Icesword cuts through Sandboxie like butter

Discussion in 'other anti-malware software' started by TNT, Nov 3, 2005.

Thread Status:
Not open for further replies.
  1. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    The powerful Icesword anti-rootkit tool has apparently very little problem breaking out of Sandboxie 2.11 (latest release, 19 October 2005).

    Executing Icesword in a "sandboxed" environment leads to worrying results.

    This is the picture of Icesword being executed with "File -> Run program" in Sandboxie; notice that, though working, it doesn't show in Sandboxie's process list.

    http://img306.imageshack.us/img306/7107/immagine1kh.gif


    Now let's do the following: from the sandboxed Icesword, let's terminate Sandboxie itself:

    http://img52.imageshack.us/img52/6751/immagine26vo.gif


    A few error alerts will show up: not too worrying, though, as Icesword will happily continue to work. Sandboxie's Control.exe, on the other hand, is terminated with extreme prejudice. :p

    http://img84.imageshack.us/img84/5273/immagine36xf.gif


    Now let's save a log of the running processes from Icesword itself. Remember, the program wouldn't be able to access outside its sandbox if it were still under the control of Sandboxie:

    http://img173.imageshack.us/img173/5875/immagine42zk.gif


    Here's the "tested.log" file on the desktop. Clearly Icesword was able to reach outside the sandbox:

    http://img152.imageshack.us/img152/4776/immagine55dh.gif


    In other words, Sandboxie fails to stop rootkit-like programs from spreading outside the box. :eek:

    Tested on Windows XP SP2. Note that this test didn't succeed every single time: on one occasion on the same computer, Sandboxie failed to launch Icesword in a sandboxed environment, complaining about failing to install Icesword's kernel module. Note that the Sandboxie kernel module was installed and running on all occasions.
     
  2. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    BufferZone is the winner (edit: *against IceSword*) , here :cool: ; IceSword can't even run inside the buffer zone!!! :eek: , it does stop dead rootkit-like programs, and then looks like a safe place...

    (IceSword disappears from BufferZone GUI right when you click on IceSword initialization failure box)

    ;)
     

    Last edited: Nov 4, 2005
  3. FastGame

    FastGame Registered Member

    Joined:
    Jan 15, 2005
    Posts:
    677
    Location:
    Blasters worm farm
    I ran a test, but more in line with using Sandboxie through the internet. I got the same results: http://sandboxie.com/phpbb/viewtopic.php?t=110

    I don't know what extent the results mean, could be virtual results.....if so I want to know how the test log got on my desktop and stayed there after I cleared the sandbox o_O
     
  4. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    If you let something get Kernel level access, it can pretty much do anything it likes. It's probably why NicM's test of bufferzone passed - because the error suggests that the driver was not loaded. (With the disclaimer - I've seen neither Sandboxie nor Bufferzone - so I could be wrong)


    Mike
     
  5. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
     
  6. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    As I already mentioned, Sandboxie has very low protection level. You should use another sandbox protection (DefenseWall, BufferZone).
     
  7. hollywoodpc

    hollywoodpc Registered Member

    Joined:
    Feb 14, 2005
    Posts:
    1,325
    I am happy to see someone found what I learned a while back. I read all the great things about Sandboxie. For me, it is useless. It is, INDEED, weak. A shame more people do not see this. But, if you feel protected by that, or any other app, feel free. I only use things that offer strong protection. This is why I tested it and moved on very quickly. It may have a place somewhere but, not as a protective device.
    By the way, BZ is excellent. Those guys really care about what people think about their software. That is a nice touch.
     
  8. tzuk

    tzuk Developer

    Joined:
    Jul 4, 2004
    Posts:
    34
    Hello, I'm the author of Sandboxie. Thanks for the tip, TNT -- this IceSword is doing interesting things! :eek: I will look into it.
     
  9. Sandboxie failed to launch Icesword in a sandboxed environment, complaining about failing to install Icesword's kernel module.

    This is not a failure of Sandboxie, it is a failure of IceSword. It means that Icesword has been successfully sandboxed on this occasion. The issue for the programmer is why Icesword sometimes slips out the box. I expect the author will look at the problem and there will be a fix. Jeez, haven't you guys ever heard of a 'work in progress'? But congratulations, even as we post dozens of people will be uninstalling Sandboxie and installing BufferZone (which is also beta and has troubles of its own).
     
  10. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    And I am perfectly aware of that, thanks. In fact, THIS should be the regular behavior, not the one exception that happens once in a while. Even if Icesword happened to fail 100 times and be successful in breaking out one time, it would certainly be a problem in Sandboxie; as it is (it gets executed and successfully breaks out most of the time), it is a BIG problem in Sandboxie.

