How can malware break out of a sandbox?

Discussion in 'sandboxing & virtualization' started by IBadget, May 4, 2009.

Thread Status:
Not open for further replies.
  1. IBadget

    IBadget Registered Member

    Joined:
    Jan 14, 2009
    Posts:
    59
    Location:
    Waipahu, HI
    I have been thinking of ways that malware can break out of a sandbox. One way I have thought of is a buffer overflow. Malware could use a buffer overflow to inject shellcode into the sandboxing program, thereby causing the sandboxing program to make permanent changes to the real system. Malware could also use a buffer overflow to inject shellcode into the kernel, thereby giving it higher privileges.

    Can anyone else think of other ways malware can break out of a sandbox? Thanks in advance for helping me and others understand how malware can break out of a sandbox.
     
  2. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    I know one way malware can cause permanent damage with Sandboxie, as I posted in another thread about zabypass.exe.

    As discussed in the other thread, Sandboxie isn't designed to prevent programs running inside the sandbox from interacting and communicating with programs outside of the sandbox. As a result, all the malware needs to do is give instructions to a program outside of the sandbox, like a web browser, and tell it to connect to a hacker's server; then more malware would get downloaded to the user's computer "OUTSIDE" of the sandbox.
     
  3. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    SteveTX says he has created malware that can break out of a sandbox using ActiveX. Unfortunately he is not willing to share it publicly.

    It is an exciting time for malware, not an exciting time for anti-malware.
     
  4. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Just how is this malware getting into the sandbox to begin with? Who or what is executing it? If it can't run, it can't do damage so other security software is recommended. I personally like having an AV and HIPS around in case I screw up.

    As far as buffer overflows go, wouldn't DEP protect against this?

    I'm not sure why you're worrying so much about this. Keep your programs updated, configure Sandboxie properly, add another security program you like, and relax. If you want another layer, enable the protection of a light virtualization app like Returnil. If you get bit, big deal. Just restore an image of your system and data. All this can be adjusted to meet your personal habits and your level of comfort for that "warm and fuzzy feeling".
     
  5. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    I think a lot of people, especially on these forums, would have ActiveX disabled in their browsers. I know I do.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
    Sorry IBadget, but this is no different than the other thread you started. We aren't going down this road again.

    Thread Closed.
     