Sandboxie and keyloggers

Discussion in 'sandboxing & virtualization' started by trjam, Jan 7, 2008.

Thread Status:
Not open for further replies.
  1. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    I saw here once where Sandboxie could be configured to stop keyloggers. How? I use IE7.
     
  2. Drew99GT

    Drew99GT Registered Member

    Joined:
    Jun 27, 2006
    Posts:
    338
    Location:
    Colorado Springs
    Bump. Bump.
     
  3. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    499
    Location:
    Nottingham
  4. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Even if it did intercept keylogers you would be vulnerable during the "infected" session if you did login to secured sites... It would perhaps remove the keylogger from the system after but it would do nothing as such to prevent it...

    I would combine sandboxie with a HIPS or perhaps keyscrambler (I use both + Roboform...)
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,050
    The solution is fairly simple assuming you picked up the keylogger from a source that was sandboxed. Before going to a critical site, log off, and delete the sandbox. Then go do your banking. Keylogger should be gone.
     
  6. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    This while being effective, assumes most users know they have an infection they need to defend against and that they will remember to "Empty" the sandbox before doing their banking... It would be wise to prevent an infection by using an anti key logger together with your sandbox..

    Personally I often login to secured sites during sand boxed sessions.
     
    Last edited: Feb 4, 2008
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,050
    Not really, I've just gotten in the habit of before banking, closing browser, empty sandbox, and the go to bank site. Not a big deal.
     
  8. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    499
    Location:
    Nottingham
    I think its common sense,if you are entering sensitive info,eg banking,to empty your sandbox prior,I have my sandbox set to delete automatically,upon termination of all sandbox activity,with a warning first,if there are recoverable files.So I dont have to remember to empty it.Also I surf sandboxed with DropMyRights,hopefully a keylogger couldn't run, even sandboxed.Although I'm no expert
     
  9. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Again, here comes grandma "fully protected" in her brand new sandbox... logging into everything after browsing the web all day... That's what scares me about it. Many users wouldn't think twice about login in, because of impatience or simply because they got into the habit of browsing the web in a sandbox and forget they are doing it... That is why in my recommendation Secured Web browsing I recommend to have one enabled...
     
  10. Terror_Eyez

    Terror_Eyez Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    23
    Location:
    Your moms bed...
    Hermescomputers, do you actually USE Sandboxie?
    It seems like you just have it there as a backup or something.

    The reason I ask, is because you don't seem to realize how effective Sandboxie could actually be against keyloggers, without any other kind of protection needed.

    I mean for one, you could do the simple method that Peter mentions, which is to just delete the sandbox, and you're done.

    Second, you could just set your browser to access the internet, and nothing else, that way, regardless whether a keylogger is running or not in the sandbox, it wont be able to send any of its captured data out to anyone, so you are perfectly safe. I have personally tried this with many keyloggers, ones I've made, and ones i've downloaded, and every single time, regardless if it caught any information or not, it could never actually send the captured data anywhere. So when you delete the sandbox (whenever that may be) the keylogger and its captured data, will be gone, before the data was even able to be sent out to anyone.

    Or third, in one of your sandboxes, you could just try setting only one file to run (such as your browser) and then any other files in the sandbox (example, keylogger) won't even be able to run in the first place!!

    If any of that is too hard for you to do, then maybe you are the grandma here!;)
     
  11. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Hi Terror_Eyez,

    I was waiting for someone to post about only allowing the browser internet access through Sandboxie. It's good to hear that it thwarts keyloggers too. However, what would happen if the keylogger was named firefox.exe or iexplore.exe?

    innerpeace
     
  12. Empath

    Empath Registered Member

    Joined:
    Nov 13, 2002
    Posts:
    178
    I haven't checked how it appears in the configuration file, but in setting up the single program that can access the internet, you're given the choice of doing it by 'application name' or file name. With the file name you show path. Provided it's entered as a path and app in the configuration file (which I assume, but haven't checked) then you could have all kinds of keyloggers named firefox.exe or iexplore.exe. I wouldn't matter then.
     
  13. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Thanks Empath, I see the setting now. It's in the Sandboxie Control, click Sandbox, expand DefaultBox, click Sandbox Settings, expand Resource Access and then click Internet Access. If you read the two lines below the four buttons, it seems as if it will block the fake files regardless. Maybe Sbie uses a hash check of some kind. This is very interesting.
     

