Possible Sandboxie breach

Discussion in 'sandboxing & virtualization' started by Doodler, Mar 14, 2013.

Thread Status:
Not open for further replies.
  1. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    237
  2. CrusherW9

    CrusherW9 Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    517
    Location:
    United States
    If this is true, then I'm interested in seeing how fast Tzuk fixes it.
     
  3. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Nice find by Buster! He's a great person as usual!
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Guy's rather then keep posting in the thread which keeps the subject active, and can alarm people, why not just let it lie, until Buster has something factual to report.

    Pete
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Seems like any time there's speculation that's exactly what happens - IDK why anything would be different for Sandboxie.

    I'd be surprised if this were used anywhere outside of targeted attacks, though.
     
  6. chris1341

    chris1341 Guest

    Already posted in the beta 4 thread.

    Didn't start another thread because I don't think (as yet) it merits it. Might be very easily mitigated (drop rights etc), might only be relevant in a targeted attack. We don't know yet.

    Anyway every security program is vulnerable in some way. I'm sure Tzuk will deal with it quickly if proven. If it can be resolved it will be patched quickly, if its just the way the program works, well we have a choice to make based on risk.

    Lets be patient and see how it develops.

    Cheers

    Edit: Spent too much time elsewhere while typing so only just noticed Peter2150 and Hungry Man's posts make this one kinda superfluous.
     
  7. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Proof is in the pudding,So as of right now its just speculation until proven otherwise.
     
  8. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
  9. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    I beg to differ.
    "I have been told...", "The malware could be using...", "If I am not wrong...".
    So far there's no confirmation on anthing, so: speculation.
    Not saying it's bogus, just that we need, as mentioned, some patience.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    You know I am always a bit suspicious when someone posts about a problem and it's from a "trusted" source but they can't be revealed or will come forward.

    I know most of you like me consider the person making these statements. In this case that consideration has been altered dramatically by this:

    http://www.sandboxie.com/phpbb/viewtopic.php?t=6557&start=855

    Read it and judge for yourselves.

    Pete
     
  11. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    548
    Location:
    Nottingham
    Either way , this is a bit sad. If there has been a bypass, or perhaps just bad feelings.
    Surely the amount of people, using SB specifically to analyze malware, must be extremely low.
    Like Tzuk said " I'm not going to spend time to make Sandboxie be able to run malware for the sake of running malware. This would not be in the best interest of most people using Sandboxie and expect it to protect them. If even one malware, which would potentially steal data, would fail to run under Sandboxie, then it is a win for people who use Sandboxie "
     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Sure, for those who use use Sandboxie to test malware, too bad, but its intended purpose is to protect against malware threats, not to test malware.
     
  13. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    Read it. Yet, I still think it doesn't alter anything in regards to the topic at hand.

    Let's analyze things further before we judge characters...

    Buster and Tzur had disagreements on the subject of releasing another version in 3.x line to accommodate BSA users but that does not warrant any implied distrust against Buster, at least for me. Their disagreement is only limited to the use of BSA-Sandboxie combo for malware analysis in future versions and not on the effectiveness of Sandboxie as a security tool. I think that's pretty clear.

    Of course, it's natural and I'm not surprised if there are suspicions on Buster arising from that episode. You might think there's an agenda of tarnishing Sandboxie reputation or simply causing FUD. If that's your stance, I have to respectfully disagree.

    Buster already decided to "move on" and stated that "BSA will be discontinued". From what I can see, it's mentioned that he shared the malware sample/POC with Ronen. Look at the tone of his posts. I see it as an indication he's still willing to work with the latter on improving Sandboxie, regardless of whatever disagreements they had previously.

    Most of us here loves Sandboxie with a passion but let's not forget the fact nothing is 100% foolproof. I don't think even Ronen Tzur would make such claims. If this breach is indeed true, let's give the developer some time to work out something to patch the issue. It has been done before.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I totally agree. Just I think people need to be aware of all the facts. THen they can judge for themselves.
     
