Studying Malware in a Virtual Machine - Dangers, Precautions

Wow! it seems no one is good for Steve anymore. Running your mouth against developers then the moderators who have every right to question the validity of your words will earn you bans, not credibility.

What most honest respectable coders did when finding POCs is notify the developers of the concerning POC on their respective forums and refer to the code uploaded to a filehosting site in a protected rar archive. The post includes a description disclaimer for potential testers who will then check it.

This is the standard protocol that was untertaken immediately by respected programmers like Buster, who disclosed and notified Tzuk of the code he found.

By posting such an obviously loaded request on this specific forum, you are delibrately looking for ways to avoid any meaningful mechanisms of disclosure. So when the mods tell you that you can't post it here, you point and say: "see, they said I can't post it here. I wanted to, but I am not allowed."

What a pathetic attempt to ease out of direct confrontation. I also don't get why you would ask for "terms" just to see a POC. Judging by that, you will never release it to the public, and or you are trying to make it difficult as possible to aqcuire a non existent POC just to save face and backout.

So what's it gonna be Steve? The moment of truth has come, and culminates in the following direct request:

You either post the material publicly on Sandboxie's forum by the end of today, where almost everyone here knows where to get it, or forever face the reputation of being a liar who foments strife. The choice is yours.

 

Serapis,

We already did responsible disclosure to the vendor 2 years ago. And the main terms of the review were that everyone got to see the results at the same time without any moderation or delay, and that the code would have to be destroyed when the test was done because it was caustic. Peter rejected the terms because he said he wanted to be able to give another heads up to Sandboxie if they were true.

LWM,

The link was intended for you, Admin. BSA's quote being presented by a mod is exactly an ultimatum and equivocates more than just "put up or shut up" because there is a threat at the end of it that only can be carried out by a mod. Otherwise he could have just requested it without reference, or could have for that matter referenced anyone else. However, he decided to specifically reference BSA, twice, to reference the ultimatum and threat it contained. It is entirely up to you to decide how you deal with your delegated authorities making veiled extortion threats on your own forum, as they speak for and reflect upon you. I leave the matter in your hands.

As for the PoCs and payload, I'll be happy to post and host them myself on XeroBank forum by the time I originally stated or sooner. I would also like to post followup notifications here when each are released, as it looks like we may have some available sooner than expected.

 

Thats a straight out lie. Tzuk never got anything from you concerning your claims. The thread from two years ago and the developer himself confirm that.

My request in the post above still stands.

 

Does that still work if you set a ClosedFilePath against the folder containing the passwords/docs/photos and the folder containing the sandbox files (C:\Sandbox)?

 

The responsible disclosure is the actual vulnerability, not the specific exploit, which changes with the weather.

The vulnerability is that Sandboxie encourages unsafe user behaviors, such as downloading malware and visiting untrustworthy sites, apparently without notifying the user to the limitations of those claims. These are written on the Sandboxie homepage itself.

sbseven,

I don't know how closedfilepath would react to explicit denies without directly testing it. However we were able to bypass sandboxie defaults and read from removable disks (usb/floppy), cdrom devices, and hard drives. It may also be possible to read from network drives.

 

Please test, as it looks like you aren't using Sandboxie at its full potential.

 

Neither of these are things Sandboxie is supposed to prevent (by default)... Unless you are talking about a bypass of Closedfilepath, Sandboxie does not prevent read access. Also, as far as deleting objects INSIDE the Sandbox... that is not a bypass. You are still INSIDE the sandbox. A breakout would be defined as performing file operations OUTSIDE the sandbox.

No actual work is needed to perform either of these operations in Sandboxie... It is in fact, the default behavior when malicious code is released inside the sandbox. It can write, delete in the sandbox and read anything the user has read access to (possibly more if the malicious code uses other exploits that allow for more privilieged access). Unless you are talking about some non-default configuration, these would not be bypasses, but instead a misunderstanding of how the product actually works.

IMO, this is a very strange statement to make after declaring you have a bypass with such far reaching implications.

