New sandbox/virtulization bypass under ring3

Discussion in 'sandboxing & virtualization' started by R8y, Dec 22, 2007.

Thread Status:
Not open for further replies.
  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
  2. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    driver = the one who is controlling the controls the pc. Perhaps I should have written "at some point the person operating the pc may decide to say a nastie"
    All is well until the user allows the bad thing to escape. I'm not sure that many would want or be able to operate on a machine where nothing could be saved outside of a protected zone.
     
  3. steve161

    steve161 Registered Member

    Joined:
    Nov 22, 2006
    Posts:
    681
    Location:
    New York
    When I used Sandboxie a while back, it did not allow any drivers to install. It could be looked at as either a limitation to testing any software sandboxed, or a safety feature. Is this a newer feature or one of just the paid version? And what is the default setting concerning drivers?
     
  4. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    976
    OK, the discussion may not be of much value but you can download the file there.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    You can change the settings, but if you allow driver installs, why test in the sandbox in the first place, you have already given it permission to have at your system. Note that Sandboxie really wasn't designed as a testing tool, but a tool to protect you while surfing.

    For testing you really need a Virtual Machine.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Further tests:

    Geswall 2.6 free. Passed. Really didn't test the app beyond that
    SafeSpace Passed. This likes like a prettied up version of Sandboxie. The anology that came to mind was what sandboxie is to XP, Safespace is to Vista. Lot more eye candy at the price of a much bigger app, to do the same task.

    Neoava. never got it to run on my Vm machine.

    Oh. Also tested with Prosecurity V1.3 Same as SSM, and OA. Passed if you answered the questions correctly.

    Some thoughts:

    Classic HIPS type programs will alert you to what the program is doing, but the user has to know how to answer, and that always isn't easy. For some Direct Disk Access might be a clue, but I have enough legit trusted software that does that, that that request alone, doesn't always give me the clue. With the Erik Albert Approach test, it was the fact the malware was disabling registry editing tools, and taskmanager. No legitimite program would be doing that.

    Programs like Sandboxie, Returnil, Geswall, and Defensewall(It failed, but Ilya will fix that) all protected the system, but there is also a problem there.

    For strictly protection purposes, all of them worked. But what about testing a questionable program. Sandboxie,Returnil, and I believe Defensewall, all provide a means of rolling back the system, but taking this POC and assuming it was hidden in some other software, when you tested it with either of the three programs, nothing bad happened. So you really don't know anything, until you do an unprotected install. Then the big oops.

    Only real way to know for sure is do an unprotected install, and to be safe there, almost calls for something like a virtual machine.

    Something else that even more narrows the field, is I know my main sources of vulnerability are rogue websites, and programs I install. But another concern is playing with this stuff in a virtual machine is the remote possiblity of leakage to the host. What would the attack vector be. I don't think Sandboxie would help at all. This is where the Returnil type program comes well to the for front.

    Interesting challenges.

    Pete
     
  7. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    woohoo! good ol' reliable geswall (awesome that safespace passed too). oh and peter safespace is like a combination of geswall pro and sandboxie paid for free. but i agree it hurts running it on my laptop (i only have 512 megs of ram there) because it's way more resource intensive than either sandboxie or geswall.

    oh and thanks for running the tests :)
     
  8. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Hmm, may I ask which softwares need low-level disk access? :doubt: On the other hand, users of classical HIPS surely are followers of the default-deny approach, so a request for low-level disk access after execution should be enough to delete the offender.
    Different attacks require different defenses :) ISR softwares working with "virtual" (they're not really virtual) environments are 99.9 % bullet-proof. It's a technological race, if more malware begin to use these techniques, ISR softwares will evolve to stop them. Cat and mouse game :)
    VMware (and VirtualBox, Virtual PC, Parallels) is the only one who offers a "real" virtual environment, emulating a complete PC, completely separated (excepting bugs) from the host. Sandboxie only redirects read/write operations to a container and it bans kernel drivers, access to physical memory and low-level disk access.
    Defensewall's failure is probably the result of a bug, not a technical failure.

