A challenge for sandbox /virtualization technology

It seems in the last few weeks, sandbox, virtualization technology has being hyped up by the usual suspects. It has being describes as a "major way forward", a new foundation, a way to eliminate the bad old scanners.

Vikorr is trying Antimalware, Notok is trying Defensewall host, other people are trying sandboxie, greenborder etc.

I'm just curious, how does the following products succueed in sandboxing
snip....Link removed as there are links from that page that are against the Wilders TOS - Bubba

Are these blocked?

 

The first exploit, the DDE-IPC exploit, has been discussed in the Firewalls forum in the "Malicious code could trick ZoneAlarm firewall" thread. Whether "sandboxing" could block applications from connecting out would depend on how you define "sandboxing." That is, what should a sandbox or "virtualization" program be expected to do?

I'm beginning to suspect (after reading comments in the other virtualization thread) that this technology is being expected to do things it wasn't designed to do.

Regarding "Defeating Citi-Bank Virtual Keyboard Protection" in the link you cited - I noticed these comments on the POC download page:

=================
This can be exploited to execute arbitrary HTML or script code in a user's browser session in context of an affected site by tricking the user into visiting a malicious
website or follow a specially crafted link.
---------------
This can be of great aid to the phishers who can entice the user to click on
the above link and get re-directed to some malicious sites where their
critical informations can be stolen.
=================

Similar comment made about the "Indiatimes Shopping Cart XSS (Cross Site Scripting) Attacks"

A little bit of common sense should work here.

-rich
________________
~~Be ALERT!!! ~~

 

*Exactly*. That was the point I was trying to make actually. After all vikorr has claimed that he tested all sorts of PoCs and nothing has got past.....

See also https://www.wilderssecurity.com/showthread.php?t=99742

 

Hiya Pollmaster

Why not try the tests I ran out for yourself. They are easy enough to find <I included the links somewhere, but it may have been over at Castlecops>

I'll have a look at your above link when I wake up. I just finished a shift of nightwork.

As for virtualisation programs, I like SU (as an example because I use it), for it's simplicity. It's easy to understand how it works.

With regards to AM. If I was using it by itself, I would probably like it very much. I do like the program, but not entirely certain if I'll keep it <most because of issues related to SU>

And I saw another post of yours Pollmaster, where you said that sandboxes are being used for much the same purpose as HIPS (or words to that effect). I quite agree. I suppose the difference is, that almost everything seeing as almost everything is contained within the sandbox - it does not need a specific rule (for example) for things like registry protection...all registry changes are written to a virtual registry, which is not read at computer startup.

And yes, installations, once again, are a weak point.

 

I guess you mean softwares, that can't be installed without an internet connection.
In my case, I know only 3 softwares that need an internet connection :
1. Windows Update.
2. MSAS beta1
3. A2 Free.
The rest of all my software can be installed without internet.

 

I mean software installs that require drivers

Other installs a fine, so long as you don't want the program to autostart.

 

Hmm, I don't recall seeing much of that.

 

Pete

That sounds like a better way of testing things than ShadowUser, which is causing problems with AM, because I think, of the virtual registry used by AM, which I can't exclude from SU.

I've been wanting a disk imaging system for a while now (just not prepared to pay the money yet - have to get rid of the credit card debt first- don't like having them).

I had heard that some of them take like 5-8 CD's to capture a computer, but you are saying First Defense ISR can re-install in 5min, and has option of booting in different snapshots of the OS...that sounds flexible. I take it the only thing you can't recover from is a system crash ? <I've heard you can recover from system crashes with other imaging systems>

 

Really? Just a few examples here.

Must I go on? The same old "signatures are bad" <insert whatever new approach is the fancy of the month> is better.

 

Vikorr, if you look at the posts Erikalbert is making he is bashing "definitions" because they list only the bad things which according to him is infinite.

So he prefers sandboxes.

But what I'm trying to show is that sandboxes might also be based on the bad old method of listing bad actions. If it is unknown to the sandbox maker that a certain action can be used to do evil, it will be allowed.

So virtualization tech isn't all that good either, considering the complexity problems of employing them.

 

I dunno, 3 out of the 517,830 posts on this board hardly qualifies as 'hype' to me. Talk about the strengths and weaknesses, sure, but c'mon man.. don't try to wrap internet/forum politics into this, please.

 

Like it or not, this board is built on forum politics. I think if you study the behavior of the board and its personalities you will see some interesting patterns.

From past experience this is how hype happens

1. A few vendors by chance or circumstance produce a certain gimack that until there was not offered to home users but is old hat to enterprise users.

