I Can See Underbelly Of The Net With SANDBOXIE!!

Discussion in 'sandboxing & virtualization' started by cortez, Feb 23, 2008.

Thread Status:
Not open for further replies.
  1. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Neither your AV, HIPS nor FW.
    XSS events without involvement of the local filesystem
     
  2. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Thanks Lucas,

    Well, this is again something that requires a script to be executed within the web browser, it also requires the web browser to have auto password input enabled.

    Using Firefox with NoScript would have blocked the event, as the script would have to be authorized prior to it being able to perform the task. This would have allowed the user to easily identify the spoof. Since this is via a spoof site, there are multiple methods to defend against such...

    This is another reason I recommend on my site that users should use the following:

    1 - Firefox + NoScript (would have blocked the script from executing in the first place)
    2 - Linkscanner Pro (it would have pre-scanned the site for XSS and weird scripts and issued a warning, if not outright blocked it)
    3 - McAfee Site Advisor (would have issued a red flag, as others might have already been hit and may have reported it already - or blocked it as well)
    4 - Run the whole thing inside a sandbox

    As these effectively combat those types of infections, one sort of works as a failsafe for the other. I know it sounds rash, but it is effective nonetheless.

    Sometimes when I visit sites and I'm unsure, I'll even open it in Firebug to read the script first just to be safe... (you can still read blocked scripts).
    For those interested in learning about scripts: http://www.getfirebug.com
     
    Last edited: Mar 9, 2008
  3. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    If Firefox and NoScript do their job properly, and I think they do, then as far as XSS is concerned does Sandboxie add anything?
     
  4. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Well, I think the issue is that your web browser is not the only application you could run inside of a sandbox... I run Winamp and some other tools. It is an awesome system against executables one downloads into the system...

    I think though that the use of a sandbox alone is overrated, given that there are many reasons why users would want to download and try applications on their computers... It's necessary for most to have a good AV besides the tools I stated above as a result, besides the obvious risks associated with web browsers and their latent vulnerabilities... even as they run within a sandbox.
     
  5. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Not really. Crossing the boundaries of domain restrictions means that a site performing XSS can grab info from the cookies (example, the login credentials of forums or something more serious) without any auto-filler involved.
    As you said, NoScript is the best (and only?) protection against these threats. A tight firewall ruleset helps against some types of XSS, and common sense also helps (don't click on random links even if they are from reputable sites).
    In theory no. But you can make a mistake with NoScript and if remote code execution takes place, SBIE (or another sandbox) will contain the dropped files inside the container.
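    The cookie theft lucas1985 describes above works because a script running in the page can read any cookie not marked HttpOnly. As an added example that is not part of the thread, the following Node script audits Set-Cookie headers for the attributes that limit that exposure; the list of cookie-name hints used to decide which cookies count as session cookies, and the two sample headers, are constructed for this example.

    ```javascript
    // Added example (not from the thread): audit Set-Cookie headers for the
    // attributes that limit what an XSS payload can do with a session cookie.
    // A cookie without HttpOnly is readable from document.cookie by any script
    // running in the page, which is the "no local filesystem involved" theft
    // described in the thread. Secure and SameSite narrow the exposure further.

    // Names treated as session/auth cookies: an assumption made for this example.
    const SESSION_NAME_HINTS = ['sess', 'sid', 'auth', 'token', 'login'];

    // Parse one Set-Cookie header value into { name, value, attrs }.
    // Attribute keys are lower-cased; flag attributes (HttpOnly, Secure) become true.
    function parseSetCookie(header) {
      const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
      const [name, ...rest] = parts[0].split('=');
      const attrs = {};
      for (const part of parts.slice(1)) {
        const eq = part.indexOf('=');
        const key = (eq === -1 ? part : part.slice(0, eq)).toLowerCase();
        attrs[key] = eq === -1 ? true : part.slice(eq + 1);
      }
      return { name: name.trim(), value: rest.join('='), attrs };
    }

    // Return the findings for one cookie; an empty array means nothing to flag.
    function auditCookie(header) {
      const cookie = parseSetCookie(header);
      const lower = cookie.name.toLowerCase();
      const isSession = SESSION_NAME_HINTS.some((h) => lower.includes(h));
      const findings = [];
      if (isSession && !cookie.attrs.httponly) {
        findings.push(`${cookie.name}: missing HttpOnly (readable via document.cookie, so XSS can exfiltrate it)`);
      }
      if (!cookie.attrs.secure) {
        findings.push(`${cookie.name}: missing Secure (also sent over plain HTTP)`);
      }
      const sameSite = String(cookie.attrs.samesite || '').toLowerCase();
      if (!sameSite || sameSite === 'none') {
        findings.push(`${cookie.name}: SameSite missing or None (sent on cross-site requests)`);
      }
      return findings;
    }

    // Constructed sample headers: the weak form first, the hardened form second.
    const SAMPLE_HEADERS = [
      'PHPSESSID=abc123; Path=/',
      'PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
    ];

    for (const h of SAMPLE_HEADERS) console.log(h, '->', auditCookie(h));
    ```

    The first header yields three findings and the second none; feeding a real response's Set-Cookie headers through auditCookie gives a quick read on whether a stolen-by-script session is even possible for that site.
    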
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
    Personally I believe somebody can be quite safe even with a single security application. All that matters is how you use your PC. I don't mind if someone feels safe with only a single application.
    As lucas posted, XSS can steal data without executing anything (just by browser JS).

    It's not long ago that a POC was posted by some member on the ZoneAlarm site.
     
  7. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Yes, but a script must be processed by the browser to extract the data and use it... that event must be interpreted by the browser, and as such is easily blocked by NoScript. Given that the user does not authorize the script, he is fine.

    Good advice!
    Actually Linkscanner Pro does offer XSS protections, and it has a blacklist, as does SiteAdvisor; they will protect you, but with a bit of lag.

    Just a passing remark, I had my first SQL Injection attack on my web site 2 days ago... Easily blocked, and now run rabbit run!
    The point is that they are scanning for any vulnerabilities they can exploit...
     
    Last edited: Mar 9, 2008
  8. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Correct. If it doesn't execute (browser scripts, system scripts, macros, binaries/executables) it can't do any harm.
    The database of SiteAdvisor is pretty much obsolete (excepting the obvious crack/warez/porn sites). It's way behind the speed of the movements of the malware crooks.
    I also doubt that Link Scanner will detect a simple redirect script on a trusted site if it doesn't involve remote code execution.
    XSS opens a whole new kind of threat: web-based (and multi-platform) threats which can be made very specific and target small subsets of populations. Most users still think of the threat of remote code execution (i.e. dropping/launching a new, unauthorized executable) when the next generation of threats is already present.
     
  9. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Hope that your hosting provider has a speedy patch policy and a stringent password policy at least.
     
  10. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Executed no... but Interpreted yes.
    See no matter what the script is... It's a text file or a simple block of embedded text, we can refer to it as a script... the browser must interpret that text to understand what it is...

    Each script must identify itself to the browser for the browser to know what engine to feed it to, i.e. Java, VB, Ajax or Flash and so on... This is where NoScript intercepts the scripts, right at its opening statement...

    It's a wonderfully simple way to provide protection... isn't it? Nip it right in the bud... :D
     
  11. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    A run tool that records all the injection attempts, and documents them as well as block them...

    These bozos are gonna be famous! :cool:
     
  12. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    I have been wondering a bit about the lag behind Linkscanner Pro in detection rate... I find it misses roughly 40% of the infected/bad sites I visit.
    Still it catches quite a few considering the nature of what it does...
     
  13. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Yup, Link Scanner is way ahead of the competition (simple databases like SiteAdvisor) but I don't know how many exploit sites it misses. I think that LS is a good tool for those who don't use NoScript or surf the web wildly.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I would totally agree. I run Sandboxie with Online Armor. I also set browsers and Email clients in Online Armor to run with lower rights. As backup I also run either SSM or Prosecurity. I don't run any scanning software.

    Pete
     
  15. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Hello Pete,
    I guess you must be using virustotal.com or Jotti to scan executables you need extracted from the sandbox?
     
  16. Dieselman

    Dieselman Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    795
    So very true. How can you tell if something contains a virus when you recover it from the sandbox? I scan all files before opening or executing.
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
    I am using only CFP n GW.

    I have to stop myself from adding TF to this set up. I am happy to cut it down to two only.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Depends on from where I get it. I just downloaded a new exe from the Prosecurity site. Didn't bother scanning. OTOH, yesterday, I downloaded a new program, that I got from a site I found by google. Scanned it on Kaspersky, Jotti, and then tried it first in my VM machine.
     
  19. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    Downloading WindowBlinds skins and wallpapers and Nvidia drivers at a rate of 5 per day is not "tons of stuff", it's milligrams. And it is not "the underbelly of the web" by any measure. If you want to scan it, then fine. But you are tearing up an entire program based on some perceived problem that has about as much likelihood of happening as hitting the lotto at exactly 2:00PM on Tuesday. I have downloaded many programs from trusted sites and vendors and never once had a problem. Am I saying to discard those things? No, of course not. But around here it is the Holy Grail - "OMG, how would you know?" How would you know even after scanning? Let me know when scanning an executable from a known trusted site or vendor site turns up a virus alert. And I will show you a false positive. Besides all of that, most 'normal' users are up to speed on the programs they enjoy and don't actually install 'tons of stuff' every day.

    It's web browsing and email attachments and zero day exploits where the problems are. And coincidentally are the primary strengths of Sandboxie.
     
  20. Dieselman

    Dieselman Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    795
    Read my other posts. I use web-based email, which is safer than POP3. I also surf everything and download mp3's and torrents. Not one infection. I did download a WindowBlinds skin about 6 years ago or so and it contained a virus. I got it from skinbase.org and not WinCustomize. I emailed skinbase and the next day they were flooded with complaints, so they took the file down. Ever since, I scan everything no matter what it is. I was also using McAfee back then and not NOD32 like I am now.
     
  21. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Not anymore. IE7 is, even out of the box, immune to many arbitrary code execution exploits. Even with a copy of IE6 + OE6 gone unpatched for six years, I have to do real work finding an exploit that works.

    The shift has gone into social engineering, because exploits aren't working with much reliability anymore, even on systems with minimal security patches. Ecards, porn video codecs and rogue antispyware apps are all the rage these days.
     
  22. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    Agreed! I don't get into that as much for fear of the Fx thought police. I, and every company that I deal with, use IE. And every computer person on staff at those companies recommends IE. I actually do not trust Microsoft as far as I could throw them and would probably use Opera, all things being equal. But with the addition of Sandboxie, I see no compelling reason to change.
     
  23. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    The bad guys are releasing poor code, no doubt :D
    It seems that the bad guys put too much work on the payload (surviving, snooping, networking, etc) than on coding good exploits. Then, they rely on exploit toolkits for the distribution of their masterpieces.
    And this is good news for security-savvy people, because avoiding the rogue codecs, the fake ads and the phony links/attachments protects you against a good amount of malware.
     
  24. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    There's always idiots and amateurs in every field. For the really dumb ones, you have to laugh because otherwise you'll cry. For instance, I once saw a Themida-repacked Hupigon variant where the user had apparently used a trial version of the packer, and the Themida splash screen reminding the user to buy the full version was prominently displayed when I tried to execute the trojan.

    There's still good exploit code out there. Some VERY good ones that I have to spend weekends puzzling over how to decrypt. And even then, most of the poorly-obfuscated ones DO work when they're put against a vulnerable system (trust me, anyone with half a brain cell tests their stuff before releasing it), it's just that vulnerable systems are getting more and more rare.
     
  25. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    LOL
    Well, if the default ICF of XP SP2 meant the end of network worms, widespread adoption of automatic updates could spell the end of uber easy and high profit exploits.
     