    BTW, how is the detection at Virustotal?
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I knew someone would ask that.:D And I don't remember. One of them may be perfect disk, and another FDISR. Not sure, I just let the stuff I trust do what it wants. Does make it a challenge if you think you trust something, and are wrong. More and more I try stuff in the vm machine first, and watch and see what happens.
     
  10. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,771
    Location:
    New Mexico, USA
    Off topic, but along with fd-isr, this has become one of my favorites.

    I put SafeSpace on our neighbor's computer with 512 RAM, xp home sp2. Don't remember the processor. She knows absolutely nothing about computers and was constantly getting into trouble. My wife mentioned SafeSpace to her and she agreed to try it, understanding that a system restore would get rid of it if it caused problems.

    It runs very light like on her computer (Dell). No apparent slowdown at all. I'm hoping it continues to run light, and that we aren't called over every few days due to some mess she's gotten herself. Standard configuration and she's very happy with it so far.
     
  11. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    As Billy Joel says, it's a matter of trust. Trusting a random executable downloaded from anywhere vs. trusting an application from a reputable vendor, downloaded from the vendor's site, scanned with AVs and checked digital certificates and/or hashes. Having a VM to check unknown things helps greatly.
     
  12. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Does a VM show more stuff than a normal Machine, when you install a software or is it the same ?
     
  13. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    A VM is like having another PC. To the host, it's only a file. Inside the VM, you can format, make partitions, access the network in different ways, rollback to the original state, etc.
     
  14. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    It depends on what you are testing. It is a well known fact that there are many unsavory "applications" out there that can detect if they are being used within a VM and will behave accordingly. This means they will not do everything they were made to do as a way to fool researchers.

    So in some cases a VM will show less than if something were installed on a real system. You should always test in a VM first for obvious reasons and then test on a dedicated "native" test machine if you suspect that your test has been circumvented this way.

    I can't really give you any precise way to say when "X" happens you know your are dealing with one of these types as it will vary. In this case it is experience of the researcher and his/her intuition that will determine whether to move to native testing. One possible indicator is if people are consistently reporting that "Y" happens but you cannot reproduce this behaviour in your VM test sessions...

    HTH
    Mike
     
  15. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Coldmoon,
    Thanks, I got the picture. :cool:
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    As an update, I knew Ilya would fix Defense Wall, but boy that was fast. As of the beta version now in the forum:

    Defense Wall Passes

    Pete
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Always a good reminder Mike. Hopefully, the little we do here, helps you guys strengthen the products we count on. If it accomplishes that it's worth it.

    Also helps with the peace of mind knowing that the apps we use work as we hope.

    Thanks,

    Pete
     
  18. wraithdu

    wraithdu Registered Member

    Joined:
    Jul 22, 2007
    Posts:
    21
    @Coldmood or others
    Which version of Returnil are we talking about here? The latest beta in the 2.x line? Or the last final 1.7.x version? Is development in the 1.7.x line done? Or will it be updated so the fully free version of Returnil is safe against these apps?

    Will the 2.x line, once it goes final, be free for home use like the 1.5-7.x line was?
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    @ Peter

    Thanks a lot for ur testing and time.
    I agree here. Same is true of KillDisk type virus attack. NG is interesting in this regard that it has no such alert like direct disk access. It has rather a rule to protect partition table. It,s a pity that it could not be installed on VM. Not sure if this POC has something to do with partition table or not?
     

    Attached Files:

  20. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Yes, you are right. I had the defense against those methods since 2.0 version, but the routines were programed with some errors that caused this failure. :(
     
  21. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I guessed correctly. I knew that DW blocks low-level disk access.
     
  22. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Both the free and paid version will have the same protection engine under the hood. The free version won't have new features, but I will have the same protection.
    The paid version adds features which make the use of Returnil much more convenient.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,740
    Location:
    The Netherlands
    Yes, we all know how destructive the killdisk virus could be, so I have NG configured to automaticly block "low level disk access". And btw, if SSM passes this test, I´m almost sure that NG does too.

    That´s strange, isn´t it? Will they add it?

    Can you give some more info, what does this trojan try to do?
     
  24. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    ShadowDefender protects against this as of 12/25.
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    That's what I suspected, but when I tested the new version it failed.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.