    Attached Files:

  14. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    or if you are the only person using the computer you can just save the u/n and PIN in a txt file with a not so obvious name concerning its content and copy-paste with mouce.
     
  15. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    As a few of you have stated there is a way within sandboxie to "configure" a single applications Internet access within the config of the sandbox and it appears to work well.

    Unfortunately this setting is not active by default effectively rendering the sandbox a high risk with keylogers (only during the infected session as I have stated above).

    In my experience anything not "default" is useless with granma! ;)
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,050
    First, I know a member of the forum, who would take exception to that last statement.:D

    Second, correct me if I am wrong, but wouldn't a keylogger, to be effective, really have to either install a driver, or start a service, of some kind. Because if so, case closed.

    Pete
     
  17. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Some types of keylogers yes... however many trojans also include keylogging functionality as well as remote viewing or even remote control... All contained within an executable smaller than 400k... Seen some even smaller.
     
  18. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    The Anti Keylogger Test below shows that keystrokes can be captured when run sandboxed

    Is it a worthy test for Sandboxie if set for only the browser to connect even though keystrokes are captured this info can't be sent out?
    AKLT test
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,050
    Absolutely, but if they come in thru the browser, they are sandboxed, and can't hurt the system. Tested this with some live malware. Sandboxie protected the system.


    @Franklin. To answer your question strictly from my point of view. I don't care, if something were to come in thru the browser, and install some keylogger. Before I do anything of significance, I close the browser and empty sandbox. Takes seconds, easy habit to form, and keylogger gone.


    Note. I can't help feeling, if this is too difficult for someone to learn, the may well be, unfortunately, doomed to getting themselves in trouble. It's kind of like "Don't open attachments" So simple, but....


    Pete
     
  20. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Peter I think it's probably because the only people that call me actually willing to pay for my services are usually the desperate ones... I get too see a lot of bad stuff :D

    So I may be more "paranoid" than would be required under the circumstances... However my faith in Joe Average has wanned considerably over the years as I have seen them do the obviously dangerous and actually think it was the appropriate secured measure to do... Still baffles me to this day how the human brain being so powerful can do really such stupid things as some users actually do...
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,050
    Nothing new really. Just the computer gives them the power to do it quicker. The one I loved was the the British technology weekly, stopping folks at the tube entrances and offering them some quality chocolate if they'd take a survey. Some high percentage were willing to give up their work computer passwords. Duh.
     
  22. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    To say that a program is useless on the single basis of 'default settings' is beyond the most ridiculous thing I have ever read. TerrorEyes has it right-on as do most of the users here. I have always said that those in the computer-fixit-industry would be the slowest to give SandboxIE credit and the comments here prove that out. Fear mongering that uses 'GrandMas' surfing habits as a basis is becoming more and more prevalent now that a number of new products are supplanting the tired old failed products of the past.

    HermisComputers states that because he is worried that Grand Ma is totally inept, he recommends that she visit his site for guidance. Well I went on that site and no one (not just Grand Ma) would be expected to do all that is recommended there.

    Fear mongering that leads folks to needless worry creates situations like this; http://forums.wincustomize.com/?aid=175059
    And is causing people to 'break' their computers.

    Probably followed by a phone call to a computer fix-it guy for help. haha
     
  23. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    And another thing you could do is install Keyscrambler. Works on both Firefox and IE and is free. Even if a keylogger could log your keystrokes. All it will receive is a load of gobbledygook.

    muf
     
  24. MitchE323

    MitchE323 Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    156
    Well if I am ever targeted by a keylogger, I am going to treat that threat very seriously. I am going to assume that a Commercial Keylogger is after my information. (note the word Commercial) Can anyone guide me to a freeware anti-keylogger that would be of any help? I've never heard of one.

    It's time to cut through the nonsense and provide some qualified answers for people. Otherwise why even have Computer Security as a job or as a hobby? As far as I know SandboxIE is the only product that provides even hope against a commercial keylogger.
     
  25. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    Has anyone actually tested KeyScrambler to see how effective it really is?
     
Loading...
Thread Status:
Not open for further replies.