2. Remus/kareldjag will post some official sounding defintion about it, some tests

3. Then the betatester group will move in (Vikorr, Peter, myself, Richrf) etc . Either testing it, or ....Threads covering the same topic start appearing in frequency.

4. People then start talking about how it's a new paradigm, a new foundation to replace antiviruses....

5. Profit!

Sometimes its not a new class of software, but rather some new software that catches the fancy of the beta tester group.

Surely this is starting to sound familar to you Notok.

I just call them as I see them. I don't care if you think this is a troll.

 

http://en.wikipedia.org/wiki/Forum

 

Hi Everyone,

I would appreciate it if we could proceed with some swiftness to step number 5 in the pollmaster plan


Mike

 

Experience tells me that having pollmaster campaign against a certain product, adds 200% to its sales.

 

Sandboxes do not automatically stop exploitation of vulnerabilities, they just have the ability with user input to set tight boundaries on executable behaviour. But it's because of these set boundaries that execution of program code by exploitation of a vulnerability can be made to fail, or the damage largely mitigated.
I also posted a reply on the issue of sandboxes here:
https://www.wilderssecurity.com/showpost.php?p=574527&postcount=9

 

I'm taking this challenge with anti malware right now. Stay tuned for results.

Thanks,

Chris

 

hmm now the link is gone. Someone please pm me with the link.

Thanks,

Chris

 

Using Antimalware.

First test:
Bypassing Personal Firewall (ZoneAlarm Pro) Protection

This test does send the information to it's server. But this is expected.

Second test:
Defeating Citi-Bank Virtual Keyboard Protection

Whether it is Antimalware or something else this test fails with the program giving the message "Citibank login page not found!!"

Third test:
Indiatimes Shopping Cart XSS (Cross Site Scripting) Attacks

The only one that I could get to work was the redirection code and this did redirect my browser.

Fourth test:
Defeating Microsoft WGA (Windows Genuine Advantage) Validation Check

Could not find the POC on the site. Please pm me if I missed it somewhere.

Fifth test:
CuteNews "archive" parameter Cross Site Scripting (XSS) Vulnerability

I did not test this due to the current version of Cute news is 1.4 and this version is not affected by the exploit.


Conclusion:
I think most if not all of these tests are not tests for Antimalware or sandbox apps. The POC's are mostly using flaws in the browser not in Antimalware or a sandbox app. A better test would be to run a trojan, virus or other malware and see the results. Pollmaster if you can pm me with any types of these programs which would actually be a test for Antimalware or a sandbox app than I will test them and post the results here as well. Please remember these tests only represent my PC and the conclusion is just my opinion.

Thanks,

Chris

 

Perhaps but What exactly would a test for sandbox apps be? Saying trojans or viruses doesn't clarify the matter, since the technique used by this leak test can easily be used ina trojan (perhaps combined with a keylogger for bypassing the firewall).

Doesn't a sandbox claim to restrict all types of behavior except for a few harmless activities. The question then becomes is the type of behavior carried out by this leak test a possibly dangerous one? If so, shouldn't the sandbox block this behavior?

Or are sandboxes mainly focused only about logging changes to the files and directories only?

I think you misunderstand the point of this thread. Please see Ghost's post higher up in the thread, and the link to another post he made (in response to my post in another thread).

I would add, that saying that "flaws in the browser" (actually this is false with respect to the test 1) is not excusable.

 

in the case of sandboxie - the sandboxie virtual disk folder is the universe - everything that runs within sandboxie and downloads within sandboxie thinks the virtual disk folder is the real hard drive. at the end of the session you empty the sandbox - so for example if there is a keylogger running in memory that was inadvertantly downloaded during the session it will be writing it's log file to the virtual folder - emptying the sandbox will destroy the log file - if the keylogger tried to write autostart keys to the registry it will be the virtual folder copy of the registry so all autostart info is destroyed when the sandbox is emptied.

 

This will not happen if the trojan is untrusted, It can not install a hook to capture keys.

This is not considered dangerous behavior by the sandbox so it does not blok it. The program is simply sending text that a user inputs into the program or uses the default text using a method that the firewall does not stop. It does not capture your keystrokes.

Well I doubt you are going to find a program sandbox or not that will allow most programs to function correctly but yet block all exploits. You will not find an anti virus or anti trojan or anti anything that will do this. Nothing can block 100 percent of everything besides turning off the power. But sandbox or similar products will let you run untrusted apps that for the most part will work well but not be able to do damage. Not sure other than that on how to explian it.

That is why I wrote:

Note the word mostly. I would say that 1 out of 5 does clasify as mostly.

Thanks,

Chris