 

sbseven,

Default-level security settings are usually the standard I test a specific software with, because that is what most users end up using.

hpmnick,

I didn't say the two we found this morning were breakouts. I said they were a Remote File Disclosure, and a Remote File Deletion. The Sandboxie breakout in 2009 was from an ActiveX add-on, if I remember correctly.

 

This is disingenuous though. This doesn't constitute "finding" anything.

Sandboxie does not prevent this behavior by default, and that is public knowledge.

As far as any deletions, only files you have in the Sandbox are vulnerable... which is not only not a vulnerability of any kind, but rather the feature that protects you. Sandboxed files are "untrusted" and any application run in the Sandbox (an untrusted zone) has delete/write access here INSTEAD OF your regular file system. This is a good thing.

You are acting like these are exploits that you discovered today. You can find these things by reading the manual. I fail to understand what you were trying to say.

I'm trying to be fair to you, so I will give you a chance to explain what type of statement you are trying to make here. You probably should recant your original statement to reflect the fact that you did not "discover" the above mentioned "vulnerabilities" and that it falls within the normal operating conditions of the program.

 

With your ever changing story/accusation, and weightless claims akin to methane released in a crowded elevator, one wonders if they should bother dignifying them with a response. But since many members seem to be through their third bucket of popcorn I will go ahead and post one more time.

One doesn't need to go far to dissect these false allegations and expose the malignant intentions of their author.

No where on Sandboxie's site does it tell people to engage in risky behavior or visit harmful sites. It is a delusion created by Steve in his pathetic attempt to sling muck at a reputable vendor.

No where on Sandboxie's site does it claim to be invincible like most other security software does. Never have I seen an official statement from Tzuk claiming that his software is infallible and absolutely 100%. In fact quite the opposite: http://www.sandboxie.com/index.php?FrequentlyAskedQuestions#HowSafe

Sandboxie has nonetheless PROVEN to be pretty darn rocksolid against hundreds of thousands of malware samples. But, I guess we should sweep that aside cuz Steve says so.

Just in case you didn't know, a breakout constitutes, permanent modfications of the OS resulting from something run INSIDE the sandbox.

All talk and no code makes Steve's words look like a load ... (well you guys know the rest )

 

hpmnick,

Should a website be able to destroy everything inside your sandbox?
I'm not sure what what you find disingenuous about it, I didn't think that was supposed to be an allowed behavior, is it?

serapis,

You're making ad hominem attacks again. Attack the speech, not the speaker, otherwise you're conflating the issue. Here is the misleading quotation:

The fact that people here, especially Sandboxie users, were entirely ignorant of sandbox breakout attacks and vm-aware malware until yesterday confirms the vulnerability, rather than other way around.

I've told you the underlying vulnerability, the exploits, the payload, when it occurred, and when I'll release the PoC. My story doesn't change, and the release date isn't affected by your demands. You should wait until after the time I said I would deliver before making such claims.

 

Let's Feed the Troll FEED HIM!

Inside the sandbox = nothing really done to your system. Its apparent that you knew that, but you are playing innocent now cuz you got nothin.
You specifically said a POC running inside sandboxie could destroy the system and render it unbootable.

 

For a person that's supposed to be a so called expert on Sandboxing and Visualization, you seem to lack the understanding of what Sandboxie is supposed to do.

The contents of a Sandbox are supposed to be discard able. It's job is to keep the host system clean from any and all Malware.

Ken:

 

Serapis, please refrain from commenting before reading the thread. I said those were two new exploits discovered just this morning.

 

Speech on its own is not harmful, but the way a person misleadingly manipulates it makes him held accountable.

 

Not trying to be offensive here Steve, but have you used Sandboxie at all? I'm guessing you may not have really sat down and used it.

There are a lot of ways you can use Sandboxie, it is pretty flexible, but I think you will find a lot of people in this forum use it to seal internet facing and/or vulnerable applications from potential attack vectors. I'll run adobe reader, chrome, outlook, etc. as a Sandboxed application.

When I close these applications, the Sandbox is automatically deleted. Files I actually want are recovered outside of the Sandbox.

