New sandbox/virtualization bypass under ring3

Discussion in 'sandboxing & virtualization' started by R8y, Dec 22, 2007.

Thread Status:
Not open for further replies.
  1. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    LOL @ RoboDog, the dog of RoboForm to make it look more trusty. :)
     
  2. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    I was too chicken to try it out for myself when I got hold of the file. But I post over on the Comodo forums and it seems one of their members there had the file already and tested it out. Comodo passed.
     
    Last edited: Dec 29, 2007
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,740
    Location:
    The Netherlands
    Well, I got a sample <snipped>, but I'm not sure what to think of it. What is it supposed to do? When I let it do all its stuff, I can still reboot my machine; wasn't it supposed to make it unbootable?

    Btw, NG didn't give me a single alert, but this may be because it malfunctions at the moment in my VM, not sure. SSM gave me alerts about PassDiskProtect_C.exe wanting to modify/take control of the second/duplicate process. You don't see this normally, so it's already a clue that it's probably malicious. Of course I also got to see the alert about "low level disk access". The problem is that it doesn't make any difference if I allow or block all of this, so again, what is it supposed to do?
     
    Last edited by a moderator: Jan 5, 2008
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    See PM
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Wonder what the PM is. If it's something about his question, why not here, so all of us will know?
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Aigle, nothing really about the subject. I just PM'd something I didn't want him to miss. Sorry if it caused any confusion.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,740
    Location:
    The Netherlands
    Huh? That's not completely true Peter2150, after all, you did give me instructions on how to use the test. And sorry about my little mistake, I didn't know that. But anyway, I followed your instructions (I clicked "enter" 3 times) but still no luck, I can still reboot my machine. Does it do anything else? Am I infected after executing this tool? I really don't know why this tool refuses to wreck up my OS.
     
  9. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Generally, we consider this a good thing.

    As for the state of your machine after the use of any "tool", you really need to appreciate that this is probably a path you shouldn't be walking down if you can't independently perform a detailed systems recheck and validation.

    Blue
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,740
    Location:
    The Netherlands
    Yes of course, but for testing purposes I need to see what this tool is capable of, otherwise I can't test if my HIPS can in fact stop it or not. And all testing is done inside a VM. ;)

    I'm not sure what you mean, but isn't this a matter of knowing which tools to use to spot infections? Or do you mean that I'd better make sure that I can restore the machine to a certain point? This can be easily done inside a VM.
     
  11. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Make no assumptions and always consider the outcome of a worst case scenario - which, with this type of situation, could be your machine is rendered nonfunctional outside of the VM (How? nothing fancy - typically user error). Can you fix that situation on your own if it happened right now? Yes, I mean this minute - complete recovery of the machine. If so, you're fine. If not, perhaps some additional planning is in order.

    Blue
     