AntiSandboxie/VM/KS etc Malware

Interesting bit of kit going around that, amongst other things, can supposedly bypass Sandboxie, VirtualPC and Keyscrambler ! I wonder how many people might get blasted with this ? Anyway, it pays to be alert.

Quote -

The features seem to work as described, for example the malware is undetectable by the Anubis sandbox system:

http://techblog.avira.com/en/

-

The above link does NOT get you the toolkit, it ONLY describes it !

 

So what about HIPS? Can it get past that?

 

Hi StevieO,

From the article:

Besides getting infected from downloading pirated software and keygens, are there any other exploits in the wild carrying this "kit?"

thanks,

-rich

 

cheater87

I don't know for sure, but probably not, as i guess you should be alerted to various things that would start happening.

Rmus

Hi,

I wasn't actually thinking of stupid people downloding cracks etc, but rather the people who use the Toolkit to TRY and implant the code to TRY and disable the listed software on others PC's.

Sure it's probably going to mean someone clicking on something, and/or having Scripting/ActiveX etc enabled, i realise that. I just thought that some folks might be interested to know that such a Toolkit exists, and that Sandboxie etc COULD be disabled.

Probably won't happen to people on here, but as over 3/4 Million people have Keyscrambler installed, who won't all visit places like this, there's a chance it COULD happen to them.

Of course all the usual precautions you often speak about, would need to be bypassed, but unfortunately that's what happens multiple times every day to thousands of people out there in www.land.

 

This one is actually a fairly boring malware, as usual.

http://techblog.avira.com/2009/09/22/worm-instead-of-avira-keygen/en/

As for bypassing Sandboxie or VirtualPC, I'm afraid it doesn't. All it does is include the usual anti-virtualization routine: this means the malware tries to detect when it's being executed in a virtual machine or a sandbox, and if it detects it is running in such a virtual environment, it does not do anything malicious, which then makes it seem more legit. Then, when the user takes it out of the sandbox and executes it on the real system with admin rights, now it obviously starts doing all kinds o' evil since it no longer has to pretend to be nice. Actually, the blog article has a nice screenshot of what the malware does in a sandbox: it gives an error and dies. Which, by the way, should be an instant giveaway that this is quite likely malware, just in case it wasn't a big enough giveaway that it was claiming to be a keygen...

There are loads of security measures that would stop this. Firstly, of course, common sense: don't run keygens or any other software from untrusted sources. Beyond common sense, limited user accounts with SRP would stop it, any HIPS product that monitors execution of files would notice and warn about the additional malware executables the supposed keygen drops and executes, and so on and so on. Same old, same old. This is basically a social engineering attack: the malware pretends to be something people want (a keygen) and tries to look innocent (by not doing anything evil in a Sandboxie sandbox or Virtual PC virtual machine) so that people would give it admin privileges.

Don't fall for this stuff. This is primitive. But, it's one of the many signs that people shouldn't trust sandboxes and virtual machines to tell whether a file is bad. Sometimes that works. Sometimes that doesn't work, and the result can be nasty.

 

Where does it say it can "supposedly bypass Sandboxie, VirtualPC"? and what does "anti" these things do? Does it bypass it or does it simply break when it detects these programs - like it does in the example with Anubus?


Edit.... yeh Windchild, thought it was like that.

 

Windchild

Quite right Sir, it is virtual etc detect after all my appologies. I looked at the screenie and saw the anti sandbox etc list and made the wrong assumption after seeing these also listed which it says it can do.

Vista UAC Bypass
- Run-as-admin Bypass

dawgg

We now know due to the above, Thanx

 

There are a lot of tools, crypters and toolkits such as this one if you know where to go that advertise FUD (fully undetected,) anti (x) capability, file binding, cloning...

 

no of course not. default deny all other executables from running.

Really the only safe way to obtain keys and cracks for payed software etc.
is if you found a serial number provided on a notepad file where all you need to do is copy and paste the serial number, no risk of infection. 99 percent of ken gen and patches software which you need to run and install contain malware.

 

More : Popular Malware Kits and Tools

 

In Sandboxie you can not allow anything but the browser to run or what ever things you have in the white list. I'm sure that can help against this malware.