Discussion in 'sandboxing & virtualization' started by tlu, Mar 11, 2014.
Hmmmm, just a cursory read makes it sound like malware authors target Sandboxie. I was under the assumption that Sandboxie is essentially impenetrable, but is it
Someone posted the PDF at the SBIE forum a few days ago.
1. No security solution is 100% impenetrable.
2. The study talks about detecting the VM/sandbox presence, not about attacking one. This is important for malware in order to avoid analysis, but it is not related to VM/sandbox software being vulnerable.
From 2008 paper "Towards an Understanding of Anti-virtualization and Anti-debugging Behavior in Modern Malware":
Malware usually can detect when it's running in a sandbox, this is why when I read someone saying that the only time that they use Sandboxie is to run "suspicious files" (something that happens too often).....I shake my head left to right and go, "Oh man".
AFAIK there are only a few malware which are smart enough to know if they are running in a virtualized environment. But I understand your point. Everything is suspicious. Heck, even Windows itself can be suspicious if it constantly uses 70% CPU usage for no apparent reason.
Sandboxie's motto is "Trust no program". To me, that's like a law but my point really is that it can not be assumed that a program or file is clean and can be trusted just because it doesn't do anything when running under SBIE. I think people who use Sandboxie to determine if a program or file that they consider suspicious can be trusted and can be run or installed out of the sandbox are gonna be burnt one day.
From Symantec whitepaper "Threats to Virtual Environments" (2014):
Paper download: hxxp://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/threats_to_virtual_environments.pdf .
Tzuk addressed this way back and basically said it was difficult to mask operation in Sandboxie. The same thing applies to VMs.
And I quite agree that it's not sensible to test malware in Sandboxie.
If anything, it's a mark of popularity that malware is now testing for Sandboxie as well as VMs. But my understanding was that this was detection, and used so that the malware would NOT attempt to do what it normally did.
What the paper is very weak on is any credible information on what would be big news, an actual attack on Sandboxie itself, or even worse, attacks on VMs (which, after all, run the majority of web services in data centers). Unless that can be demonstrated, this is not news.