AntiSandboxie/VM/KS etc Malware

Discussion in 'malware problems & news' started by StevieO, Sep 25, 2009.

Thread Status:
Not open for further replies.
  1. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Interesting bit of kit going around that, amongst other things, can supposedly bypass Sandboxie, VirtualPC and Keyscrambler ! I wonder how many people might get blasted with this ? Anyway, it pays to be alert.

    Quote -
    The features seem to work as described, for example the malware is undetectable by the Anubis sandbox system:

    http://techblog.avira.com/en/

    -

    The above link does NOT get you the toolkit, it ONLY describes it !
     

    Last edited by a moderator: Sep 25, 2009
  2. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    So what about HIPS? Can it get past that?
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi StevieO,

    From the article:

    Besides getting infected from downloading pirated software and keygens, are there any other exploits in the wild carrying this "kit?"

    thanks,

    -rich
     
  4. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    cheater87

    I don't know for sure, but probably not, as I guess you should be alerted to various things that would start happening.

    Rmus


    Hi,

    I wasn't actually thinking of stupid people downloading cracks etc., but rather the people who use the Toolkit to TRY and implant the code to TRY and disable the listed software on others' PCs.

    Sure, it's probably going to mean someone clicking on something, and/or having Scripting/ActiveX etc. enabled, I realise that. I just thought that some folks might be interested to know that such a Toolkit exists, and that Sandboxie etc. COULD be disabled.

    Probably won't happen to people on here, but as over 3/4 million people have Keyscrambler installed, who won't all visit places like this, there's a chance it COULD happen to them.

    Of course all the usual precautions you often speak about, would need to be bypassed, but unfortunately that's what happens multiple times every day to thousands of people out there in www.land.
     
  5. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    This one is actually a fairly boring malware, as usual. :)

    http://techblog.avira.com/2009/09/22/worm-instead-of-avira-keygen/en/

    As for bypassing Sandboxie or VirtualPC, I'm afraid it doesn't. All it does is include the usual anti-virtualization routine: this means the malware tries to detect when it's being executed in a virtual machine or a sandbox, and if it detects it is running in such a virtual environment, it does not do anything malicious, which then makes it seem more legit. Then, when the user takes it out of the sandbox and executes it on the real system with admin rights, now it obviously starts doing all kinds o' evil since it no longer has to pretend to be nice. Actually, the blog article has a nice screenshot of what the malware does in a sandbox: it gives an error and dies. Which, by the way, should be an instant giveaway that this is quite likely malware, just in case it wasn't a big enough giveaway that it was claiming to be a keygen...

    There are loads of security measures that would stop this. Firstly, of course, common sense: don't run keygens or any other software from untrusted sources. Beyond common sense, limited user accounts with SRP would stop it, any HIPS product that monitors execution of files would notice and warn about the additional malware executables the supposed keygen drops and executes, and so on and so on. Same old, same old. This is basically a social engineering attack: the malware pretends to be something people want (a keygen) and tries to look innocent (by not doing anything evil in a Sandboxie sandbox or Virtual PC virtual machine) so that people would give it admin privileges.

    Don't fall for this stuff. This is primitive. But, it's one of the many signs that people shouldn't trust sandboxes and virtual machines to tell whether a file is bad. Sometimes that works. Sometimes that doesn't work, and the result can be nasty.
     
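The "anti-virtualization routine" Windchild describes above, as an added illustration (this is not the kit's own code, nor anything from the Avira write-up): the sample probes its environment and, if it finds an analysis indicator, bails out with a fake error instead of dropping its payload. The indicator lists (Sandboxie's injected `SbieDll.dll`, the Virtual PC / VMware / VirtualBox guest-tools process names, the CPUID hypervisor vendor strings) are assumptions drawn from commonly documented artifacts; the real kit's list is not on the page. The `EnvSnapshot`, `analysis_indicators`, `decide` and `live_snapshot` names are mine.

```python
# Added illustration of an anti-sandbox / anti-VM check of the kind discussed
# in this thread.  Not the kit's code; indicator lists are assumptions based on
# well-known artifacts.  Runs offline with constructed snapshots; on Windows it
# also collects a real (partial) snapshot of the current host.
import sys
import subprocess
from dataclasses import dataclass, field
from typing import List

# Sandboxie injects this DLL into every process it confines.
SANDBOXIE_DLL = "sbiedll.dll"

# Guest-addition / tools processes that only exist inside a VM (assumed list).
VM_PROCESSES = {
    "vmsrvc.exe", "vmusrvc.exe",          # Microsoft Virtual PC additions
    "vmtoolsd.exe", "vmwaretray.exe",     # VMware Tools
    "vboxservice.exe", "vboxtray.exe",    # VirtualBox guest additions
}

# CPUID leaf 0x40000000 vendor strings returned by common hypervisors.
HYPERVISOR_VENDORS = {
    "VMwareVMware": "VMware",
    "VBoxVBoxVBox": "VirtualBox",
    "Microsoft Hv": "Hyper-V",
    "KVMKVMKVM": "KVM",
    "XenVMMXenVMM": "Xen",
}


@dataclass
class EnvSnapshot:
    """What the probe sees: loaded modules, process names, CPUID vendor string."""
    loaded_modules: List[str] = field(default_factory=list)
    running_processes: List[str] = field(default_factory=list)
    hypervisor_vendor: str = ""


def analysis_indicators(snap: EnvSnapshot) -> List[str]:
    """Return the reasons the sample would refuse to run (empty list = 'clean')."""
    hits = []
    modules = {m.lower() for m in snap.loaded_modules}
    if SANDBOXIE_DLL in modules:
        hits.append("Sandboxie: SbieDll.dll loaded in this process")
    procs = {p.lower() for p in snap.running_processes}
    for name in sorted(procs & VM_PROCESSES):
        hits.append(f"VM guest tools process running: {name}")
    vendor = snap.hypervisor_vendor.rstrip("\0")   # KVM pads its string with NULs
    if vendor in HYPERVISOR_VENDORS:
        hits.append(f"CPUID hypervisor vendor: {HYPERVISOR_VENDORS[vendor]}")
    return hits


def decide(snap: EnvSnapshot) -> str:
    """The kit's decision: 'bail' (fake error and exit) or 'payload' (run for real)."""
    return "bail" if analysis_indicators(snap) else "payload"


def live_snapshot() -> EnvSnapshot:
    """Collect a real snapshot on Windows.  The CPUID field is left empty because
    reading it needs native code; the module and process checks are enough to
    show the Sandboxie / Virtual PC cases this thread is about."""
    snap = EnvSnapshot()
    if sys.platform != "win32":
        return snap
    import ctypes
    k32 = ctypes.windll.kernel32
    if k32.GetModuleHandleW("SbieDll.dll"):       # non-NULL only under Sandboxie
        snap.loaded_modules.append("SbieDll.dll")
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True).stdout
    snap.running_processes = [line.split('","')[0].strip('"')
                              for line in out.splitlines() if line.startswith('"')]
    return snap


if __name__ == "__main__":
    # Constructed snapshots so the script shows every outcome offline.
    cases = {
        "inside Sandboxie": EnvSnapshot(loaded_modules=["ntdll.dll", "kernel32.dll", "SbieDll.dll"]),
        "inside Virtual PC": EnvSnapshot(running_processes=["explorer.exe", "vmsrvc.exe", "vmusrvc.exe"]),
        "VMware guest": EnvSnapshot(hypervisor_vendor="VMwareVMware"),
        "bare metal": EnvSnapshot(loaded_modules=["ntdll.dll"], running_processes=["explorer.exe"]),
    }
    for label, snap in cases.items():
        print(f"{label}: {decide(snap)} {analysis_indicators(snap)}")
    live = live_snapshot()
    print("this host:", decide(live), analysis_indicators(live))
```

The point for analysts is the last case: on a clean host every check comes back empty and the sample goes straight to its payload, which is exactly why "it did nothing in the sandbox" proves nothing. Run it inside a Sandboxie box on Windows and the first line of the host report flips to "bail", which is the behaviour the Avira screenshot shows.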
  6. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    817
    Where does it say it can "supposedly bypass Sandboxie, VirtualPC"? And what does "anti" these things do? Does it bypass them, or does it simply break when it detects these programs, like it does in the example with Anubis?


    Edit.... yeh Windchild, thought it was like that.
     
  7. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Windchild

    Quite right, Sir, it is virtual etc. detection after all, my apologies. I looked at the screenie and saw the anti-sandbox etc. list and made the wrong assumption after seeing these also listed, which it says it can do.

    Vista UAC Bypass
    - Run-as-admin Bypass

    dawgg

    We now know due to the above, Thanx
     
  8. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    There are a lot of tools, crypters and toolkits such as this one if you know where to go that advertise FUD (fully undetected,) anti (x) capability, file binding, cloning...
     
  9. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    No, of course not. Default-deny all other executables from running.

    Really the only safe way to obtain keys and cracks for paid software etc.
    is if you found a serial number provided in a notepad file, where all you need to do is copy and paste the serial number, no risk of infection. 99 percent of keygen and patch software which you need to run and install contains malware.
     
    Last edited: Sep 25, 2009
  10. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    More : Popular Malware Kits and Tools

     
  11. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    In Sandboxie you can not allow anything but the browser to run or what ever things you have in the white list. I'm sure that can help against this malware.
     