Malware broke through Sandboxie

Hi, all. I had malware break through a sandboxed browser the other day. But what happened was that I got a couple of emails from a relative's email address in two email accounts of mine. And usually, my relatives send me email that consists of jokes and information, etc., and vice versa. Well, these two emails that I received from my one relative had links in them, which I thought were jokes or a funny pictures or whatever, therefore, I clicked on each link.

Now for the first link, IE wouldn't open it's browser for that link. Plus, I first tried clicking on that link at the library and the library's computer wouldn't allow that page to be opened either. Oh, and BTW, for those who like to collect and test malware, here is the URL for the first link with the literal dot being replaced by "(dot)"...if I'm allowed to do that here:

-http://rupa.vndv(dot)com/google.php-

Now for the second link, when I clicked on it at home and at the library, it changed or was redirected to a Viagra/Cialis advertisment site. Now this is the one that I believe had the malware in it, although it could have been both links:

-http://ontheflygsm(dot)com/google.php-

But anyway, even after I deleted the Sandboxie session, my computer started to act funny...and it got to the point where I couldn't launch my anti-malware programs or my IE browser....sandboxed or unsandboxed.

However, I did go into Safemode and tried scanning with the various anti-malware programs that I had, but to no avail. Plus, those programs had not been updated.

But anyway, the only other course that I knew to do was to reformat my hard drive and now everything is back to normal.

But if anyone would like to test those URLs(and replace the "(dot)" with a literal dot), feel free to do so and I would appreciate it if you came back and posted in this thread what you found from those URLs. Thanks.

P.S. And BTW, I think that someone hacked my relative's email account and is sending out malware to their contacts, but I haven't talked to this relative yet to ask them about this.

 

I just did the same thing in a windows VM and nothing escaped sandboxie with deny execute enabled and without it enabled. What settings do you use? I definitely got hit with malware scanning the sanbox with Avast showed that but after closing the browser and deleting the contents all is good. I have scanned with F-secure Live CD as well and No infections

 

Please, don't take me wrong, but the proper way, considering the malware isn't VM-aware, would be to take a snapshot of both file system and registry for later comparison, after the infection takes place. Only that way one could actually see what got through.

Anyway, AVG LinkScanner does prevent the exploits from taking place.

The first link seems to come up clean of exploits, including in Wepawet. LinkScanner displays an error when looking it up. It contains links to other malicious/dubious domains, though.

Anyway, RCGuy what were you sandbox settings, if you don't mind sharing?

 

I don't mean to sound ignorant, but I'm really not familar with the deny execute enabled and without it enabled settings. Could you elaborate a little bit more about that.

 

I believe user x942 meant the setting Start/Run Access, where you can define which process(es) are allowed execution in the sandbox.

 

Once again, you'll have to elaborate a litte bit more about that.

 

You know what. I didn't even know they had that.

 

Malware can escape Sandboxie and infect PC even when user has allowed all apps to start inside Sandboxie? Thought it wasnt possible.

 

Okay, I opened up my Sandboxie Control window, but I really don't see the settings that you guys are talking about.

 

Ha! ...score yet another resounding victory for the firewall I'm so confident in my built-in security that I tested the link in the real system. Not surprisingly, the results are very boring

 

If a user does not enter something into either the internet access or start/run access, then the default is that every process can have access. When you hear that a user has locked down or tightened up Sandboxie, this is one way that I know of... by restricting what processes have this access. Also look at the setting below Internet and Start/Run... that would be Drop Rights. It is advisable to select Drop Rights in your sandbox as well.

 

I'm not really sure I understood what you asked. But, are you asking if it's possible that Sandboxie may be bypassed? Sure. It wouldn't be the first time. Who ever wrote the malicious code didn't even have to purposefully code the malware to bypass Sandboxie. It could just be a bug in Sandboxie that happened to be unintentionally exploited.

Quite some time ago, a user at Sandboxie forum mentioned about an application he/she installed inside Sandboxie. The application was able to create a user account in the real system. If my memory isn't failing me, I believe that's what happened.

That thread went unoticed.

Quite some time after, another user came with PoC that was doing the same thing - creating a user account in the real system.

The PoC was purposefully created to exploit a bug in Sandboxie. But, I have my doubts that the application in question was doing it as well.

So, when talking about possibilities, anything can happen, even unintentionally.

 

I tried again on my testing machine and nothing escaped with sandboxie open or locked down. Same test, Detected by avast! when I did an on demand scan (Avast! also blocks it if it is running in real-time), Deleted with sandboxie container and F-Secure Live CD confirms no infection after that.

Is it distributing different malware per visit maybe?

 

You are correct. I just recently stumbled upon that post about User Accounts. It is fixed now apparently.

 

What does it take to get infected by that site using Win7x64 - running as administrator with UAC turned off?

Even with the firewall disabled, allowing the re-direct to happen, no malware seems to spawn, at least nothing detected by MBAM and no complaints from AppLocker either. I'm running as Standard user because that's what I normally do.

 

Nothing happened to me running on x64 I switched to x86 and I got hit with it. Maybe the exploit can't execute on x64 based systems. Also do you have AppLocker configured to block scripts?

 

Yup, i meant that Thanks for info!

 

Okay thank you, that might be it (x64) then. Applocker is configured to block scripts but no warnings from the Task Scheduler scripts block or executable block event tasks materialized, and of course nothing showing in Event Viewer AppLocker logs either.

 

aw I'm too late

first link is down (google caught it as malicious and then it wouldn't load) and the second link is nothing

 

I would be interested to know if there is an autostart method (registry/start directory or service) that gets this thing running on a reboot.

Next, if you look at the sandbox, does it have running processes (the malware) within it? Or is the malware really running in the real system?

In answer to your question, what m00nbl00d is referring to is that for a given sandbox, you can set a list of applications that are allowed to execute within the sandbox. That is what I and many others do. I have many sandboxes, each one usually dedicated to one program, so that when that program is running within its sandbox, only that program may execute. This stops keyloggers and drive-by downloads among other things.

I would be curious to know if the malware actually escaped the sandbox to the real system, or if, since there were no restrictions on what may run within the sandbox, if it is still living (but running) within the sandbox.

Sul.

 

Nothing happened here on a re-boot even after disabling the firewall to allow the redirect, but then again I'm running x64.

 

User RCGuy did mention this:

It appears it got outside.

 

Sure, but he also went on to say:

...so no telling what really did happen. Maybe it was malware-related, maybe not? Maybe a different malware than the one from that link? It's only speculation based on those statements.

 

Well, what really happened is with the gods now.

But, booting in Safe Mode and performing scans with antimalware apps (outdated) means nothing really. They could actually be fully up-to-date. It still would mean nothing.