exploit?
  #20  
August 27th, 2009, 12:22 AM
Franklin
Very Frequent Poster
Join Date: May 2005
Location: West Aussie
Posts: 2,517
Re: Take care when running some file types with "double click"

Wepawet is a site you can upload PDF exploits to for a detailed report.

You have to go to the original site that downloads the actual pdf exploit.

I also tried to run the load.exe which according to Avira is fake av scan but seems to be sandbox/vm aware and won't fully deploy here in either.
  #21  
August 27th, 2009, 12:33 AM
wat0114
Posts: n/a
Re: Take care when running some file types with "double click"

Quote:
Originally Posted by Franklin
Wepawet is a site you can upload PDF exploits to for a detailed report.

Okay, I knew there seemed something harmless about it but couldn't put my finger on it

Quote:
You have to go to the original site that downloads the actual pdf exploit.

I also tried to run the load.exe which according to Avira is fake av scan but seems to be sandbox/vm aware and won't fully deploy here in either.

Those two URLs at the bottom of the Wepawet site certainly seemed to work, or are they not the correct sites? I also tried to launch one of them within Sandboxie within VBox, and Sandboxie blocked its Internet access attempt. Load.exe was running in Process Explorer, though, but I did not note anything odd occurring in the sandbox, so maybe, as you say, it doesn't like the virtual environment. Interesting stuff all the same.
  #22  
August 27th, 2009, 12:40 AM
Franklin
Very Frequent Poster
Join Date: May 2005
Location: West Aussie
Posts: 2,517
Re: Take care when running some file types with "double click"

Quote:
Originally Posted by wat0114
Those two urls at the bottom of the wepawet site certainly seemed to worked, or are they not the correct sites?
Yes, they are the correct sites for the payload download, but you need the original live PDF exploit site to instigate an auto-download.
  #23  
August 27th, 2009, 12:47 AM
wat0114
Posts: n/a
Re: Take care when running some file types with "double click"

Okay, will try tomorrow evening. Thanks!

I did launch the load.exe within Sandboxie after I removed internet restrictions but blocked Vbox with Outpost and the file was generating SYN flags to a specific ip address, which Outpost blocked, as expected. No ACKs or connection established that I could see using Netstat -an.
  #24  
August 27th, 2009, 02:18 AM
virtumonde
Frequent Poster
Join Date: Jan 2008
Location: Romania
Posts: 486
Re: Take care when running some file types with "double click"

Quote:
Originally Posted by ssj100
Okay, since there has been all sorts of discussion about non-executable file types causing infection, I've since got into the habit of running every new file I recover out of my sandboxed applications sandboxed (untrusted). This includes seemingly harmless .txt files, .jpg files etc etc.

I've now tested this technique with Sandboxie, DefenseWall, and GeSWall.

Interestingly, all 3 programs have problems when it comes to opening certain file types.

Let me illustrate with an example:
1. I open my Firefox browser sandboxed (Sandboxie) or untrusted (DefenseWall) or isolated (GeSWall)
2. I download a .jpg file and recover it on to my real system
3. I open the .jpg file (with double click)
4. If Windows Picture and Fax Viewer is my default picture viewer, it will open un-sandboxed or trusted or un-isolated, leaving me vulnerable to attacks.
5. In other words, don't open newly introduced files with "double-click". Use the right-click option and run it sandboxed or untrusted or isolated.

Another example:
1. I open my Firefox browser sandboxed (Sandboxie) or untrusted (DefenseWall) or isolated (GeSWall)
2. I download a .avi file and recover it on to my real system
3. I open the .avi file (with double click)
4. If Windows Media Player is my default video player, it will open un-sandboxed or trusted or un-isolated, leaving me vulnerable to attacks.
5. In other words, don't open newly introduced files with "double-click" etc etc.

I admit I don't understand. Aren't the .jpg files and .avi files untrusted? Why is it important that the default media player or image viewer also be untrusted?
 

Powered by vBulletin® Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums