Malware that possibly bypassed SBIE?

Discussion in 'other anti-malware software' started by aigle, Jul 8, 2008.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Yes, you are right, as I think the DLL names are randomly selected. I tried it twice now and the DLL in the system32 folder was different each time. Also, in the above snapshots we can see that when the DLL was denied creation in the system32 folder, the malware tried and tried to create the DLL with so many different random names.


    Anyway, I can confirm that on my system too nothing seems to escape SBIE.
    Sorry, guys, for all this thread.
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    You are just emotional about a piece of software. Otherwise I stated everything very clearly. There is a big question mark in the thread title.

    No way am I against SBIE. I do like it.
     
  3. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    I performed a search for: *.dll; created: today; in: \windows\system32

    Search result: 0 files found.
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    It creates a single DLL in the system32 folder actually, but it is contained by SBIE. The name of this DLL is randomly selected.
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    So it might be true that jfiehayd.dll = qoMEuSJY.dll and the volume in bytes might be the same. :)
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Could not check it.
     
  7. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    I can tell how much you like it by the million or so screenshots of Geswall you've posted all over the place. :D
     
  8. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    So, bottom line: both tests (mine and aigle's) show that SBIE successfully contains this threat.

    Are screenshots still needed?
     
  9. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Hi guys, thanks for testing!
    It is a win-win whatever the results are, so thank you for the confirmation!
    As you can watch from the link in aigle's first post,
    or just trust the screenshots, I'm having a leak.
    Another screen showing startup entries and files.
     

    Attached Files:

  10. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    That's weird. Have you asked at SBIE forums?
    What version of SBIE do you have?
     
  11. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Sandboxie 3.26 when I first noticed and yet to update - I emailed tzuk twice with all information and screens.
     
  12. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Maybe then it's possible that the malware actually bypassed SBIE. I tested v3.28
     
  13. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    I don't know, but here it is as malware23.avi, and the rest show.
     
  14. nomarjr3

    nomarjr3 Registered Member

    Joined:
    Jul 31, 2007
    Posts:
    502
    Sandboxie has nothing to do with this malware.
    With all the years of using Sandboxie, never once has an infection 'escaped' from the sandbox.

    This is just another tale of stupidity.:cautious:
     
  15. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    ....lol
     
  16. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Malware can evolve, you know...
    Malware writers get sneakier every day.

    I rely almost only on SBIE, but to think that it will always be invincible... that would be just another tale of stupidity...
     
    Last edited: Jul 9, 2008
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I wouldn't think it would matter inside the sandbox, it's what's outside that matters. I will run some tests myself tomorrow.
     
  18. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    Hi, worried guys, I see no mention of this bypasser on Tsuk's forums recently. How serious and honest are you? Take the guess out and post on his forum.
     
  19. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Are all of you testing with "default" sandbox settings in Sandboxie?

    Also, when installing SBIE, you may need to reboot for the driver to install. It's probably best to reboot anyway. I'm aware the installation tells you this, but it may be the variable in the results.
     
  20. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Thanks for your comment innerpeace, yes I always reboot after an install.
    I think the problem is specific to me somehow.
     

    Attached Files:

    Last edited: Jul 9, 2008
  21. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    No default setting here. Tweaked as much as I could.
    But I don't think it was that.
    \System32\ protection is by default in SBIE.

    I will try again later, with default settings.
     
  22. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    For those who are interested,

    I personally tested this sample against both DefenseWall(DW) and Primary Response SafeConnect(PRSC) "without" the protection of Returnil's "session lock". The former was successfully able to block and contain it while the latter was not. Before "rolling back" the malicious files and registry tracks that were created and marked as "untrusted", I took note and have listed them below.

    C:\Users\Owner\AppData\Local\Temp\IXP000.TMP\
    C:\Users\Owner\AppData\Local\Temp\install14564.exe
    C:\Users\Owner\AppData\Local\Temp\setup.exe
    C:\Users\Owner\AppData\Local\Temp\install17446.exe
    C:\Users\Owner\AppData\Local\Temp\install6857.exe
    C:\Users\Owner\AppData\Local\Temp\install48586.exe
    C:\Users\Owner\AppData\Local\Temp\install2503.exe
    C:\Users\Owner\AppData\Local\Temp\install19995.exe
    C:\Windows\system32\vtUILFyy.dll
    C:\wupdate.exe

    Lastly, after performing the "rollback" which was accomplished within DW, I was able to confirm that my system was clean with the use of CureIt!, MBAM, Prevx CSI+ and SAS.


    Peace & Gratitude,

    CogitoErgoSum
     
    Last edited: Jul 9, 2008
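The check HURST describes in post #3 (search \windows\system32 for DLLs created today) and the artifact list CogitoErgoSum gives in post #22 (a dropper that writes an eight-letter random DLL such as vtUILFyy.dll into system32) can be turned into a repeatable before/after snapshot of the real directory and of the sandbox's copy of it. The script below is an added example; it is not code from this thread, from Sandboxie, or from any of the posters. It assumes nothing about where Sandboxie keeps its container (pass that path yourself), the directory names and the dropped file in the demo are constructed, and the "eight letters plus .dll" pattern is taken from the three names quoted in the thread (jfiehayd.dll, qoMEuSJY.dll, vtUILFyy.dll), so it is a heuristic for this family, not a general rule.

```python
"""Before/after snapshot check for files dropped outside a sandbox.

Added example, not code from the thread or from Sandboxie. Paths, the
dropped file name and its contents in run_scenario() are constructed for
the demo; on a real box you would snapshot the real system32 and the
sandbox container's copy of it around the execution of the sample.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Shape of the names quoted in the thread (jfiehayd.dll, qoMEuSJY.dll,
# vtUILFyy.dll): exactly eight letters plus .dll. Heuristic only.
RANDOM_DLL_RE = re.compile(r"^[A-Za-z]{8}\.dll$")


def snapshot(directory):
    """Map each regular file under `directory` (relative POSIX path) to its SHA-256."""
    directory = Path(directory)
    result = {}
    for path in directory.rglob("*"):
        if not path.is_file():
            continue
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        result[path.relative_to(directory).as_posix()] = digest.hexdigest()
    return result


def diff_snapshots(before, after):
    """Return (added, modified, removed) relative paths between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return added, modified, removed


def looks_random_dll(name):
    """True if the basename matches the eight-letter random DLL pattern."""
    return bool(RANDOM_DLL_RE.match(os.path.basename(name)))


def containment_report(real_before, real_after, box_before, box_after):
    """Compare snapshots of the real directory and of the sandbox's copy.

    Anything new or changed in the real directory is an escape; anything new
    or changed only in the box copy is contained. A sandboxed process sees
    the merged view, so the real-directory snapshots must be taken from an
    unsandboxed process (what Peter2150 calls 'what's outside that matters').
    """
    real_added, real_modified, _ = diff_snapshots(real_before, real_after)
    box_added, box_modified, _ = diff_snapshots(box_before, box_after)
    return {
        "contained": sorted(set(box_added + box_modified)),
        "escaped": sorted(set(real_added + real_modified)),
        "suspicious_names": sorted(p for p in real_added + box_added if looks_random_dll(p)),
        "verdict": "ESCAPED" if (real_added or real_modified) else "contained",
    }


def run_scenario(drop_outside_sandbox):
    """Demo on throwaway directories standing in for the real system32 and
    the sandbox container's copy of it (both constructed). If
    drop_outside_sandbox is True the 'sample' writes its DLL to the real
    directory, otherwise only to the box copy."""
    with tempfile.TemporaryDirectory() as tmp:
        real = Path(tmp) / "real_system32"
        box = Path(tmp) / "sandbox_system32"
        for d in (real, box):
            d.mkdir()
            (d / "kernel32.dll").write_bytes(b"pre-existing file (constructed)")
        real_before, box_before = snapshot(real), snapshot(box)
        # "Run the sample": one randomly named DLL appears, as in the thread.
        target = real if drop_outside_sandbox else box
        (target / "vtUILFyy.dll").write_bytes(b"dropper payload (constructed)")
        return containment_report(real_before, snapshot(real), box_before, snapshot(box))


if __name__ == "__main__":
    for escape in (False, True):
        print("drop outside sandbox =", escape, "->", run_scenario(escape))
```

Run the two snapshot() calls on the real system32 from a process that is not itself sandboxed; from inside the box the directory listing is virtualised and the contained DLL shows up as if it were real, which is exactly the confusion aigle's screenshots produced. A zero-files-found search like HURST's and an empty "escaped" list here are the same test; the snapshot version also catches modified files, which a "created today" search misses.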
  23. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Nice testing, folks. :thumb: Now how about some classic HIPS tested, or Comodo D+ and Spyware Terminator HIPS? :D
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I gave it a play and I'd say it was well contained.

    First I tried it in my browser and Outlook sandboxes, and it never got off the ground as those sandboxes are restricted.

    Then I tried it in my default box, I use for testing "none of the above". Anything can run in it, but no network access. It threw up a lot of errors trying to run there.

    I feel pretty confident SBIE is doing its job.
     
  25. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I do not doubt Sandboxie at all. Off topic, but I really love Sandboxie, but it kills my browser speeds on Vista with IE7 badly. Never had that with XP. :'( :oops:
     