New sandbox/virtulization bypass under ring3

Discussion in 'sandboxing & virtualization' started by R8y, Dec 22, 2007.

Thread Status:
Not open for further replies.
  1. R8y

    R8y Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    33
    Location:
    South Africa
    Bypass such protection without using any drivers. Works in Ring3 and will destroy the first 4kb data on HD. Don't want to test it on my PC, still need it for Christmas :eek:
     
  2. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    I've been trying to search for this sample for the past 3 hours... without success. If you have it, send it to me via PM, and I'll be more than happy to test it out.
     
  3. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    I've just found a copy of this.

    ThreatFire has zero capability to protect against low-level write access, and fails, as expected.

    Returnil 1.7.0.7502 is immune to this attack.
     

    Attached Files:

  4. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Solcroft,
    Can you test it against Sandboxie and GeSWall?
    What's the difference between this and KillDisk?
    Thanks :)
     
  5. R8y

    R8y Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    33
    Location:
    South Africa
    Solcroft only has Threatfire and Returnil. But I know Sandboxie passed this test.
    This is just a friendly POC, I have noticed that there's a better version which will bypass all HIPS and Virtulization software/hardware currently available. And yes, I don't have a copy of this one because it costs USD 50,000 :oops:
     
    Last edited: Dec 22, 2007
  6. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    The difference between this one and KillDisk is that this one claims to bypass ISR software, right from ring3 without having to load any drivers, etc.

    Although after abit of further analysis on this program, I'm beginning to wonder how far this claim is true.
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Well even if it is true it wouldn't be the first time something like this POC is been compiled to work from userland, and in this case carry out maximum disruption from higher level.
     
  8. herbalist

    herbalist Guest

    Could someone send me a copy of this? I'd like to test SSM with it.
    Rick
     
  9. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    I would also like a copy of this as I would like to test it against latest version of Returnil 2.0.0.2621 which protects against low level sector fills. PM me please thanks. :D
     
  10. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Wow, that sounds really bad. And USD 50,000? Who are the buyers of this thing? :eek: :ninja: :ouch:
    This is why I asked. Judging by R8y's description, it doesn't seem more advanced than KillDisk to me :doubt:
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    If it can be fixed with a simple restore of an image, it's not a disaster, just like Killdisk. If it is an executable, it won't have a chance either with AE on board.
     
  12. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    I wonder if SafeSpace stops this thing.

    As far as the other one, that costs $50,000, who but Governments would want something like that, and what earthly reason would they have for wanting it? Kind of a rhetorical question, considering governments and the oxygen thieves we put in office.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,049
    You've forgotten, that Killdisk was not just a simple restore of an image. You needed some kind of tool, to delete the corrupted partition first.
     
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I didn't forget, that's why I have my zero tool. I've mentioned this more than once at Wilders and I have a partition software, just in case.
     
  15. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    As a malware-writer, I would never write a destructive malware, that is stupid.
    You don't kill the goose with the golden eggs, you steal from it.
     
  16. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    KillDisk is destructive malware, this is stealth malware.
     
  17. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    If it isn't destructive, my boot-to-restore will fix it.
     
  18. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I'm not sure of that.
     
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    PM this malware to me and I test it myself, then we are sure.
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    I really enjoy these type topics. :D

    Members scrutinize every single point and leave not a single stone unturned or some potential malware end result imagined. And it puts our defenses to the ultimate tests, and from the looks of things we all enjoy a better measure of success against intrusions even destructive one's due in large part to these comparisons and discussions. Keep it up, these make this forum a PROVING GROUND of sorts for both us and vendor's claims. LoL

    PM me the sample too if you wish, now that you have attracted quite a flurry over this.
     
  21. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I don't have a copy of it. PM R8y or solcroft.
    Also, if it overwrites the first 4 KB of data, it will kick FD-ISR out of the PBR.
     
  22. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That's good, than I can see it the rest works.
     
  23. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    167
    I'm still on powershadow 2.6 , I wonder how it would fare
    (no, I don't have a test machine to try it)?

    soccerfan
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Hello soccerfan

    Power Shadow loyal here too, and the same version i might add. I also team up SandboxIE & EQSecure 3.41 (HIPS) along with Snoopfree for good measure.

    Am anxiously curious to find that out myself. I'm relatively confident Returnil's latest version will stop it in it's tracks but someone needs to sample this piece of code against them first.
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,049
    Post with potential malware link removed. Please don't post with links of malware.

    Pete
     
Loading...
Thread Status:
Not open for further replies.