  15. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    I think Buster is open minded and keeping a good tone with the developer. I find it highly unlikely he'd just say Sandboxie's been breached unless he have very good reasons.
     
  16. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    Buster gave a sample to Tzuk - so Tzuk can analyze if there is a problem and react. Thats fine and thats the way it should go.

    So for me - with all the information that is available atm, there is no need to get frightened about sandboxies effectiveness or for speculation and long threads about a possible bypass. Just patience and wait.
    __

    The "BSA issue":
    I totally understand Tzuk's position but I also can understand that Buster maybe is a little bit sad about it, after all the work he put into BSA. For me a great tool - but SB is the basis and BSA only the addition. I really hope Buster doesn't gives up development and finds a way to make it as much compatible as possible. Beside malware analysis, which always is a little nonsense in sandboxes, that tool was usefull for so many other things (to track installations etc.).
     
  17. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    1,159
    If there is a breach in Sandboxie and it is possible to correct, I have every confidence Tzuk (Ronen Tzur) will be straight on to it; Over the years I've often seen him fix bugs within the same day. From a personal point of view I don't like sudden "architectural" changes in loved software that I'm devoted to and have become accustomed to but Tzuk has never been afraid of radical change to progress his product and achieve his goals . He doesn't like compromise "solutions" and is a person who ultimately walks his own path. Those goals are not maybe Buster's goals but then again, Buster is not the developer of Sandboxie. It's Tzuk's time and income that is at stake. As I remember it Buster developed his own software independantly and Tzuk had the good grace to accept it positively but obviously he can't let it disrupt his operation and particularly if he has to make major changes to his own software.
    Tzuk has always had a good forum (which he actively participates in) and an open ear to his users/members and has taken many suggestions on board in Sandboxie's development.
    Buster's software is probably very useful to a particular interest group but essentially it very dependant on another software for it's existance.
     
    Last edited: Mar 16, 2013
  18. chris1341

    chris1341 Guest

    In addition the VT reference Buster makes shows it as an exe file which would be prevented from launching if you have start/run restrictions. So for me with my settings and the fact I use anti-executable software I guess the only way this would infect me was if I chose to run it in a social engineering type scenario. That's always been a risk with my set-up and I use things other than SBIE to mitigate that. I'll be sticking with SBIE until it no longer meets my requirements. A long way from that for me despite this.

    Cheers
     
  19. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Maybe, but regarding the earlier link provided in the Sandboxie thread:

    http://www.welivesecurity.com/2012/12/27/win32gapz-steps-of-evolution/

    it seems it could be a rather elaborate "dropper" process, especially where it's mentioned:

    It doesn't seem to be a simple matter of just manually executing the malware. Of course we'll hopefully get a better idea about this once further testing is completed, although it's encouraging so far with the one report coming from tzuk (Ronen).
     
  20. chris1341

    chris1341 Guest

    Thanks wat0114.

    Yeah, I got that the delivery method may avoid detection and silently elevate but had assumed it was the payload that led to the SBIE 'bypass' rather than delivery method and that the payload was an executable file which would be blocked by start/run.

    I had taken that only after execution (elective/user initiated or not) does the 'bypass' take place. Making that assumption is the reason I suggested only manual rather than drive-by style execution would be an issue in my set-up which includes anti-executable and start/run restrictions.

    As you say we'll no doubt find out more as I think this has a way to run.

    Cheers
     
  21. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    I am a little confused, who is Ronen?
     
  22. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    870
    Location:
    2500'
    The creator and developer of Sandboxie, Tzuk.
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I was able to got the sample, hurray.....:D Anyone ? Drop me a PM, don,t ask in the thread please.

    It,s Gapz trojan.
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    It doesn,t seem to do anything. May be Vm aware. :rolleyes:
     
  25. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Malware sample? I thought it was PoC? o_O
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.