Malware that possible ?bypassed SBIE

Discussion in 'other anti-malware software' started by aigle, Jul 8, 2008.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
It's discussed partly here.

    https://www.wilderssecurity.com/showpost.php?p=1260340&postcount=29
    https://www.wilderssecurity.com/showthread.php?t=212092&page=5

For obvious reasons I am making a new thread. Here are the snapshots provided by Meriadoc. Thanks for his kindness, permission and the sample etc. :)

Please note that it's still not 100% confirmed that the malware has really bypassed SBIE or whether it was an isolated phenomenon. So don't criticize if later proven otherwise... SBIE lovers especially. :D

    255MB video file download: http://rapidshare.de/files/39916359/malware23.avi.html
     

    Last edited by a moderator: Jul 8, 2008
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
I tested CFP Defence Plus and GesWall against it. I mainly tested GW and allowed all popups by CFP, a lot of popups really.

GW denied any dll/file creation in the System32 folder. All other files were isolated and tagged untrusted by GW. I deleted these files via GW's isolated files explorer and ran a full scan of the C drive with MBAM. No infected file was detected.

    Snapshots are self explanatory I think.

Sample was run sandboxed but it was able to create a dll, jfiehayd.dll, in the system32 folder, out of the sandbox. Some reg entries escaped the sandbox too and the desktop was changed, but as I said clearly, findings are not confirmed by another person, though the same findings were obtained twice by the same person.

    2.jpg
    3.jpg
    4.jpg
    5.jpg
    1.jpg
     
    Last edited: Jul 8, 2008
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Still more!
     

    Attached Files: 6.jpg
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    GesWall, log is here.
     

  5. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
Not 100% sure but it was OK to use "bypassed SBIE" in the thread title, eh?:thumbd:

    And then you go on about every other app except Sandboxie.

    Not nice aigle!:mad:
     
  6. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    Doesn't the thread title say: Malware that possible ?bypassed SBIE. That seems alright to me.

    And anyway, you can just read the thread and Aigle clearly says that it is not certain.
     
  7. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    I'm still shirty about it so gimme a sample of this malware.:mad: (please)
    install3051.exe
     
  8. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Undoubtedly a reminder needs to be given periodically for even long time members that Wilders does not allow the trading of malware or the posting of malware links. Discussion is cool folks but let's do keep it within our Terms of Service o_O :cautious:
     
  9. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    The topic of this thread does not seem to fit the content of this thread. (If it doesn't fit, you must acquit.)

    Maybe I am dense, but I could NOT find the SBIE connection. All I found was tests of various security apps.

    Although I appreciate aigle doing these tests, I feel that the topic of this thread SEEMS inapplicable and unnecessarily negative. It is dangerously close to a false alarm (a la chicken little).
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
Agree with Franklin & Bellgamin that the title is arbitrary, interesting read though.
     
  11. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
The thing is that it wasn't clear enough, but you know, something that makes me wake up and smell the coffee and think that nothing is perfect ;) So what I mean is, bypassed or not, we need a second layer at least. Why I say this is because I heard people at the Sandboxie forum say that Sandboxie is all they need or run. :D
     
  12. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    @Bellgamin and Kees

    The connection with SBIE is that apparently this malware was able to escape sandboxie. But it hasn't been tested again.
    Other security software results are shown.
    ~removed off topic comment....Bubba~ , hopefully I'll be able to test it tonight.
     
    Last edited by a moderator: Jul 8, 2008
  13. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
Not only are comments concerning malware trading via PM off topic to any discussion here at Wilders, the actual act of malware trading or the posting of malware links is against our policy. Let's take the malware trading comments and the actual act to another site, please.
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    @bellgamin
    @Kees

The title of the thread is OK. You need to look at the screenshots carefully in my first post. I did not make this thread for a stunt. I only had no time to write a detailed description. I will try to write it in the first post. Or maybe somebody will post his findings.

    BTW Hurst got this point.
     
    Last edited: Jul 8, 2008
  15. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    I believe you aigle BUT...

I looked again at the screenshots in post #1 but saw no connection to SBIE. Saw no evidence that malware evaded SBIE. What am I looking for? What am I missing?
     
  16. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
Yeah, the title may be a tad bit confusing, but the facts about GesWall are right on. Sorry folks, but this is one software that won't die away. It can do it all and continues to prove it time and time again. I can use whatever I want, I have bought quite a few, but the bottom line is, the lack of intrusion on my daily web habits along with its great ability to nab malware make it number 1 in my book. And the paid version is worth every penny, and in the future there,,,,,,,,,ooops, can't go there.;)
     
  17. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    OK
    test is done!
    I'm glad to say that SBIE has contained it.

    LOTS of processes launched inside the sandbox, and lots of activity.
    Some error popups (not from sandboxie).

    Deleted sandbox, and MBAM scan came out clean.

    I will post the screenshots later tonight.
     
    Last edited: Jul 8, 2008
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
Strangely I am not able to edit my post no. 1.

    Sample was run sandboxed but it was able to create a dll, jfiehayd.dll, in the system32 folder, out of the sandbox. See the first screenshot. Some reg entries escaped the sandbox too and the desktop was changed, but as I said clearly, findings are not confirmed by another person, though the same findings were obtained twice by the same person.
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
Thanks for testing. That's good news. So there is something weird on the first test system, as it was tested twice with the same results.

    OK, I will test it also myself later. BTW malware does not seem to have any special ability to bypass a sandbox.
     
  20. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    No sign of jfiehayd.dll on system32.
    Desktop hasn't changed.
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
Did you check for jfiehayd.dll inside the sandbox before emptying it?
     
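A check of the kind aigle is asking for, as an added example that is not part of the thread: snapshot the real System32 and the sandbox's redirected copy of it before the sample runs and again before the sandbox is emptied, then report which new files stayed inside the container and which appeared outside it. The Sandboxie container path with its user/box names is an assumption, and the directories and DLL names used in demo() are constructed.

```python
"""Added example (not from the thread): tell whether files written while a
sample ran under Sandboxie stayed in the sandbox container or reached the
real System32, by diffing before/after snapshots of both directories."""
import tempfile
from pathlib import Path

# Assumed locations. Sandboxie redirects writes into a per-box container;
# the user and box names here are placeholders for a real machine.
REAL_SYSTEM32 = Path(r"C:\Windows\System32")
SANDBOXED_SYSTEM32 = Path(r"C:\Sandbox\<user>\DefaultBox\drive\C\Windows\System32")


def snapshot(directory) -> set:
    """Names of the files directly inside `directory` (empty set if absent)."""
    directory = Path(directory)
    if not directory.is_dir():
        return set()
    return {p.name for p in directory.iterdir() if p.is_file()}


def classify_new_files(real_before, real_after, box_before, box_after):
    """Files that appeared during the run: inside the box vs outside it.
    Anything under 'escaped' is the finding that needs a second confirmation."""
    return {
        "contained": sorted(box_after - box_before),
        "escaped": sorted(real_after - real_before),
    }


def demo():
    """Constructed scenario in a temp dir that mirrors the thread's two reports:
    one DLL redirected into the box, one landing in the real System32."""
    with tempfile.TemporaryDirectory() as tmp:
        real = Path(tmp) / "real_system32"
        box = Path(tmp) / "sandbox_system32"
        real.mkdir()
        box.mkdir()
        (real / "kernel32.dll").write_bytes(b"")  # pre-existing file, must not be flagged
        real_before, box_before = snapshot(real), snapshot(box)
        # Simulated sample activity (constructed, not the real sample's behaviour)
        (box / "qoMEuSJY.dll").write_bytes(b"MZ")   # stayed inside the sandbox
        (real / "jfiehayd.dll").write_bytes(b"MZ")  # appeared outside the sandbox
        return classify_new_files(real_before, snapshot(real), box_before, snapshot(box))


if __name__ == "__main__":
    # On a real host: call snapshot(REAL_SYSTEM32) and snapshot(SANDBOXED_SYSTEM32)
    # before running the sample and again before emptying the sandbox.
    print(demo())
```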
  22. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    No.
    But I'll retest to provide screenshots and will check for that file then.
     
  23. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    The only dll inside system32 in the sandbox is qoMEuSJY.dll
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
Surprisingly I also don't find any jfiehayd.dll. I will try to run it out of the sandbox and see what happens.
     
  25. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Maybe the malware renames its components automatically.
     