Studying Malware in a Virtual Machine - Dangers, Precautions

Which executable, the initial sandbox breakout or the payload? Presuming you mean the sandbox, the executable wasn't a direct executable, it was something a little more clever and in keeping with Sandboxie's stated operational use:

Peter, nobody doubts a claim when someone reports that a virus slipped by their antivirus software. This isn't any different, as far as I can tell the difference is nobody seems to have informed anyone here about the existence of sandbox/vm vulnerabilities. In the prior post I detailed the attack type and the resultant payload and gave public examples of everything needed to accomplish it both from a sandbox or a vm, and a small article about the field of vm malware.

Specifics aren't particularly important because the specific exploit used may change, but the attack is the same. Just like what kind of message a scammer sends about the money you inherited/won/held in escrow, the details may change but it is still the same scam. The PoC we used in the 2009 version of Sandboxie may not work in the latest version or the latest windows or otherwise. However, it proves the attack historically, and merely by changing the exploit specifics to something that does work, the attack is resurrected.

This is because the underlying vulnerability never disappeared: encouraging unsafe behaviors in an inadequately secured environment. Testing malware in an inadequately protected sandbox or vm is not a good idea.

 

Steve, part of the problem is that very little is said publicly about attacks on and vulnerabilities in these types of applications. It's still a niche market, and you certainly won't find tests and reviews in the normal places you would other security apps. AV bypasses are so public because it's the most common form of protection, and, people are used to malware authors tweaking their creations to go undetected by such apps. Outside of Wilders and other security forums, you're very likely to have to search a while just to find anyone who even knows Sandboxie exists, let alone what it is and how it works. Therefore, very few know how vulnerable such apps may be.

The attacks will come, and a lot of folks will get knocked off their clouds when they do come.

 

that sounds reassuring.

well, as long as i can boot from a CD/DVD disk and 0 the HD i should be ok.

 

Well, facts have to be faced here. Nothing is created that can't be destroyed, and the harder the war against malware is fought, the harder malware authors will fight back. Nobody is "safe", everything depends on how much of a target you are. If bigger targets use better security, then common sense will tell you that those better security measures will be attacked harder. Malware authors aren't all that concerned over AVs and "Anti-Spyware", they won that war. Virtualization though, they'll want in on that.

 

*Sigh* Good 'ol Wilders.

 

As the original poster I find all this fascinating. Since I happened to have an old machine laying around I went ahead and set it up for exclusive malware testing. Assuming I take other machines off the network at the time I'm using it, I believe I should be fine. (Correct?)

However, the old machine is underpowered, and testing in a virtual machine would be more convenient. Acknowledging that there is the theoretical possibility of malware escaping the VM, are there additional specific steps that you all would recommend to minimize the risk? (Again, thanks to CogitoTesting, Searching, MrBrian, and J_L for their previous suggestions, and SteveTX for his cautions.)

Regards.

 

Sorry if I'm still skeptical, but you aren't even providing any technical details. Through what mechanism does this break out of the sandbox? What do you mean by "the vulnerability exists in the trust model of the OS". How does the same flaw exist across various platforms? There is a distinct lack of detail here.

In all honesty, it looks like you are trying to make trumped up claims in an attempt to draw attention to your own product. If so, this would be a serious offense. Some of us take security rather seriously, and intentionally reporting non-existent vulnerabilities is not taken lightly.

I would encourage you to start being more forthcoming. Now that you've made these claims, to provide anything less than a working PoC might lead to a pretty negative stigma and possibly become a great embarrassment in the future. I'm not much of a business man, but the last thing I would want is the reputation of being a liar...

 

Will I be allowed to prove it?

Peter, I don't bluff, you should have accepted my terms to review the code privately, instead of publicly impugning my integrity. Just remember, you called down the fire, don't back-peddle now.

I request the permission to post on this forum, live malicious code and demonstrations, for all to see for themselves, without moderation or censorship.

 

I've slept a bit and have had more time to ponder this situation. First of all, my "sigh" was simply because Stapps response reminded me of the ever-increasing attitude that some are showing more of around here lately, and not just in this thread. It's completely off-topic so I won't linger anymore on it. Stapp and you do have a point though. While I don't live in DC, I've worked there often enough and with enough sensitive information to agree wholeheartedly with you.

Again, I have to stress that if this POC does exist, and Steve wasn't ready to divulge, he should have kept quiet. While I'm not ready to burn him at the stake like some seem to be, I have my questions, and, actually, as I mentioned in a previous post, I always have. If vendors were notified, and they blew it off..why? Why are the researchers that are involved refusing to be named? Why is there such secrecy behind it, and why has it been shelved for two years?

Does this POC affect software that 3-letter intelligence agencies are using..are these researchers a part of these agencies? If POCs are publicly shown all the time regarding other security measures..why not for a virtualization app? Why is he waiting until after he unveils one of his products to talk more about or show this deadly POC? If this POC exists, and is this dangerous, it won't matter if it no longer works, the concept is there, and waiting until some stupid little privacy browser of his is unveiled to show us said concept is admittedly suspicious and really just wrong.

Will this "Safehouse" be another "no other vendor is safe and/or does it right but us" type of deal that his VPN service seems to be? @Steve: I'm trying to be a bit nicer than the rest about this whole thing, because I've no clue about your particular circumstances. But, my advice, is that if you have this thing, it's time. It won't interrupt your getting Safehouse ready to upload a video here or at least provide a post with some further techie details. The more you drag this out and continue to talk about it, without showing more, the angrier the mob is going to get, and the more your credibility is going to take a beating. It's time.