    I am not bashing Sandboxie or anything like that, I am just pointing out what's very clearly a security flaw in it, hoping that it's going to be fixed soon; both for users and for the reputation of this product itself.
     
  11. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Glad you're here Tzuk. Seems your good and free prog is ruffling a few feathers in this forum.
    Keep up the good work. No reboots and now some are calling it nagware. For a freebie, it definitely outdoes signature based scanners.
     
  12. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Are you the author of another security program where it needs a reboot every time?
    Have you run Icesword through your program and what, if any, results?
     
  13. Painkiller

    Painkiller Registered Member

    Joined:
    Aug 24, 2004
    Posts:
    42
    Did somebody check the Icesword on any other HIDP or Virtualization software ...
    I will probably add this test to my Review I do on my blog ... currently I will review AntiHook 2.5 and also BufferZone Home ... so I will also check it with Icesword ...
     
  14. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Thanks, should be interesting.
     
  15. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    My intention wasn't to bash Sandboxie, of course (sorry if some people did feel it that way), and this issue must just be related with the driver protection level offered by Sandboxie: as said Mike Nash, once an application can reach the kernel level, you can't stop it from doing its tricks. See http://www.wilderssecurity.com/showthread.php?t=104320, everything is turning round the ability to prevent IceSword's driver install: you block it, IceSword can't run; you don't block it, then IceSword can bypass any protection you could ever use in front of it.

    The fact that Sandboxie doesn't prevent it isn't a flaw, just a feature (hopefully all nasties don't have the "power" that IceSword can gain on a system); and tzuk's reply does maybe suggest that something could happen about that :)


    The ONLY conclusion to draw from that, for me, is that IceSword, with its rootkit-like behaviour, is a very useful tool for testing purposes.

    :)
     
    Last edited: Nov 4, 2005
  16. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Icesword couldn't install their driver. And failed.
     
  17. So if IceSword just needs to load a driver, and SandBoxIE can't stop this, couldn't you just use a program along with SandboxIE that could block the loading of drivers like Prevx free for example? That should stop IceSword from loading then.
     
  18. Or run as a limited user account?
     
  19. tzuk

    tzuk Developer

    Joined:
    Jul 4, 2004
    Posts:
    34
    Thanks Franklin, it's nice to be appreciated :)

    A little clarification: Sandboxie aims to block kernel-mode code from loading. This can be seen when running some peaceful Sysinternals tools that load drivers, for example. They will not function well within the sandbox. The IceSword must be using another avenue for getting into kernel-mode, but almost certainly that avenue can be blocked just the same.

    I thank you all for your interest :)
     
  20. "I am not bashing Sandboxie or anything like that, I am just pointing out what's very clearly a security flaw in it, hoping that it's going to be fixed soon; both for users and for the reputation of this product itself."

    I picked out a quote from your thread but I didn't mean to suggest you were 'bashing' Sandboxie. I think it was Karl Popper who said "if you criticize an argument you make it stronger". Similarly, by discovering this exploit hopefully you have helped to make Sandboxie stronger. So, thanks.
     
  21. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    SandboxieUser, I just precise this quote wasn't for me :) , as your reply does look like it's dealing with mine (along with TNT's one).
     
  22. Guessed

    Guessed Guest

  23. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    DefenseWall HIPS 1.o

    Runs very smoothly on my PC.

    I am not computer-savvy enough to analyze a test with IceSword, but maybe some of you could download DW and take it for a spin around the block with IceSword and see what happens.

    Search this forum for DefenseWall and the link in Ilya's first post will lead to the latest version of the program.

    As Untrusted I only run Outlook, IE WMP and the default other untrusted apps - many of them I don't know what they are for - but probably Internet communication related. Other security apps are in trusted.

    RegTest failed 100% - could not do anything to change anything when run from untrusted/the box - that test I could understand the result - and my DW performed as expected.

    Best Regards
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    5,549
    Location:
    The Netherlands
    I have a question about this whole issue, I've noticed that if I try to run IceSword sandboxed, I will still get notified by ZA Pro that IceSword is trying to load a driver. But ZA will not notify me when other sandboxed apps want to load a driver. So what's up with this, can't SBIE prevent IS from loading the driver or what? :rolleyes:

    And btw, at the moment I've denied IS from installing the driver because I've read in another thread that this tool caused a lot of trouble for some people. Too bad because it looks like a cool tool, and it's also not flagged as malware by none of the scanners. But can it perhaps cause conflicts with ZA Pro and PG Free? o_O
     
  25. khazars

    khazars Registered Member

    Joined:
    Jun 8, 2005
    Posts:
    124
    Location:
    Glasgow, Scotland
    Has anyone got a working download for this as every time I download this programme I get an error that the file is corrupt!
     