New sandbox/virtulization bypass under ring3

driver = the one who is controlling the controls the pc. Perhaps I should have written "at some point the person operating the pc may decide to say a nastie"
All is well until the user allows the bad thing to escape. I'm not sure that many would want or be able to operate on a machine where nothing could be saved outside of a protected zone.

 

When I used Sandboxie a while back, it did not allow any drivers to install. It could be looked at as either a limitation to testing any software sandboxed, or a safety feature. Is this a newer feature or one of just the paid version? And what is the default setting concerning drivers?

 

OK, the discussion may not be of much value but you can download the file there.

 

woohoo! good ol' reliable geswall (awesome that safespace passed too). oh and peter safespace is like a combination of geswall pro and sandboxie paid for free. but i agree it hurts running it on my laptop (i only have 512 megs of ram there) because it's way more resource intensive than either sandboxie or geswall.

oh and thanks for running the tests

 

Hmm, may I ask which softwares need low-level disk access? On the other hand, users of classical HIPS surely are followers of the default-deny approach, so a request for low-level disk access after execution should be enough to delete the offender.

Different attacks require different defenses ISR softwares working with "virtual" (they're not really virtual) environments are 99.9 % bullet-proof. It's a technological race, if more malware begin to use these techniques, ISR softwares will evolve to stop them. Cat and mouse game

VMware (and VirtualBox, Virtual PC, Parallels) is the only one who offers a "real" virtual environment, emulating a complete PC, completely separated (excepting bugs) from the host. Sandboxie only redirects read/write operations to a container and it bans kernel drivers, access to physical memory and low-level disk access.

Defensewall's failure is probably the result of a bug, not a technical failure.

BTW, how is the detection at Virustotal?

 

Off topic, but along with fd-isr, this has become one of my favorites.

I put SafeSpace on our neighbor's computer with 512 RAM, xp home sp2. Don't remember the processor. She knows absolutely nothing about computers and was constantly getting into trouble. My wife mentioned SafeSpace to her and she agreed to try it, understanding that a system restore would get rid of it if it caused problems.

It runs very light like on her computer (Dell). No apparent slowdown at all. I'm hoping it continues to run light, and that we aren't called over every few days due to some mess she's gotten herself. Standard configuration and she's very happy with it so far.

 

As Billy Joel says, it's a matter of trust. Trusting a random executable downloaded from anywhere vs. trusting an application from a reputable vendor, downloaded from the vendor's site, scanned with AVs and checked digital certificates and/or hashes. Having a VM to check unknown things helps greatly.

 

Does a VM show more stuff than a normal Machine, when you install a software or is it the same ?

 

A VM is like having another PC. To the host, it's only a file. Inside the VM, you can format, make partitions, access the network in different ways, rollback to the original state, etc.

 

It depends on what you are testing. It is a well known fact that there are many unsavory "applications" out there that can detect if they are being used within a VM and will behave accordingly. This means they will not do everything they were made to do as a way to fool researchers.

So in some cases a VM will show less than if something were installed on a real system. You should always test in a VM first for obvious reasons and then test on a dedicated "native" test machine if you suspect that your test has been circumvented this way.

I can't really give you any precise way to say when "X" happens you know your are dealing with one of these types as it will vary. In this case it is experience of the researcher and his/her intuition that will determine whether to move to native testing. One possible indicator is if people are consistently reporting that "Y" happens but you cannot reproduce this behaviour in your VM test sessions...

HTH
Mike

 

Coldmoon,
Thanks, I got the picture.

 

@Coldmood or others
Which version of Returnil are we talking about here? The latest beta in the 2.x line? Or the last final 1.7.x version? Is development in the 1.7.x line done? Or will it be updated so the fully free version of Returnil is safe against these apps?

Will the 2.x line, once it goes final, be free for home use like the 1.5-7.x line was?

 

@ Peter

Thanks a lot for ur testing and time.

I agree here. Same is true of KillDisk type virus attack. NG is interesting in this regard that it has no such alert like direct disk access. It has rather a rule to protect partition table. It,s a pity that it could not be installed on VM. Not sure if this POC has something to do with partition table or not?

 

Yes, you are right. I had the defense against those methods since 2.0 version, but the routines were programed with some errors that caused this failure.

 

I guessed correctly. I knew that DW blocks low-level disk access.

 

Both the free and paid version will have the same protection engine under the hood. The free version won't have new features, but I will have the same protection.
The paid version adds features which make the use of Returnil much more convenient.

 

Yes, we all know how destructive the killdisk virus could be, so I have NG configured to automaticly block "low level disk access". And btw, if SSM passes this test, I´m almost sure that NG does too.

That´s strange, isn´t it? Will they add it?

Can you give some more info, what does this trojan try to do?

 

ShadowDefender protects against this as of 12/25.