At the rest, if I end up being wrong about the guy, and he ends up being a marketing guy blowing a lot of hot air, I'll personally put a post in the appropriate place on the forum, dedicated to me admitting I was wrong and got fooled.

 

Re: Will I be allowed to prove it?

I would like to take a look and run this privately myself if you are willing. If you PM me and leave a download link to a neutral site (rapidshare, etc), include any instructions and the expected outcome, and I will gladly test the PoC.

 

Re: Will I be allowed to prove it?

Trying to throw the mod under the bus isn't going to help things now. In reality, you brought the fire by talking about a POC you, if you want to get right down to it, evidently weren't supposed to talk about. If you want this to be out in the public, then what "terms" are you referring to? Posting live, malicious code here? They aren't going to do that, Steve. Some numbnut will decide to play researcher when they've no clue what they are doing, and then they'll blame Wilders, and, well, you surely see how all that will go down.

 

Sorry this has turned into a train wreck, lol. But to answer your questions as best I can. Yes, if you took that system off of your network, it wouldn't hurt your other systems. If you really want to start this testing, then yes, you do need to be aware that there are "sandbox-aware" malware out there that will sit quietly and twiddle its thumbs until it's out of the sandbox. And, yes, sandboxes and virtual environments have been compromised before. The very best thing you can do, if it can be done, is to use that old system for the lab work. Take it off the network, put your virtual environment on along with other security apps like of course AVs, anti-malwares, and, after making a clean image of the system and storing it outside of the test system, go to town on your testing.

It is extremely important that you have a clean image to get back on your feet with, no matter what system you use for the tests. All security measures can fail, so you need to have that image tucked safely away and ready to go.

 

I'm probably not the most appropriate one to step up in this discussion but wouldn't it be best for all, to take a time-out?
Say, 48 hours and then continue with this thread?

To be honest, if I understand correctly, the PoC mentioned by SteveTX was aimed at SBIE specifically.
Not necessarily at all sandboxing/virtualization programs.
I also remember SteveTX mentioning having informed Tzuk about this specific POC.
So, the one vendor involved was actually informed (at least to a certain degree).
Other security software vendors like McAfee and Symantec have also been named by SteveTX as in offering zero protection against this Mother of all Malware/MOAM PoC but afaik only SBie has been mentioned as being actually tested.

I don't feel any need to defend SteveTX and no, I'm not one of the seemingly infatuated Xerobank customers. (I'm not a customer at all to be precise)
The 'announcement' of this PoC hasn't been very 'Par for the course' and surely we all would like to see the evidence asap.
But only in a responsible fashion I'd pressume so perhaps let's not let emotions get the better of ourselves?

 

I believe he said virtual environments, and, he also mentioned VMWare. As for "cooling off", I do believe that boat long has sailed, lol. It'll end one way or another soon enough. Either the proof will be shown and it'll be gone over with the finest-toothed comb you ever saw in your life...or it'll either be shown to not exist or be shown to not be a big deal.

 

dw426,

Mods should stay out of discussions, and definitely shouldn't be making accusations, because they speak with the authority of the forum.

Peter made a bad move, and now needs to accept the consequences and be prepared to eat his words in the same fashion he gave them out.

----

For those of you concerned about live malicious code, I'll provide an explanation of what the PoCs do. Most of them are harmless because there is no payload attached, but they are working exploits against Sandboxie. The main thing I think Peter was balking at was the 2009 PoC payload that could agnostically and undetectably destroy an OS, which I will also release.

The sandboxie breakout is trivial, infact we discovered a sandboxie remote file disclosure and remote file deletion just this morning. Btw, remote file disclosure means a website can read files off your drive remotely, like your passwords/docs/photos. Remote file deletion bug we found destroys the sandbox and all data inside it.

 

Has anyone received the code as of yet? I'm just curious. I'm enjoying the back and forth banter too much.

 

Re: Will I be allowed to prove it?

LowWaterMark, this was my exact comment to Peter. I told him it was too caustic to release publicly. He privately demanded the code and threatened to ban me if I didn't provide it to him. I offered him fair terms under which he could test it so there was no bias and he declined, you can read my private messages with him, it is all there. But he refused and decided to call me a liar, and I'm happy to call his bluff.

Don't let your mods write checks with your forum that you aren't prepared to cash.

 

For the life of me, I can't figure out why this thread hasn't been locked-down yet.

SteveTX is nothing but a Troll who likes to get attention, and with a thread like this, you're giving him exactly what he wants.

You guys seem to like getting your Chain yanked.

Ken:

 

Re: Will I be allowed to prove it?

Request granted. Peter contacted me, said he wanted the code, and specifically referenced BSA_Buster's suggestion, which was having a mod present the ultimatum of providing the code and banning me if I refused.

Having someone contact me to request the code would be one thing. Having someone who actually has banning power contact me and directly reference an ultimatum is different.

I don't mind being called on such a claim. Infact multiple times I said I would be happy to provide video and the actual PoC when I've got time to load it up into a solid test environment.

I'll disagree. I've got a mod publicly calling me a liar and challenging my integrity.

Happy to. Have Matousec contact me.

 

I'm going to be staying out of this now since it's at the point where the Admin is getting involved. But, to reply to you, it's kind of a mods job to be involved, plus, just because they are the "overseers", doesn't mean they should stay in the background, especially if they have some insight into a discussion or experience in a particular topic. As far as Pete, well, the business between him and you is none of mine. But, from reading his post, he's not making any more serious of an accusation or has any more skepticism than others in this thread who haven't already spoken up. In all honesty, you seemed to be the first one to make public mention of a private conversation between you and Pete about the code, and calling him out.

But anyway, I'll be sitting on the sidelines now watching unless I'm directly spoken to.