Icesword cuts through Sandboxie like butter

Discussion in 'other anti-malware software' started by TNT, Nov 3, 2005.

  1. TNT
    TNT Registered Member

    The powerful Icesword anti-rootkit tool has apparently very little problem breaking out of Sandboxie 2.11 (latest release, 19 October 2005).

    Executing Icesword in a "sandboxed" environment leads to worrying results.

    This is the picture of Icesword being executed with "File -> Run program" in Sandboxie; notice that, though working, it doesn't show in Sandboxie's process list.

    http://img306.imageshack.us/img306/7107/immagine1kh.gif


    Now let's do the following: from the sandboxed Icesword, let's terminate Sandboxie itself:

    http://img52.imageshack.us/img52/6751/immagine26vo.gif


    A few error alerts will show up: not too worrying, though, as Icesword will happily continue to work. Sandboxie's Control.exe, on the other hand, is terminated with extreme prejudice. :p

    http://img84.imageshack.us/img84/5273/immagine36xf.gif


    Now let's save a log of the running processes from Icesword itself. Remember, the program wouldn't be able to access outside its sandbox if it were still under the control of Sandboxie:

    http://img173.imageshack.us/img173/5875/immagine42zk.gif


    Here's the "tested.log" file on the desktop. Clearly Icesword was able to reach outside the sandbox:

    http://img152.imageshack.us/img152/4776/immagine55dh.gif


    In other words, Sandboxie fails to stop rootkit-like programs from spreading outside the box. :eek:

    Tested on Windows XP SP2. Note that this test didn't succeed every single time: on one occasion on the same computer, Sandboxie failed to launch Icesword in a sandboxed environment, complaining about failing to install Icesword's kernel module. Note that the Sandboxie kernel module was installed and running on all occasions.
  2. nicM
    nicM nico-nico

    BufferZone is the winner (edit: *against IceSword*) here :cool:; IceSword can't even run inside the buffer zone!!! :eek: It does stop dead rootkit-like programs, and then looks like a safe place...

    (IceSword disappears from the BufferZone GUI right when you click on IceSword's initialization failure box)

    ;)

    Last edited: Nov 4, 2005
  3. FastGame
    FastGame Registered Member

    I ran a test, but more in line with using Sandboxie through the internet, and I got the same results: http://sandboxie.com/phpbb/viewtopic.php?t=110

    I don't know to what extent the results mean anything, could be virtual results.....if so I want to know how the test log got on my desktop and stayed there after I cleared the sandbox o_O
  4. MikeNash
    MikeNash Security Expert

    If you let something get kernel-level access, it can pretty much do anything it likes. It's probably why NicM's test of BufferZone passed - because the error suggests that the driver was not loaded. (With the disclaimer - I've seen neither Sandboxie nor BufferZone - so I could be wrong)


    Mike
  5. Franklin
    Franklin Registered Member

  6. Ilya Rabinovich
    Ilya Rabinovich Developer

    As I already mentioned, Sandboxie has a very low protection level. You should use another sandbox protection (DefenseWall, BufferZone).
  7. hollywoodpc
    hollywoodpc Registered Member

    I am happy to see someone found what I learned a while back. I read all the great things about Sandboxie. For me, it is useless. It is, INDEED, weak. A shame more people do not see this. But, if you feel protected by that, or any other app, feel free. I only use things that offer strong protection. This is why I tested it and moved on very quickly. It may have a place somewhere but, not as a protective device.
    By the way, BZ is excellent. Those guys really care about what people think about their software. That is a nice touch.
  8. tzuk
    tzuk Developer

    Hello, I'm the author of Sandboxie. Thanks for the tip, TNT -- this IceSword is doing interesting things! :eek: I will look into it.
  9. Sandboxie User
    Sandboxie User Guest

    Sandboxie failed to launch Icesword in a sandboxed environment, complaining about failing to install Icesword's kernel module.

    This is not a failure of Sandboxie, it is a failure of IceSword. It means that Icesword has been successfully sandboxed on this occasion. The issue for the programmer is why Icesword sometimes slips out of the box. I expect the author will look at the problem and there will be a fix. Jeez, haven't you guys ever heard of a 'work in progress'? But congratulations, even as we post dozens of people will be uninstalling Sandboxie and installing BufferZone (which is also beta and has troubles of its own).
  10. TNT
    TNT Registered Member

    And I am perfectly aware of that, thanks. In fact, THIS should be the regular behavior, not the one exception that happens once in a while. Even if Icesword happened to fail 100 times and be successful in breaking out one time, it would certainly be a problem in Sandboxie; as it is (it gets executed and successfully breaks out most of the time), it is a BIG problem in Sandboxie.

    I am not bashing Sandboxie or anything like that, I am just pointing out what's very clearly a security flaw in it, hoping that it's going to be fixed soon; both for users and for the reputation of this product itself.
  11. Franklin
    Franklin Registered Member

    Glad you're here, Tzuk. Seems your good and free prog is ruffling a few feathers in this forum.
    Keep up the good work. No reboots, and now some are calling it nagware. For a freebie, it definitely outdoes signature-based scanners.
  12. Franklin
    Franklin Registered Member

    Are you the author of another security program where it needs a reboot every time?
    Have you run Icesword through your program, and with what results, if any?
  13. Painkiller
    Painkiller Registered Member

    Did somebody check Icesword on any other HIPS or virtualization software...
    I will probably add this test to the reviews I do on my blog... currently I will review AntiHook 2.5 and also BufferZone Home... so I will also check them with Icesword...
  14. Franklin
    Franklin Registered Member

    Thanks,should be interesting.
  15. nicM
    nicM nico-nico

    My intention wasn't to bash Sandboxie, of course (sorry if some people did feel it that way), and this issue must just be related to the driver protection level offered by Sandboxie: as Mike Nash said, once an application can reach the kernel level, you can't stop it from doing its tricks. See http://www.wilderssecurity.com/showthread.php?t=104320 , everything turns on the ability to prevent IceSword's driver install: you block it, IceSword can't run; you don't block it, then IceSword can bypass any protection you could ever use in front of it.

    The fact that Sandboxie doesn't prevent it isn't a flaw, just a feature (hopefully all nasties don't have the "power" that IceSword can gain on a system); and tzuk's reply does maybe suggest that something could happen about that :)


    The ONLY conclusion to draw from that, for me, is that IceSword, with its rootkit-like behaviour, is a very useful tool for testing purposes.

    :)
    Last edited: Nov 4, 2005
  16. Ilya Rabinovich
    Ilya Rabinovich Developer

    Icesword couldn't install their driver. And failed.
  17. justwondering
    justwondering Guest

    So if IceSword just needs to load a driver, and SandBoxIE can't stop this, couldn't you just use a program along with SandboxIE that could block the loading of drivers like Prevx free for example? That should stop IceSword from loading then.
  18. justanswering
    justanswering Guest

    Or run as a limited user account?
  19. tzuk
    tzuk Developer

    Thanks Franklin, it's nice to be appreciated :)

    A little clarification: Sandboxie aims to block kernel-mode code from loading. This can be seen when running some peaceful Sysinternals tools that load drivers, for example. They will not function well within the sandbox. The IceSword must be using another avenue for getting into kernel-mode, but almost certainly that avenue can be blocked just the same.

    I thank you all for your interest :)
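    Mike Nash's point and tzuk's clarification above come down to the same thing: once a kernel-mode driver is loaded, the sandbox can no longer contain the program, so the event worth watching on the host is the driver installation itself. As an added example (not from this thread, nor Sandboxie's or IceSword's code), the following parses the text of Service Control Manager event 7045 ("A service was installed in the system") and flags kernel-mode driver installs that are not on an allowlist; the sample messages and driver names are constructed, and the drivers-directory path assumes a default Windows XP install.

```python
import re
from dataclasses import dataclass

# Constructed sample messages modelled on the text of event 7045; not real captures.
SAMPLE_EVENTS = [
    "A service was installed in the system.\n\nService Name:  ExampleSandboxDrv\n"
    "Service File Name:  \\??\\C:\\WINDOWS\\system32\\drivers\\ExampleSandbox.sys\n"
    "Service Type:  kernel mode driver\nService Start Type:  auto start\nService Account:  ",
    "A service was installed in the system.\n\nService Name:  ExampleRootkitTool\n"
    "Service File Name:  \\??\\C:\\Documents and Settings\\user\\Desktop\\tool.sys\n"
    "Service Type:  kernel mode driver\nService Start Type:  demand start\nService Account:  ",
    "A service was installed in the system.\n\nService Name:  ExampleUpdater\n"
    "Service File Name:  C:\\Program Files\\Example\\updater.exe\n"
    "Service Type:  user mode service\nService Start Type:  auto start\nService Account:  LocalSystem",
]
# Hypothetical allowlist: the drivers an administrator expects on this machine.
ALLOWLIST = ["\\??\\C:\\WINDOWS\\system32\\drivers\\ExampleSandbox.sys"]
# Assumption: default XP system root; drivers dropped elsewhere deserve a closer look.
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

FIELD_RE = re.compile(r"^(Service Name|Service File Name|Service Type|Service Start Type):\s*(.*)$", re.M)

@dataclass
class ServiceInstall:
    name: str
    image_path: str
    service_type: str
    start_type: str

def parse_7045(message: str) -> ServiceInstall:
    """Pull the labelled fields out of a 7045 message body."""
    f = {k: v.strip() for k, v in FIELD_RE.findall(message)}
    return ServiceInstall(f.get("Service Name", ""), f.get("Service File Name", ""),
                          f.get("Service Type", ""), f.get("Service Start Type", ""))

def normalize_path(path: str) -> str:
    """Strip the NT \\??\\ prefix the SCM logs and compare case-insensitively."""
    path = path.strip()
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()

def flag_driver_installs(messages, allowlist):
    """Return (service name, path, reason) for kernel-mode drivers not on the allowlist."""
    allowed = {normalize_path(p) for p in allowlist}
    hits = []
    for msg in messages:
        ev = parse_7045(msg)
        if "kernel mode driver" not in ev.service_type.lower():
            continue  # user-mode services cannot escape a sandbox the way a driver can
        path = normalize_path(ev.image_path)
        if path in allowed:
            continue
        reason = "unlisted kernel-mode driver"
        if not path.startswith(DRIVER_DIR):
            reason += ", image outside the drivers directory"
        hits.append((ev.name, path, reason))
    return hits
```

Run over the real System event log, the same logic would have surfaced the driver install that let IceSword reach outside the box, whether or not Sandboxie's process list showed it.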
  20. Sandboxie User
    Sandboxie User Guest

    "I am not bashing Sandboxie or anything like that, I am just pointing out what's very clearly a security flaw in it, hoping that it's going to be fixed soon; both for users and for the reputation of this product itself."

    I picked out a quote from your thread but I didn't mean to suggest you were 'bashing' Sandboxie. I think it was Karl Popper who said "if you criticize an argument you make it stronger". Similarly, by discovering this exploit hopefully you have helped to make Sandboxie stronger. So, thanks.
  21. nicM
    nicM nico-nico

    SandboxieUser, I just want to make clear that this quote wasn't mine :) , as your reply does look like it's dealing with mine (along with TNT's).
  22. Guessed
    Guessed Guest

  23. Rivalen
    Rivalen Registered Member

    DefenseWall HIPS 1.0

    Runs very smoothly on my PC.

    I am not computer-savvy enough to analyze a test with IceSword, but maybe some of you could download DW and take it for a spin around the block with IceSword and see what happens.

    Search this forum for DefenseWall and the link in Ilya's first post will lead to the latest version of the program.

    As Untrusted I only run Outlook, IE, WMP and the default other untrusted apps - many of them I don't know what they are for - but probably Internet communication related. Other security apps are in trusted.

    RegTest failed 100% - could not do anything to change anything when run from untrusted/the box - that test I could understand the result of - and my DW performed as expected.

    Best Regards
  24. Rasheed187
    Rasheed187 Registered Member

    I have a question about this whole issue. I've noticed that if I try to run IceSword sandboxed, I will still get notified by ZA Pro that IceSword is trying to load a driver. But ZA will not notify me when other sandboxed apps want to load a driver. So what's up with this, can't SBIE prevent IS from loading the driver or what? :rolleyes:

    And btw, at the moment I've denied IS from installing the driver because I've read in another thread that this tool caused a lot of trouble for some people. Too bad, because it looks like a cool tool, and it's also not flagged as malware by any of the scanners. But can it perhaps cause conflicts with ZA Pro and PG Free? o_O
  25. khazars
    khazars Registered Member

    Has anyone got a working download for this as every time I download this programme I get an error that the file is corrupt!