Studying Malware in a Virtual Machine - Dangers, Precautions

Discussion in 'sandboxing & virtualization' started by sbwhiteman, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    I don't think we'll have any problem demonstrating that we did exactly that in April 09. That sounds delightful, and I look forward to it, Buster BSA.
     
  2. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    A video without code is meaningless. At this juncture, I think everyone here has some trust issues. Considering the direction this thread has gone, I think you should allow nothing less than independent verification.

    Buster would make a great independent tester considering his history. Please send him the PoC and then be done with this. Otherwise I motion for a permanent ban (due to either ethical violations or misrepresentation and false claims).
     
  3. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Re: Will I be allowed to prove it?

    And that's fine considering the accusations you made.

    If I were a mod here I would ask you to prove your claims or take you out.

    I think that's fair enough.
     
  4. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Re: Will I be allowed to prove it?

    What is the point of making a fake video? Don't worry, I'll show you what we did and how; we could probably even do it live with a VNC broadcast as well. I would really like to give you the whole VM test environment so you can see it for yourself, but Microsoft doesn't allow it :/
     
  5. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    Re: Will I be allowed to prove it?

    I think the point is that your reputation is pretty much on the line here. A bad reputation is pretty bad for business.

    There is no reason to be protective of the code. I'm pretty sure Tzuk will give his blessing. Why not just reveal the PoC to someone like Buster? Go post it on the sandboxie forum.

    There is no reason not to go ahead with this... unless you are lying to everyone. I would like nothing more than to be proven wrong. Make the world safer and show the flaws. It is unethical not to...
     
  6. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Re: Will I be allowed to prove it?

    To prove that a video doesn't prove anything.

    I don't need the test environment. Send me the executable and I will test it on a real machine. Or maybe the PoC only works under your specific VM test environment?
     
  7. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    I'll agree to this. However, I think the stakes should be a little more equal. I'm fine with a permaban if I don't deliver, but what do I get that is equally beneficial for going through such trouble and accepting so much risk?
     
  8. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Re: Will I be allowed to prove it?

    Considering the exploit is from 2009, you'll need the 2009 environment we did it in too. Unless you're looking for a new breakout and exploit, which can be done but would probably cost more time and a bit of money.
     
  9. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    A solid reputation, something you don't have right now.
     
  10. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Re: Will I be allowed to prove it?

    Are you saying that your exploit/PoC/call it X doesn't work on a real machine running the latest version of Sandboxie (3.54)?
     
  11. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    Praise and apologies?

    I'm not sure what else there really is to give... They can ban me if you want..
     
  12. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    Re: Will I be allowed to prove it?

    I'm pretty sure he stated there was an exploit right now. I don't remember reading anything about 2009 until the more recent posts.

    EDIT: Well, he was talking in the past tense, but he also said it can't be fixed. June 2010 is the reference here.

     
  13. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Re: Will I be allowed to prove it?

    Well, I understood that I could only reproduce the PoC in a very specific VM test environment from 2009 and not on a real system using the latest version of Sandboxie.

    Let's wait for his reply to find out about that.
     
  14. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Had it before I walked into this thread. I don't really see that as something to gain. You or Sandboxie should have something to lose, make it fair BSA.

    You're disputing that we did this. You want a video and code and sworn testimony from witnesses. OK. However, a virus from 2 years ago doesn't continue to evade antivirus software today. I wouldn't expect the exact same exploit to continue to work across the same target software, the same infection method to work across major browser updates, and the same payload to have the same result. A lot has happened in two years, and PoCs are fragile code designed not to be robust, but to prove a point.
     
  15. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    I'm trying to understand if you claim you have a PoC that works now or you only had it 2 years ago. As I said, in the past I have myself found 2 holes in Sandboxie, so nobody pretends that Sandboxie never had a hole.

    The real question is if it has one right now and if someone can prove it exists.

    I feel like most people that have read this thread think you have something that works now, but I think you don't. And that's something that should be cleared up.
     
  16. markedmanner

    markedmanner Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    134
    Sure did.. I found this thread: https://www.wilderssecurity.com/showthread.php?t=292397&highlight=Sandboxie+bypass

    Seems to be a lot of speculation and no PoC (a lot like this thread), and it is also mentioned that if you have Drop My Rights enabled in Sandboxie it cannot bypass it.... Are you aware of any PoC code? I am not and I am actively searching... If there is I would love to see it. Personally I could see Sandboxie bypassed before I would a VM.
     
  17. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    So will a generic XP SP3 image from Jan 2010 suit you? I have a development VM that is patched up until then. I could RDP it out to buster if you like..
     
