Wilders Security Forums  

  #1  
Old September 25th, 2009, 01:03 PM
StevieO's Avatar
StevieO StevieO is offline
Frequent Poster
 
Join Date: Feb 2006
Posts: 1,068
I Say! AntiSandboxie/VM/KS etc Malware

Interesting bit of kit going around that, amongst other things, can supposedly bypass Sandboxie, VirtualPC and Keyscrambler ! I wonder how many people might get blasted with this ? Anyway, it pays to be alert.

Quote -
Quote:
Vaqxination toolkit

If you take a closer look at the malware, one thing sure catches attention. At the end you find the strings VaQxiNe-steam=1firefox=1cookies=1sandboxie=1zonealarm=1
wireshark=1anubis=1virtualpc=1keyscrambler=1startup=1usb=1task=1?. This hints that the Vaqxination toolkit got used. The construction kit has some features interesting for cybercriminals:


Further Features of the toolkit according to the advertisement of the Toolkit programmer:
- Vista UAC Bypass
- Run-as-admin Bypass
- Fully stealth
- Legit Windows Process
- Stronger output encryption
- Only 15 US-$ for the Toolkit.

The features seem to work as described, for example the malware is undetectable by the Anubis sandbox system:

http://techblog.avira.com/en/

-

The above link does NOT get you the toolkit, it ONLY describes it !

Last edited by Bubba : September 25th, 2009 at 02:50 PM. Reason: added proper quoting to properly distinguish members words from article
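Added illustration (not code from Avira or from anyone in this thread): the quoted write-up identifies the kit from the `VaQxiNe-...=1` string at the end of the binary, so a small parser for that blob is a handy triage aid. It turns the key=flag pairs into a per-feature map and splits them into "knows about analysis tools", "knows about security products" and "payload" groups. The configuration string is the one quoted above; the function names, the grouping of keys and the byte-scanning helper are this example's own assumptions.

```python
"""Parse a Vaqxination-style configuration blob and report which analysis
environments and security tools the sample was built to look for.

Added example; not code from Avira or the forum.  The string below is the one
quoted in the thread; the key categories are an assumption of this example.
"""
import re

# Configuration blob exactly as quoted in the thread.  The trailing '?' is
# treated as a junk byte that follows the last key=flag pair.
SAMPLE_CONFIG = ("VaQxiNe-steam=1firefox=1cookies=1sandboxie=1zonealarm=1"
                 "wireshark=1anubis=1virtualpc=1keyscrambler=1startup=1usb=1task=1?")

# Grouping of the keys (assumption of this example, based on the key names).
ANTI_ANALYSIS_KEYS = {"sandboxie", "anubis", "virtualpc", "wireshark"}
SECURITY_TOOL_KEYS = {"zonealarm", "keyscrambler"}
PAYLOAD_KEYS = {"steam", "firefox", "cookies", "startup", "usb", "task"}

PREFIX = "VaQxiNe-"
PAIR_RE = re.compile(r"([a-z]+)=([01])")
BLOB_RE = re.compile(rb"VaQxiNe-(?:[a-z]+=[01])+")


def parse_config(blob: str) -> dict:
    """Return {key: enabled?} for every key=flag pair after the prefix."""
    if not blob.startswith(PREFIX):
        raise ValueError("not a VaQxiNe configuration blob")
    return {key: flag == "1" for key, flag in PAIR_RE.findall(blob[len(PREFIX):])}


def summarize(flags: dict) -> dict:
    """Group the enabled keys so an analyst can see at a glance what the
    sample is configured to detect versus what it is configured to steal."""
    enabled = {key for key, on in flags.items() if on}
    known = ANTI_ANALYSIS_KEYS | SECURITY_TOOL_KEYS | PAYLOAD_KEYS
    return {
        "anti_analysis": sorted(enabled & ANTI_ANALYSIS_KEYS),
        "security_tools": sorted(enabled & SECURITY_TOOL_KEYS),
        "payload": sorted(enabled & PAYLOAD_KEYS),
        "unknown": sorted(enabled - known),
    }


def scan_bytes(data: bytes) -> list:
    """Locate configuration blobs inside raw file contents (e.g. a dropped
    executable) without needing to know where in the file they sit."""
    return [m.group(0).decode("ascii") for m in BLOB_RE.finditer(data)]


if __name__ == "__main__":
    # Constructed sample: a few bytes of junk around the quoted blob.
    fake_file = b"MZ\x90\x00" + SAMPLE_CONFIG.encode("ascii") + b"\x00\x00"
    for blob in scan_bytes(fake_file):
        print(summarize(parse_config(blob)))
```

Running the script on the quoted string lists `anubis`, `sandboxie`, `virtualpc` and `wireshark` under `anti_analysis`, which matches the blog's observation that the sample refuses to run under Anubis: these flags describe what the sample checks for, not what it defeats.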
  #2  
Old September 25th, 2009, 01:53 PM
cheater87's Avatar
cheater87 cheater87 is offline
Massive Poster
 
Join Date: Apr 2005
Location: West Chester Pennsylvania.
Posts: 3,005
Default Re: AntiSandboxie/VM/KS etc Malware

So what about HIPS? Can it get past that?
__________________
I have Windows 7 64 bit Comodo Internet Security 6, K9 Web Protection set to block malicious and phishing sites only, Zemana Free Anti Keylogger, Comodo DNS, Firefox with Noscript, Adblock Plus, WOT set to block, Secunia PSI, and common sense. ^_^
  #3  
Old September 25th, 2009, 02:24 PM
Rmus Rmus is offline
Exploit Analyst
 
Join Date: Mar 2005
Posts: 3,632
Default Re: AntiSandboxie/VM/KS etc Malware

Hi StevieO,

From the article:

Quote:
On a popular Bittorrent site during the last weekend there appeared a package that allegedly contains Avira AntiVir Premium and a so called keygen. A keygen is a tiny piece of software that calculates a license number for a commercial software, for free.

Now upon starting the assumed keygen, instead of providing the user with a serial number, it infects the system. It drops three files on the hard disk:...
Besides getting infected from downloading pirated software and keygens, are there any other exploits in the wild carrying this "kit?"

thanks,

-rich
  #4  
Old September 25th, 2009, 04:12 PM
StevieO's Avatar
StevieO StevieO is offline
Frequent Poster
 
Join Date: Feb 2006
Posts: 1,068
Default Re: AntiSandboxie/VM/KS etc Malware

cheater87

I don't know for sure, but probably not, as I guess you should be alerted to various things that would start happening.

Rmus


Hi,

I wasn't actually thinking of stupid people downloading cracks etc, but rather the people who use the Toolkit to TRY and implant the code to TRY and disable the listed software on others' PCs.

Sure it's probably going to mean someone clicking on something, and/or having Scripting/ActiveX etc enabled, I realise that. I just thought that some folks might be interested to know that such a Toolkit exists, and that Sandboxie etc COULD be disabled.

Probably won't happen to people on here, but as over 3/4 Million people have Keyscrambler installed, who won't all visit places like this, there's a chance it COULD happen to them.

Of course all the usual precautions you often speak about, would need to be bypassed, but unfortunately that's what happens multiple times every day to thousands of people out there in www.land.
  #5  
Old September 25th, 2009, 04:21 PM
Windchild's Avatar
Windchild Windchild is offline
Frequent Poster
 
Join Date: Jun 2009
Posts: 563
Default Re: AntiSandboxie/VM/KS etc Malware

Quote:
Originally Posted by StevieO
Interesting bit of kit going around that, amongst other things, can supposedly bypass Sandboxie, VirtualPC and Keyscrambler ! I wonder how many people might get blasted with this ? Anyway, it pays to be alert.

This one is actually a fairly boring malware, as usual.

http://techblog.avira.com/2009/09/22...ira-keygen/en/

As for bypassing Sandboxie or VirtualPC, I'm afraid it doesn't. All it does is include the usual anti-virtualization routine: this means the malware tries to detect when it's being executed in a virtual machine or a sandbox, and if it detects it is running in such a virtual environment, it does not do anything malicious, which then makes it seem more legit. Then, when the user takes it out of the sandbox and executes it on the real system with admin rights, now it obviously starts doing all kinds o' evil since it no longer has to pretend to be nice. Actually, the blog article has a nice screenshot of what the malware does in a sandbox: it gives an error and dies. Which, by the way, should be an instant giveaway that this is quite likely malware, just in case it wasn't a big enough giveaway that it was claiming to be a keygen...

There are loads of security measures that would stop this. Firstly, of course, common sense: don't run keygens or any other software from untrusted sources. Beyond common sense, limited user accounts with SRP would stop it, any HIPS product that monitors execution of files would notice and warn about the additional malware executables the supposed keygen drops and executes, and so on and so on. Same old, same old. This is basically a social engineering attack: the malware pretends to be something people want (a keygen) and tries to look innocent (by not doing anything evil in a Sandboxie sandbox or Virtual PC virtual machine) so that people would give it admin privileges.

Don't fall for this stuff. This is primitive. But, it's one of the many signs that people shouldn't trust sandboxes and virtual machines to tell whether a file is bad. Sometimes that works. Sometimes that doesn't work, and the result can be nasty.
__________________
Save your tears, for your tears will not save you :: Shameless LUA troll
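Added example, not code from Windchild or from Avira: the point above is that a sample which "gives an error and dies" in a sandbox while carrying sandbox/VM-detection markers should not get a benign verdict from that sandbox run. The triage rule below encodes that: a quiet or early-exiting run combined with anti-analysis markers is flagged as evasive rather than clean. The report structure, the field names, the five-second threshold and the constructed reports are all assumptions of this example.

```python
"""Triage rule: do not trust a 'nothing happened' sandbox result when the
sample is known to look for sandboxes and virtual machines.

Added example; not code from the forum or from Avira.  Report format,
thresholds and sample data are constructed for illustration.
"""
from dataclasses import dataclass, field

# A run that ends with a non-zero exit in under this many seconds is
# treated as "errored out and died" (threshold is an assumption).
EARLY_EXIT_SECONDS = 5.0


@dataclass
class SandboxReport:
    """Minimal summary of one dynamic-analysis run (constructed format)."""
    name: str
    exit_code: int
    runtime_seconds: float
    files_written: list = field(default_factory=list)
    network_hosts: list = field(default_factory=list)
    # Names of analysis tools the sample checks for, from a static scan
    # (for the keygen in the thread: sandboxie, virtualpc, anubis ...).
    anti_analysis_markers: list = field(default_factory=list)


def classify(report: SandboxReport) -> str:
    """Return a verdict string; evasive samples are never reported as clean."""
    quiet = not report.files_written and not report.network_hosts
    died_early = (report.exit_code != 0
                  and report.runtime_seconds < EARLY_EXIT_SECONDS)
    if report.anti_analysis_markers and (died_early or quiet):
        # Exactly the behaviour described above: the sample noticed the
        # sandbox and played dead.  The run tells us nothing about it.
        return "evasive: sandbox verdict unreliable, treat as suspicious"
    if report.files_written or report.network_hosts:
        return "active: review dropped files and contacted hosts"
    if died_early:
        return "crashed: rerun with different settings or inspect manually"
    return "quiet: no evidence either way"


def triage(reports: list) -> dict:
    """Map each report name to its verdict."""
    return {r.name: classify(r) for r in reports}


# Constructed reports (not real sandbox output).
CONSTRUCTED_REPORTS = [
    SandboxReport("fake_keygen.exe", exit_code=1, runtime_seconds=0.8,
                  anti_analysis_markers=["sandboxie", "virtualpc", "anubis"]),
    SandboxReport("dropper.exe", exit_code=0, runtime_seconds=30.0,
                  files_written=["C:\\Windows\\Temp\\example.tmp"],
                  anti_analysis_markers=["sandboxie"]),
    SandboxReport("notepad_like.exe", exit_code=0, runtime_seconds=30.0),
    SandboxReport("buggy.exe", exit_code=3, runtime_seconds=0.2),
]

if __name__ == "__main__":
    for name, verdict in triage(CONSTRUCTED_REPORTS).items():
        print(f"{name}: {verdict}")
```

The keygen-style report gets the evasive verdict even though the run itself showed no malicious activity, which is the whole point: the sandbox's silence is evidence of evasion, not of safety, once the static scan shows the sample was looking for the sandbox.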
  #6  
Old September 25th, 2009, 04:37 PM
dawgg's Avatar
dawgg dawgg is offline
Frequent Poster
 
Join Date: Jun 2006
Posts: 809
Default Re: AntiSandboxie/VM/KS etc Malware

Quote:
Originally Posted by StevieO
Interesting bit of kit going around that, amongst other things, can supposedly bypass Sandboxie, VirtualPC and Keyscrambler ! I wonder how many people might get blasted with this ?
Where does it say it can "supposedly bypass Sandboxie, VirtualPC"? And what does "anti" these things do? Does it bypass it or does it simply break when it detects these programs - like it does in the example with Anubis?


Edit.... yeh Windchild, thought it was like that.
  #7  
Old September 25th, 2009, 04:53 PM
StevieO's Avatar
StevieO StevieO is offline
Frequent Poster
 
Join Date: Feb 2006
Posts: 1,068
Default Re: AntiSandboxie/VM/KS etc Malware

Windchild

Quite right, Sir, it is virtual etc. detection after all; my apologies. I looked at the screenie and saw the anti-sandbox etc. list and made the wrong assumption after seeing these also listed, which it says it can do.

Vista UAC Bypass
- Run-as-admin Bypass

dawgg

We now know due to the above, Thanx
  #8  
Old September 25th, 2009, 05:17 PM
Meriadoc's Avatar
Meriadoc Meriadoc is offline
Very Frequent Poster
 
Join Date: Mar 2006
Location: Cymru
Posts: 2,642
Default Re: AntiSandboxie/VM/KS etc Malware

There are a lot of tools, crypters and toolkits such as this one if you know where to go that advertise FUD (fully undetected,) anti (x) capability, file binding, cloning...
__________________
Who controls the past controls the future
Who controls the present controls the past

vmworld
  #9  
Old September 25th, 2009, 05:45 PM
arran's Avatar
arran arran is offline
Very Frequent Poster
 
Join Date: Feb 2008
Posts: 1,092
Default Re: AntiSandboxie/VM/KS etc Malware

Quote:
Originally Posted by cheater87
So what about HIPS? Can it get past that?

No, of course not. Default deny all other executables from running.

Really the only safe way to obtain keys and cracks for paid software etc.
is if you found a serial number provided in a notepad file where all you need to do is copy and paste the serial number, no risk of infection. 99 percent of keygen and patch software which you need to run and install contains malware.
__________________
Win7 64bit Ultimate
Sandboxie | Applocker | Admuncher | Macrium Reflect | TrueCrypt |
FF Add On's | Greasemonkey | Secure Login | Noscript | Ant Video downloader | Status 4 evar

Last edited by arran : September 25th, 2009 at 05:53 PM.
  #10  
Old September 25th, 2009, 06:08 PM
Meriadoc's Avatar
Meriadoc Meriadoc is offline
Very Frequent Poster
 
Join Date: Mar 2006
Location: Cymru
Posts: 2,642
Default Re: AntiSandboxie/VM/KS etc Malware

More : Popular Malware Kits and Tools

Quote:
There's an ongoing trend among malware authors to either code malware crypters and packers from scratch and sell them at a later stage, or even more interesting, obtain publicly available crypters source code, modify, add extra features and new encryption routines and make them available for sale. The rise of DIY malware crypters enables literally everyone to fully obfuscate an already detected piece of malware, so that if no extra security measures but only virus signatures scanning are in place, an infection takes place... - Dancho Danchev.
__________________
Who controls the past controls the future
Who controls the present controls the past

vmworld
  #11  
Old September 26th, 2009, 12:49 AM
cheater87's Avatar
cheater87 cheater87 is offline
Massive Poster
 
Join Date: Apr 2005
Location: West Chester Pennsylvania.
Posts: 3,005
Default Re: AntiSandboxie/VM/KS etc Malware

In Sandboxie you can not allow anything but the browser to run, or whatever things you have in the white list. I'm sure that can help against this malware.
__________________
I have Windows 7 64 bit Comodo Internet Security 6, K9 Web Protection set to block malicious and phishing sites only, Zemana Free Anti Keylogger, Comodo DNS, Firefox with Noscript, Adblock Plus, WOT set to block, Secunia PSI, and common sense. ^_^
 
