Sandboxie/Identity Stealing Question

Discussion in 'sandboxing & virtualization' started by chinook9, Oct 11, 2011.

Thread Status:
Not open for further replies.
  1. chinook9

    chinook9 Registered Member

    Joined:
    Jan 27, 2008
    Posts:
    444
    I believe that browsing in Sandboxie and deleting the browsing sandbox can prevent malware from getting on my computer. I do this.

    Does running a browser in a new Sandbox(ie) DURING a logon to a website protect me from malware designed to steal my login ID and password if that malware is already on my computer (outside the sandbox)? My guess is that it can still steal the information even if I'm in the sandbox. Is that correct?



    Edit: Moderator, just realized this is probably in the wrong place. If so, please move.
     
    Last edited: Oct 11, 2011
  2. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Here is an example.

    I recently built a new machine. I had not yet put my full SBIE settings in place, rather used the default box as I worked on getting my system configured the way I like it.

    I was looking for new drivers/updates for a product I have. I had my hotmail box open, and was looking for an archived account email. The product's forum has been compromised. I could not login. While I had that site open, it was able to (I assume) attach to my hotmail account and send out a spam to all my contacts. (some of you might have received one ;) ).

    Now, I had not typed my hotmail password into this forum login, so the only way it could have accessed my hotmail would have been through a keylogger or to tamper with the hotmail tab that was open. This was using Chrome, so I will have to assume it was a keylogger, but don't know.

    Of course when I noticed this (I was actually online at the time, and noticed it quickly) I shut the browser down, deleted the box, changed my hotmail password and deleted my contacts. To my knowledge only 1 spam went out. But, it is a good example of how using Sandboxie doesn't stop issues such as this at default levels. It only keeps the "bugs" off my real system. But, internet sessions are still open to issues if you don't institute some restrictions within the sandbox.

    That is why I "normally" have a different sandbox for each browser, rather than one for all of them. I can lock one browser down and give another more leeway.

    HTH.

    Sul.
     
  3. tomazyk

    tomazyk Guest

    As I understand, SBIE protects the system from applications under SBIE supervision. I doubt that it protects applications in SBIE from the system and apps that run on the system. If an antivirus has access to apps under SBIE, then other applications that run outside of SBIE probably do too. I think SBIE can't protect apps from malware running on the real system.
     
  4. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,280
    Location:
    UK
    Yes, that is correct. If a keylogger or banking trojan is already on the computer and running outside of the sandbox then Sandboxie cannot protect you from identity/data theft.

    Browser protection utilities such as Trusteer Rapport, Prevx SafeOnline, and Webroot SecureAnywhere's Identity Protection are designed for exactly that purpose. They create a kind of reverse sandbox around the browser session in order to prevent the outside system from seeing inside. Ideally, this kind of utility should also do website verification to ensure the authenticity of any websites visited.

    As this is the opposite of what an application sandbox is designed to do, they can't be used at the same time. Sandboxie is great for general web surfing, where the main objective is to prevent what is running inside the sandbox from being able to impact the system outside the sandbox; but for online banking and shopping, IMO the above mentioned utilities provide better protection.
     
  5. Chuko

    Chuko Registered Member

    Joined:
    Sep 8, 2011
    Posts:
    25
    Not sure if I got this right, but here goes:-

    Extrapolating on tomazyk's and pegr's reasoning, and Sully's "different sandboxes" approach, then it seems to me that, once a system is already infected, a sandboxed application may be running compromised (after all, Sandboxie does not prevent the malware from executing but only sandboxes it). In which case, what's there to prevent its payload execution when that infected application is launched, though within its own sandbox and set of rules/restrictions? Here, again I wonder if Steve Gibson's discussion (http://www.grc.com/sn/sn-174.htm) on the limitations of Sandboxie applies.

    Do not get me wrong. I use Sandboxie free. It's a great program. Hence, I hope to learn from those far more experienced here at Wilders that my reasoning is flawed (thank goodness, then) and if otherwise, what light and effective (here I am in total agreement with Sully) security may be implemented to counter this. Thanks.
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Sandboxie is great (for what the user asked) if certain conditions are met:

    1 - You're absolutely sure your system is clean.
    2 - You use separate sandboxes, but NEVER access confidential/sensitive information when other sandboxes are open.

    As others have stated, if the system is already infected, then Sandboxie won't be of any good to you. If the malware wants to get credentials, then Sandboxie won't be the one that will stop it.

    If you're running two sandboxes at the same time, one for sensitive tasks, and the other one is compromised, then Sandboxie won't be of any good either. On its own, Sandboxie won't prevent processes in one sandbox from reading processes from another sandbox.

    So, whenever you want to access a sensitive service, always do it in a clean sandbox, and make sure this is the only sandbox that is active at that moment. Also, make sure that only the process(es) belonging to the application (web browser) are allowed access to the sandbox, and that only they have Internet access.
     
  7. tomazyk

    tomazyk Guest

    Main purpose of SBIE is to prevent infection. If system is infected, SBIE won't protect anything against those infections. That's why you need layered security setup (AV, FW, Hips ...).
    With good configuration SBIE can prevent your system from getting infected, but in case of infection SBIE is useless regarding that infection.

    EDIT: I saw m00nbl00d's post too late :) He explained it great.
     
    Last edited by a moderator: Oct 11, 2011
  8. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
    aww I did not know about this :'(
    I've been doing sensitive tasks on one sandbox while doing something risky on the other box for quite some time. :doubt:
     
  9. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,920
    first fault: Sandboxie can NOT prevent malware!
    second fault: Sandboxie can NOT prevent stealing data from your computer if web access is not denied.

    Sandboxie can only prevent distribution of malware out of the box into the host.

    what m00nbl00d wrote is absolutely correct - in some cases it is possible to have interaction between boxes. there is an example in the sandboxie forum.

    your conclusion now?
     
  10. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    banking trojan can steal your data no matter if you are running Sandboxie or not.

    If you want to do your Netbanking and never worry about banking trojans, then you need to run Linux, e.g. Ubuntu within Virtualbox. Even if your PC was infected with a banking trojan, your Ubuntu session within Virtualbox would not be affected.
     
  11. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    If your system is compromised, then Sandboxie is no help from something lurking inside. It prevents things from leaking out, good or bad. However, assuming your system is clean, Sandboxie can be restricted to what can start/run or have internet access. Drop rights, resource access restrictions such as documents, registry - closed key paths. Making things difficult to even run or access, there is not that much to be worried about imo.

    Again, assuming your system is clean, if you visit different sites and then login to sensitive information such as bank etc, then you're asking for trouble. Sandboxie contents should always be deleted first, and then a new browser session opened, before any sensitive info is done.
     
    Last edited: Oct 11, 2011
  12. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    Actually sandboxie can prevent malware if set up properly. If drop my rights is set and firefox and certain other trusted apps are the only ones allowed to run and have internet privileges, then malware won't be able to run nor access the internet.
     
  13. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Exactly.
     
  14. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    An interesting test would be to have 2 boxes set up, one browser per box. Set restrictions so that only each browser may run and have network access. Then, open each box side by side, and on browser A log into account(s) etc, and on browser B go to a compromised website.

    Does cross-sandbox communication really mean anything at that point? It should if the right exploit is there, as when allowing webpage to load via the approved browser, one is likely also allowing scripts etc, which do the dirty work actually. But it would be interesting to see, if a js was trying to read memory or access the other browser in the other box, could it.

    Sul.
     
  15. chinook9

    chinook9 Registered Member

    Joined:
    Jan 27, 2008
    Posts:
    444
    Wow!!

    Thank you for all the input. I think this thread will be very useful in the future for those who are trying to decide whether to use Sandboxie.

    Based on the input, I will consider (1) making sure my machine is very clean, (2) decide on the most secure browser to use for financial transactions, (3) supplement my protection with the best anti-keylogging software that will work with my present protection, and (4) doing financial transactions outside Sandboxie.

    Thanks again for all the information.
     
  16. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Spyshelter is one of the best if not the best keylogger protection and it runs great along side sandboxie.
     
  17. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Most of what he's said is accurate, but he's talking about beginner-intermediate use of Sandboxie. I agree that out of the box, Sandboxie is purely designed to prevent infection spreading to the system - but it's so powerful when used as an anti-executable.

    Doesn't everyone here use start/run restrictions when needed?

    For example, I have 7zip set to run in its own Sandbox. It has direct access to my downloads folder (and a few other set folders), but the sandbox is forbidden from executing any code or accessing the internet. This means I can unzip files when needed in specific folders, without the risk of a 7zip exploit being successful in executing remote code. Just to be on the safe side, I block access to many folders.

    In my browsing box, like Steve it also has related applications like PDF and email for usability - but with start/run restrictions in place there's very little risk. If I merely had internet restrictions, then nothing would prevent a trojan from injecting itself into the browser process and uploading data.
     
  18. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    When I use firefox I run it like an anti-ex. The only things I allow to run are key firefox processes and adobe reader. Also the only thing able to make internet access is firefox. I don't even let Adobe have internet. Yeah it stinks that I get error messages when it starts but not a big thing. This assures me that nothing will be running other than the processes I have listed.

    Like others have said before sandboxie is only limited to your imagination. You can make it as light or heavy as you need.
    It's too bad that there aren't some preset configurations that you can get and implement on your own system. Of course everyone's system is different so I understand that wouldn't work.
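An added example (my own code, not Sandboxie's and not any poster's) that audits a Sandboxie.ini against the advice in m00nbl00d's and kjdemuth's posts: per box, only the browser process may start and reach the network, admin rights are dropped, and contents are deleted. The ClosedIpcPath/ClosedFilePath forms used for the start/run and internet restrictions are assumptions about how the GUI writes those settings, and the sample .ini is constructed.

```python
# Constructed Sandboxie.ini excerpt (an assumption, not any poster's real file).
# Assumed key syntax: ClosedIpcPath=!prog.exe,* is a start/run restriction and
# ClosedFilePath=!prog.exe,InternetAccessDevices an internet restriction, one
# line per exempted program, so the union of '!' programs is the allow list.
SAMPLE_INI = """[Bank]
Enabled=y
AutoDelete=y
DropAdminRights=y
ClosedIpcPath=!firefox.exe,*
ClosedFilePath=!firefox.exe,InternetAccessDevices
[Surf]
Enabled=y
DropAdminRights=y
ClosedIpcPath=!firefox.exe,*
ClosedIpcPath=!AcroRd32.exe,*
ClosedFilePath=!firefox.exe,InternetAccessDevices
[DefaultBox]
Enabled=y
"""

def parse_sandboxes(ini_text):
    # {box name: {key: [values...]}}; repeated keys accumulate in file order
    boxes, box = {}, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            box = line[1:-1]
            boxes[box] = {}
        elif box is not None and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            boxes[box].setdefault(key.strip(), []).append(value.strip())
    return boxes

def exempt_programs(values, target):
    # programs named on '!prog,target' lines; an empty set means no restriction
    allowed = set()
    for v in values:
        prog, sep, path = v.partition(",")
        if sep and prog.startswith("!") and path.lower() == target.lower():
            allowed.add(prog[1:].lower())
    return allowed

def audit_box(settings, browser):
    # findings against the thread's advice; an empty list means the box passes
    can_run = exempt_programs(settings.get("ClosedIpcPath", []), "*")
    can_net = exempt_programs(settings.get("ClosedFilePath", []), "InternetAccessDevices")
    extra = (can_run | can_net) - {browser.lower()}
    checks = [
        (not can_run, "no start/run restriction: anything can execute in the box"),
        (not can_net, "no internet restriction: any sandboxed process can phone home"),
        (extra, "allowed beyond the browser: " + ", ".join(sorted(extra))),
        (settings.get("DropAdminRights", ["n"])[-1].lower() != "y", "DropAdminRights not set"),
        (settings.get("AutoDelete", ["n"])[-1].lower() != "y", "AutoDelete not set: contents persist"),
    ]
    return [msg for bad, msg in checks if bad]
```

Run `audit_box(parse_sandboxes(SAMPLE_INI)["Surf"], "firefox.exe")` to see the Surf box flagged for letting the PDF reader run and for keeping its contents between sessions, while the Bank box passes.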
     
  19. Chuko

    Chuko Registered Member

    Joined:
    Sep 8, 2011
    Posts:
    25
    Thanks RJK3 & kjdemuth. I do have a question, however. Opened pdf file in FF (noscript), Kerio Personal FW 2.1.5 popped up (similar image to that posted by Rmus at post #10 @ wilderssecurity.com/showthread.php?t=308323) followed a second later by SBIE 2222 message regarding AdobeARM.exe (default box). I take it that this error is due to using SB free (even though with start/run access for Adobe Reader X but no internet access). Question is, if it were SB paid instead of free version, with separate sandbox for Reader firewalled by XP, would the pdf exploit be able to execute its payload, taking into account m00nbl00d's post on cross-sandbox contamination? To my mind, the exploit would work if SB's default settings are used, for paid version that is. Thanks.
     
    Last edited: Oct 16, 2011
  20. lws

    lws Registered Member

    Joined:
    Aug 28, 2009
    Posts:
    196

    I have two browsers sandboxed. iexplore 8.0 and firefox 7.01. For iexplorer I have auto delete enabled (eraser-5), same for FF. Restrictions, iexplorer has internet access and also start/run access, nothing else. Have exactly the same for FF in its own sandbox. Drop my rights is enabled for both. In Applications, iexplorer has no direct access to anything. Same goes for FF except direct access to the FF phishing database. Also keyscrambler is allowed to run for both. My question is which of the above sandboxed browsers would be best or more secure for "on line banking".
     
  21. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
    If you open a PDF while browsing using a sandboxed Firefox, the PDF will open sandboxed in your browsing sandbox even if you have a separate sandbox for your PDF reader. It does not matter whether you are using the free or paid version, the PDF exploit won't escape the sandbox and infect your PC. It's better to use a restricted sandbox but even on a sandbox with default settings, the exploit won't do anything to your system as it is contained within the sandbox.

    What m00nbl00d is talking about is that if you get a keylogger while browsing, this KL will be able to read your info when you open another sandbox, until you delete the sandboxes. That's why it's better to use a very restricted sandbox when doing something sensitive and only have one sandbox open at that time. The restrictions will keep any new KL from starting or running. Using Firefox on a restricted sandbox, with respect to KL, our main concern should be using and installing bad/infected addons.

    http://www.sandboxie.com/index.php?SBIE2222
    SBIE 2222 is a message that you'll get on either version, making it easier to add a program to Start/Run Access Restrictions in a sandbox.

    Bo
     
  22. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    First, you are saying you ran FF sandboxed? Then using the PDF plugin, knowingly loaded a malicious PDF that attempted to connect to a dodgy .ru address?

    The exploit 'ran' because it was through the browser plugin of Firefox, as presumably you've appropriately allowed plugin-container.exe.

    The Firewall caught the exploit trying to phone home, and prevented the download. Sandboxie (with start/run restrictions) would prevent the payload from executing, and you'd just have an inactive file sitting in the sandboxed local/temp folder.

    You'd get something like this:
    [screenshot attachment: iexplorernojavasecondrunb.png]

    SBIE2222 is for allowing programs that haven't been added to the start/run allow list:
    http://www.sandboxie.com/index.php?SBIE2222

    I'm not sure why AdobeARM.exe would run, as it's the update manager.
     
  23. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Either. Main thing is to have a clean system, secure your router, and don't access internet banking wirelessly (or at the very least on an untrusted wireless connection). Sandboxie does little to protect the browsing session itself on an infected system - the sandbox is to prevent the spread of malware from the sandbox to the outside, not the other way around.

    If you wanted something that does, use Bufferzone Pro.
     
  24. Chuko

    Chuko Registered Member

    Joined:
    Sep 8, 2011
    Posts:
    25
    Thanks bo elam and RJK3 for your explanation and assurance.
    @ RJK3 -- Yes, I got something like the image but I did not knowingly load a malicious pdf. That file, downloaded from a locally well-known public university website, was a post-grad program guide. The incident occurred upon download completion. I don't think my computer is infected (HMP and MBAM on-demand scans, before and after the incident, indicated no threats found).
     
    Last edited: Oct 16, 2011
  25. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Perhaps it was just Adobe wanting to update? It's been a long time since I've used it, so I'm not completely sure how it behaves - but other PDF readers like to update when loaded.

    You could send the suspected PDF to Virustotal for scanning, also send it to something like Anubis (http://anubis.iseclab.org/) to see how it behaves.
     