Should an application be able to delete files in the Sandbox? With the normal use case in mind, I don't see why I would care one way or another. Its all going to be deleted anyway when I close the program. If a malicious piece of code is executed, it can write or delete any of the files in the sandbox.. It can't touch my real system though.

Do me a favor and go to Sandboxie.com really quick. See that animated GIF on the main page. Watch it for 30 seconds. See what happens at the end of the clip? The red squares in the little box are erased. That is the concept of Sandboxie. Write to a sealed off area, then just discard these changes when you are done...

If you think about it, the term "sand box" sort of gives you a picture of an actual box filled with sand. Sure, you can draw little pictures in the sand.. Make a little sand castle.. whatever you want... but everything you do can just be wiped over with one stroke of the hand. The idea isn't to protect your sand castle... Its to make sure your sand castle is easily destroyed.

Based on your confusion here, I'm going to have to assume that you don't quite understand what Sandboxie is supposed to do. This doesn't really help your case.

Of course, none of this actually matters if you can actually provide a working PoC. Considering the developer claims you haven't submitted anything, I think now would be the time to put something out there. Otherwise, at this rate, you are going to end up completely blackballed here.

 

Mr. 4 posts, I'm not an expert on sandboxing and virtualization, but i am an infosec expert and privacy expert. From what I can tell, Sandboxie is supposed to be a neutral sandbox environment, meaning
1) what is inside can't get out
2) external attackers shouldn't be able to put things in, take things out, or delete files, terminate the sandbox applications, or destroy the sandbox.

I realize that sandboxes are meant to be destroyed. But they are supposed to be destroyed by the user, not a remote website. That is why it is a bug. Can you not conceive of having sensitive data in your sandbox you didn't want destroyed without your express permission?

 

And... it continues.....

http://orangeline.colorado.edu/blog/wp-content/uploads/facepalm2.jpg

 

Re: Will I be allowed to prove it?

Go to Sandboxie´s forum and post there. You can post whatever you want.

 

Well said Buster.

Ken:

 

While that might be the point of *some* Sandboxing software, no that is not the case here. By design, software is given free reign in the Sandbox, but ONLY the Sandbox and READ access everywhere. I won't go into detail here as to why this is, but suffice to say that this satisfies the most use cases for the software. If you want to change this behavior, there are plenty options that allow you to do so.

Again, I'm trying not to be rude here, but what you are doing is pretty ballsy and IMO in bad taste. If you spent just a little bit of time reading the material on Sandboxie, you would know all of this.

Likewise, it make you look a little silly. Most of us in here know Sandboxie in and out... and you come in saying "this morning I discovered how a vulnerability where I could read files and write to the sandbox." You might as well declare that the sky is blue, and the Soviet Union no longer exists.

 

Personally I don´t care about the findings you did this morning. For me they are a product of your lack of knowledge about Sandboxie. What I want to see proved is this:

"Proof of concept code followed, and about 2 hours later, we tried it out. It worked. Not only did it work, it was devastating. After breaking out of Sandboxie, it ripped through all the antivirus and security software, and then the entire OS itself resulting in an unrecoverable system destruction in about 2 minutes."

https://www.wilderssecurity.com/showpost.php?p=1848430&postcount=33

Breaking out = write to real system

ripped the entire OS = the machine will not boot

That´s what you must prove and nothing else.

 

Re: Will I be allowed to prove it?

I appreciate the suggestion, but I doubt it will be a more fertile ground for intellectual or security discussion on the matter, especially considering your initial reaction. I think the proof is in the code, and the video will speak for itself, if you can be patient.

 

Re: Will I be allowed to prove it?

In the past I have done a fake video showing how Sandboxie was bypassed.

I´m sorry but a video will not be proof of anything.

Edit:

http://sandboxie.com/phpbb/viewtopic.php?p=56003#56003

The video is not available anymore but you can confirm what I said.

I tell the same I told to the other guy: the only trustable method to prove the bypass is sharing publicly the executable or sending it privately to tzuk.

 

btw... For 2 times I proved Sandboxie was vulnerable. tzuk admitted the holes and fixed them.

Why don´t you want to do the same?

"Come into my parlor, said the spider to the fly."

Nobody is going to eat you there.