  18. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,770
    Location:
    New Mexico, USA
    This is what puzzles me, Steve. If you've found a weakness, why are you reticent to reveal it immediately? Why are you filling a thread with the assertion, but only announcing a date next month when all will be revealed? If it dates from 2009, and you truly advised tzuk, knowing how quickly he patches his program, I'm sure he would have shown an interest.

    IF you've found something, you're doing a great disservice to everyone by keeping it all secret for reasons at which I won't speculate.
     
  19. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    You should clarify that; you're saying the words "actually" and "real" when I think you mean "current" and "most recent". I didn't claim we did this last week, I said we did it two years ago (which would have been Sandboxie 3.34). That is why I know doing malware testing in normal sandboxes and VMs isn't a great idea: not only does software evolve, so does malware.

    The persistent threat in question is the payload, which I think worked on all prior versions of windows, at least before XP SP3/Windows 7, (which was released October 09) WITHOUT a kernel driver, and I think it works in Windows 7 with the common kernel driver.

    Regarding the present, today I said we found a remote file disclosure and remote read access that work on the latest versions of Sandboxie. If Sandboxie wants to buy bugfinding services, I'm sure we can find a working breakout attack.

    hpmnick,

    Go with XP SP2, I know the payload worked on that without even needing the kernel drivers.
     
  20. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    XP SP3 was released in Q1-Q2 2008... How would that apply to late 2009?

    I can go as far back on SP3 as you want, by uninstalling updates by date.. but SP2 is too far back, and it shouldn't apply in this case either..
     
  21. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Do you currently have a PoC that bypasses Sandboxie 3.54?

    Answer with a "yes" or "no", please.

    Sandboxie, by default, is designed to prevent writes to the real system, not to prevent sandboxed applications from reading information from disks.

    So I ask again:

    Do you currently have a PoC that writes to the real disk and does it under Sandboxie 3.54?

    Again I expect a "yes" or "no" answer.
     
  22. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    You are still claiming this? Why? o_O

    To do so even after you have been corrected is a direct insult to the people in this thread. We are not stupid. We are capable of following a discussion. You claiming to have discovered "vulnerabilities" does not make it true. These are not things you discovered, they are the general operating parameters of the friggin' program.

    Read the FAQ
    http://www.sandboxie.com/index.php?FrequentlyAskedQuestions

    It's all declared in there. What you "found this morning" was something you should have known if you had bothered to understand the program in the first place.

    The fact that we can all sit here and explain this to you, and to have you re-claim the same BS ten minutes later is very very insulting.

    On top of that, we've gone from a multi-OS exploit that "can't be fixed" (your words not mine), to something that requires XP SP2 ... which was very outdated even when you supposedly performed the exploit!

    I'm beginning to think that you are only here to insult our intelligence.
     
  23. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    The only way Sandboxie can fail is if a sandboxed application is able to write to the real system.

    Do you have malware that makes Sandboxie fail, or are you a troll that has something personal against that product?
     
  24. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Moderators: This thread should be closed because I consider it an attempt by SteveTX to trash-talk Sandboxie without any proof.

    It has been accepted that Sandboxie was vulnerable in the past, but in the last 2 years nobody has been able to bypass it, and by bypass I mean that a sandboxed application was able to write to the real disk.

    I don't consider it fair to use a 2-year-old PoC to trash-talk a product.

    "sandboxie is moderately strong, but if it comes up against smarter or stronger malware, it severely fails."

    For that comment alone SteveTX should be banned for some time, at least if he's unable to prove such a comment true.

    My 2 cents.
     
    Last edited: Mar 28, 2011
  25. markedmanner

    markedmanner Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    134
    I'm not sure what any of your links prove or how they are relevant to this discussion. Link 0 is a paper on VM-aware malware, which is malware that detects it's in a VM and does not run properly, forcing someone to run it on the real system. This is not a bypass. Link 1 shows a video demonstrating a weakness in the IE8 sandbox. This is not Sandboxie or a VM. Link 2 is a paper about the POSSIBILITY of malware bypassing a VM. No PoC. Link 3: well, this link is dead for me.

    I'm not here to say I think Sandboxie is invincible, because I know it's not. But if Sandboxie is properly configured with Drop My Rights enabled etc., I am unaware of any exploit published anywhere by anyone or any security expert that shows that Sandboxie can be bypassed. All I see after searching for hours online on security forums, hacking boards, security vendors etc. is accusations like this with nothing to back them up. The same goes for VM bypasses. I have yet to see a clear bypass of a properly configured Sandboxie or VM. I would be very interested in seeing a piece of malware that does this. Is it possible? Possibly. I have yet to see it though.
     