Sandboxie Acquired by Invincea

Discussion in 'sandboxing & virtualization' started by ad18, Dec 16, 2013.

Thread Status:
Not open for further replies.
  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I was talking about standard exploits; those ones are easily stopped with execution control. Also, I've never heard of a trojan/keylogger that is capable of running directly from memory.

    No surprise since only highly advanced exploits, that make use of privilege escalation, can break out of the sandbox.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Interesting, so the "integrity level" feature in Win Vista/7/8 will stop AKLT from reading keystrokes outside the box. This is something that Win XP lacks.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    will test and report
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Apparently memory-only payloads are in the wild though. The Angler Exploit Kit can do this, which seems to be a common threat these days, and it can use a keylogging payload.

    Supporting References:
    Java.com, TMZ Serving Malvertising Redirects to Angler Exploit Kit
    Fileless Infections from Exploit Kit: An Overview

    From Complete Removal of Angler Exploit Kit (removal guide):
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, but does this key-logging component run directly from memory? I do not think so, because as you can read in the article (see link), hackers still rely on disk-based trojans to infect systems. Of course I also prefer to stop the attack in stage 1; you need anti-exploit for that. On the other hand, if your browser is restricted (can't listen for connections, can't start other processes, can't install a keyboard hook), such an attack will also be stopped, in theory.

    http://www.securityweek.com/malware-injected-directly-processes-angler-exploit-kit-attack
     
  6. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    About Angler exploit kits and Sandboxie. From the Sandboxie forum.
    http://forums.sandboxie.com/phpBB3/viewtopic.php?f=5&t=19642

    Bo
     
  7. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,242
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, but that is not the point. If malware is running inside the sandbox, it can still do damage, in theory. So you need to harden the sandbox settings and/or use HIPS/anti-exploit/anti-logger to be completely safe.
     
  9. When it bypassed Faronics-AE, it will probably also bypass other Anti-Executables (like NVT Exe Radar Pro). Listening through a browser would be done by rich content (java, pdf, flash, silverlight etc.) or reversing/pushing messages from a server (using Ajax in IE for example). You should ask the developers of your application virtualization program how to set this up, because I really doubt that the settings/restrictions you can set through configuration will stop that, so I would write that 'in theory' in capitals and bold.
     
  10. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    I am an old-fashioned guy, so I do banking the old-fashioned way of going to the bank or sending someone over. But if I was to do banking online, in addition to using a restricted sandbox with Drop Rights where only the browser can run and connect, I would open a fresh browsing session, do banking, delete the sandbox and get out. And I have no plugins in W7 and only one in XP, and I use NoScript. I think, for this kind of malware to do damage to me, I would have to be very unlucky.:)

    Bo
     
  11. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
  12. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Thanks for the heads up Bo!
     
  13. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    It cannot do any damage if it's contained; that's the point of Sandboxie's containment. However, restrictions will do the trick.
     
  14. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I have to admit I want to try out Shadow Defender, but I'm scared to death of using it. First, will it eat memory like virtual boxes do when you put, let's say, the C: partition in shadow mode, and when you disable shadow mode will my RAM lose a lot of megabytes or even gigabytes?
    Just wondering how good Shadow Defender is in protection and security, as another additional part of security?

    Regarding HmPA, I don't like betas, so I don't use them, but hopefully the new, clean version of HMPA with exploit mitigations will come up.
    Regarding SBIE4, you don't need SBIE4 to clean up sandbox, you can have CCleaner and Glary Utilities Pro, this is what I also use, as well.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Couple of things. 1st, the new 13.7 SBIE beta did indeed solve the Firefox problem. So that again allows me to work with it.

    As to Shadow Defender, no, it doesn't eat resources at all like a virtual machine. In fact I've allocated 2.5GB of RAM for its virtual storage. When it uses that up, it goes back to the disk. I see absolutely no impact on performance. To exit shadow mode requires a reboot, so there is no RAM loss. Security comes from the fact that you aren't writing anything to the main part of the disk.

    Re cleanup, the cleaners you mention don't quite measure up to SBIE, because SBIE pulls everything, including the registry hives it needs, into the sandbox, and upon deletion they go.

    So now I have two options to use.

    Pete
     
  16. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,242
    Removed Protectedmode=0 and now Flash works fine with FF 33.0, Sandboxie beta 4.13.7 and Flash .189 (W7 74 bits).
     
  17. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    You could ask Curt or send him an e-mail with such questions, since you know what you are talking about.
     
  18. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,325
    Location:
    US
    I allow SD to use up to 2 gig of RAM if it needs it but it has never actually used more than 600mb.

    By default SD does not use any RAM at all for the temp storage but rather your hard drive. You have to choose to use RAM for storage.
    Acadia

    CORRECTION: Looks like my system is allotting 2 gig of memory to SD but is only using 600mb of it, but it is still kept aside for it. To use minimum RAM keep the default which saves the Write Cache to disk.
     
    Last edited: Oct 15, 2014
  19. We are talking about theory here. What is the real-life chance of running into such an exploit? Also, when a researcher finds a new exploit, its theoretical impact is often exaggerated. So I am not going to claim time from an expert, sorry.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I was once again talking about the "memory only" malware served by the Angler exploit kit. In theory, it can run some info stealing trojan, so if the sandbox is not hardened, it might be able to steal data. This is what I mean with "damage". But like I said before, I'm not sure how dangerous this type of exploit actually is.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I'm not sure what you mean, because Anti-Executables like EXE Radar, VoodooShield and AppGuard will be bypassed for sure by malware that's running inside memory only. I also do not understand the rest of your post. What I was trying to say is that malware running inside the memory of a browser will be restricted by the privileges that the browser has. So if a browser cannot listen for incoming connections, and cannot hook the keyboard, you might be able to stop a remote shell trojan. Of course this is all theory.
     
  22. I thought you were referring to start/stop and internet restrictions, because you mentioned to harden the sandbox with AE/HIPS/etc. When it breaks the untrusted/anonymous user container/sandbox it is game over, because an OS-feature is bypassed. But as Kurt said Angler has not crossed their radar screen nor is the untrusted/anonymous user container broken in real life. So we agree on the sandbox restrictions and privileges being the critical protection layer.
     
  23. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    This is getting a bit confusing. :D But basically, in the last weeks, 2 types of attacks have been discussed in this thread:

    1. Does Sandboxie protect against key-loggers?
    2. Does Sandboxie protect against drive-by attacks, used by exploit kits?

    The answer to question 1: no, not with standard sandbox settings.
    The answer to question 2: no, not with standard sandbox settings.

    About 1, SBIE is not designed to block key-logging techniques, so if some Trojan is running outside the sandbox, you still need protection from a firewall and HIPS. Inside the sandbox you can stop the Trojan with the "Restrictions" feature.

    About 2, standard exploits will most likely be stopped with the "Restrictions" feature, but to stop advanced exploits, you need anti-exploit apps. But even advanced payloads that run in memory only might have a hard job infecting the machine permanently, because they're running with limited privileges inside the sandbox.
     
    Last edited: Oct 15, 2014
  25. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Excellent post.
    And yes, inside SBIE4's sandbox, start/run restrictions will prevent any malware (unless there is a bug, or SBIE4 itself is exploited); outside of SBIE4, a keylogger/trojan can do whatever it wants to SBIE4, which is why it's crucial to have a 100% clean, 100% fresh computer from ground zero.
    And yes, advanced exploits will have a very hard, even impossible, time (if we talk about how much time it would take to break through the limited, actually untrusted, privileges inside SBIE4), which would actually protect the real system from getting infected/compromised.
     