Internet Access Control in Sandboxes and Malware

Discussion in 'sandboxing & virtualization' started by aigle, Jul 17, 2008.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Sandboxes are popular among Wilders members who use them exclusively as a security measure or in different combinations with other antimalware software.

    An important aspect of these Sandboxes is that none of them limits the internet access of sandboxed applications by default. The obvious reason is that the Sandboxes are used to protect internet-facing applications, and the addition of Internet Access Control might add complexity for a normal sandbox user.

    However, in my opinion Internet Access Control is very important in a sandbox, and the complexity of this feature can be overcome by adding a default DENY rule for all applications while specifying exemptions for common applications like Browsers, Mail Clients and Messengers etc.

    I did a very small experiment with two internet worms:

    1- NetSky worm
    2- Warezo worm

    Both of these are mass-mailing worms with their own SMTP engines. I used them in GesWall and SafeSpace with default rules. Both were able to execute within the sandbox, and they were able to send malicious mails while running in the Sandbox. A reboot of the PC / termination of all sandboxed applications / cleaning of the Sandbox contents would have stopped this behaviour, but at least the two worms were able to send malicious mail during the session until I killed them or rebooted my PC.

    Here are some screenshots to explain, first for Netsky worm.
     

    Attached Files:

  2. aigle
    Here are the same screenshots for the Warezo worm.

    07-17_0040.jpg
    07-17_0042.jpg
    tpup GW mailinmjg.jpg
    tpup cfp 2.jpg
     
    Last edited: Jul 17, 2008
  3. aigle
    Now I made a rule in GW to DENY internet access for any application running in GW, while allowing internet access for my browsers etc.
    See my post here for details.

    https://www.wilderssecurity.com/showpost.php?p=1279672&postcount=42

    Below are the screenshots showing that Network Access is denied for both worms. Obviously, no e-mails were sent by either worm. GW logs are attached as well.
     

    Attached Files:

    Last edited: Jul 17, 2008
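    The policy applied in the post above is a default-deny outbound rule with an allow-list of exempt programs. The following is an added example, not code from this thread or from GeSWall, Sandboxie or SafeSpace: it evaluates that policy over a constructed sandbox connection log and also flags the mass-mailer pattern the worms showed (one process opening SMTP connections to many distinct hosts). The log format, process paths and addresses are assumptions made up for illustration. Note that the allow-list is keyed by full image path rather than bare file name, so a dropper that calls itself firefox.exe in a temp directory does not inherit the browser's exemption.

```python
"""Default-deny outbound policy for sandboxed processes, plus a simple
mass-mailer heuristic, run over constructed log lines.

Added example: not code from the forum thread or from any sandbox product.
The log format, image paths and IP addresses are invented for illustration.
"""
import re
from collections import defaultdict

# Exemptions keyed by full lower-case image path (assumed paths).  Everything
# else running inside the sandbox is denied outbound access by default.
ALLOWED_IMAGES = {
    r"c:\program files\mozilla firefox\firefox.exe",
    r"c:\program files\internet explorer\iexplore.exe",
    r"c:\program files\outlook express\msimn.exe",
}

SMTP_PORT = 25

# Assumed log line shape: "<time> pid=<n> image="<path>" connect <ip>:<port>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) pid=(?P<pid>\d+) image="(?P<image>[^"]+)" '
    r'connect (?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$'
)

# Constructed sample log: a browser, a mass-mailing worm with its own SMTP
# engine, and a dropper masquerading as firefox.exe in a temp directory.
SAMPLE_LOG = """\
20:40:01 pid=1204 image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" connect 192.0.2.10:443
20:40:03 pid=2288 image="C:\\Documents and Settings\\user\\Desktop\\netsky.exe" connect 198.51.100.5:25
20:40:03 pid=2288 image="C:\\Documents and Settings\\user\\Desktop\\netsky.exe" connect 198.51.100.6:25
20:40:04 pid=2288 image="C:\\Documents and Settings\\user\\Desktop\\netsky.exe" connect 198.51.100.7:25
20:40:05 pid=2316 image="C:\\WINDOWS\\Temp\\firefox.exe" connect 203.0.113.9:80
20:40:06 pid=1204 image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" connect 192.0.2.11:80
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    ev["port"] = int(ev["port"])
    ev["image"] = ev["image"].lower()  # Windows paths are case-insensitive
    return ev


def decide(event):
    """Default deny: only full image paths on the allow-list may connect out."""
    return "ALLOW" if event["image"] in ALLOWED_IMAGES else "DENY"


def evaluate(log_text):
    """Return a list of (event, verdict) pairs for every parseable line."""
    results = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            results.append((ev, decide(ev)))
    return results


def smtp_fanout(log_text, min_hosts=3):
    """Images that tried SMTP (port 25) to at least min_hosts distinct hosts.

    This is the mass-mailer signature seen in the thread: a process with its
    own SMTP engine talking to many mail servers directly.  It is computed
    independently of the allow/deny verdict so it still fires on a log from
    a sandbox whose default rules allowed the traffic.
    """
    hosts = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None and ev["port"] == SMTP_PORT:
            hosts[ev["image"]].add(ev["dst"])
    return {image for image, dsts in hosts.items() if len(dsts) >= min_hosts}


if __name__ == "__main__":
    for ev, verdict in evaluate(SAMPLE_LOG):
        print(f"{verdict:5} pid={ev['pid']} {ev['image']} -> {ev['dst']}:{ev['port']}")
    print("mass-mailer candidates:", smtp_fanout(SAMPLE_LOG))
```

    Run as-is and the worm's three SMTP connections and the temp-directory firefox.exe are denied while the real browser is allowed; `smtp_fanout` names the worm even though a default-rules sandbox would have let the mail out.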
  4. aigle
    With SafeSpace also, both worms were able to run and send e-mails.

    Unfortunately there seems to be no way to add custom rules in SafeSpace to deny such malicious actions (at least I am not aware of one).
     

    Attached Files:

  5. aigle
    This is just one example. I think that in the same way, malware can leak personal data from a sandbox if Internet Access Control is absent in a Sandbox.
     
  6. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Very interesting, Aigle. If I'm not mistaken, SandboxIE also offers the possibility to limit the number of programs/executables that can run in a sandbox.

    I believe you can configure it so that only your browser is allowed Internet Access (IE/Firefox) etc. and no other applications/executables.
     
  7. aigle
    Yes I think SBIE has two options.

    1- Deny internet access for all sandboxed applications except those specified
    2- Deny execution of all programs in one sandbox except those specified.

    Double protection IMO. :thumb:
     
  8. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Here's a Kraken botnet test I did with Sandboxie set so that only allowed apps can run and connect out.

    First try to unrar the malware: stopped cold.

    Unrarred the malware to the desktop, then tried to run it sandboxed, and it was stopped cold.
    Sandboxie Winrar.JPG
    Kraken.JPG
     
  9. aigle
    Can you test Internet Access also? I mean just allow it to execute but deny it access to the internet.
     
  10. Franklin
    Set up another sandbox with no restrictions.

    On the first install of Kraken there was some inet activity and its process was running in the sandbox. Terminated all processes and deleted the contents, which Sandboxie seemed to have no problems doing.

    On the second install of Kraken I set the sandbox so that only FF could use inet resources; Kraken seemed to install, then couldn't instigate any inet activity and went dormant.
     
  11. aigle
    Thanks Franklin.
     
  12. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    The real danger is something hijacking the browser; luckily we have the "restricted" Wraitdu rules with SBIE, so nothing can escape.
     
  13. Stijnson
    Hi Huupi, can you post or PM me those rules?
     
  14. aigle
    As far as I know, with GW or DW the browser can't be hijacked by an untrusted/isolated malware, even on the default configuration.
     
  15. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Hi aigle.
    Thanks for another interesting test.:thumb: :thumb:
    With Sandboxie, with certain rules, you get a "default deny" internet connection, and just the apps that you configured to do so can reach out.

    And Ilya has said that in a future version, DW will have outbound control for untrusted apps.
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    As always, DW has a built-in and simpler solution for this problem.

    DefenseWall has resource protection, meaning it puts a policy wall between untrusted applications (so by default it is okay). You can even strengthen your defense further by adding your WAB (Windows Address Book) and e-mail directory as additional protected resources of your e-mail application.

    Another advantage of DW is that you do not have to enter rules with difficult questions/syntax; just standard Windows dialogs are used to add these additional resources (via the click-and-browse metaphor).

    Regards Kees
     
  17. Kees1958
    Repeat this test with your e-mail application also sandboxed :D :oops:
     
  18. Franklin
    Kees why don't you run the test with both your e-mail app and Kraken as trusted.:D :'(
     
  19. aigle
    So what is the conclusion? Sorry, as I did not understand what you want to say. Will it stop the mails by these worms or not, using the default configuration?
     
  20. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    Sorry to bump this thread, but I have just paid for the registered version.

    I have found the "Deny internet access for all sandboxed applications except those specified" setting.

    But I can't find the "Deny execution of all programs in one sandbox except those specified" setting. Where is it? o_O
     
  21. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    703
    Hi All

    I was very interested in the commentary in the preceding posts.

    What I would like to know is this:

    1) If you have Sandboxie set up to allow only Firefox to run in it using Process groups <restricted> etc

    2) Then you add DownloadStatusBar to Firefox as an addon.

    In 2) above there is an option to activate your antivirus on download of any program/file. The problem is that if Avast is used, ashquick.exe needs an exception in the process group to allow it to run.

    Like so:
    ProcessGroup=<restricted1>,firefox.exe,Start.exe,SandboxieDcomLaunch.exe,SandboxieRpcSs.exe,ashQuick.exe

    Question

    In allowing this exception for ashquick.exe to run in the sandbox, on the one hand it gives a benefit (scanning a file), but on the other, is there any disadvantage in that Firefox is now not the only exe that can run? Could ashquick.exe be used for malicious purposes?

    Thanks

    Terry
     
  22. Kees1958
    Franklin,

    That is the point: can SBIE isolate sandboxed processes from each other? When your mail application is outside the sandbox and the malware is in, it is easy. It is more difficult when both are in the sandbox.

    So seriously I ask, would you please test again?
     
  23. Kees1958
    As from version 2.45 it will, because Resource Protection draws a policy restriction wall between untrusted processes. Resource Protection has the same options as the GeSWall console, except for the device option. DW does not have the outbound protection option of GeSWall, but leaktests will fail (like with GeSWall). For Power Users DW can be tweaked to the same extent as GW, only Ilya is implementing most of the tweaks suggested by Power Users, SO BELIEVE IT OR NOT, DEFENSE WALL IS THE ONLY SECURITY APPLICATION RUNNING WITH DEFAULT SETTINGS :'( :'( :'(

    NB. I am on the GeSWall image to refresh my rusty knowledge of GeSWall. I hope the GW guys will survive, because GW and DW pick up good ideas from each other.

    Regards Kees
     
    Last edited: Jul 24, 2008