Sandboxie - How safe do you think it is?

Last night, I was creating a new sandbox, and then something started to hit my thoughts...

First of all, I'm not putting in question the efficiency of Sandboxie to prevent your system from becoming infected, for example, when browsing. No, not that.

That was just to clarify... to exclude any possible doubts.

So, as far as I'm aware of, Sandboxie doesn't check the processes you add to the sandboxes, to start, if they're the real processes or not. Meaning, it won't check for their "DNA" (like digital signature).

That means if I have a sandbox created to start Opera browser, and for example, allowing a pdf reader to allow run in it, like Adobe Reader, then if there's, and lets imagine it would happen, a malware pretending to be Adobe Reader, with the exact name of the real process, which is acrord32.exe.

I'm sure that if, there were two processes with the same name Sandboxie would display some error? I never tested it, and never asked Tzuk, but will do it.

Now, lets imagine that I uninstalled Adobe Reader, but forgot to remove the acrord32.exe process from the allowed processes in that sandbox. Now, everytime I start the Opera sandbox, the process acrord32.exe, which is a piece of malware, would also start sandboxed. Now, lets imagine that this piece of malware is a keylogger. You access you bank account. This process is allowed to communicate with the Internet.

So, Sandboxie could pose a threat in such a scenario.

Did you ever considered this possible scenario? Shouldn't Sandboxie allow the processes to run, only if they're a match to a digital signature? At least, those we know they have one, and that we don't want them to be confused with some bogus crap.

Do you feel less safer, considering this could happen, and you wouldn't even notice it?

A more experienced user would know, I believe, to prevent an infection, but lets image all the casual users.

What do you think?


Regards

 

Very interesting question indeed.
I would like to know about it too.

 

First off, Sandboxie is not going to prevent anything from running in the sandbox until you invoke the Run/Access settings. There can be two situations; one is a program that is coming from outside the computer like the internet. The other is a program that exists on your computer already. A program that exists on the computer already will not run in the sandbox until you right click "Run sandboxed" on it. For a program that comes from outside the computer like the internet; read the fine print on the Run/Access tab in Sandboxie Control.

"When this feature is enabled, programs that are installed (or downloaded) into this sandbox will never be allowed to start or run, even if they match the program name specified above"

 

You didn't understand me well, I believe.

1 - There's a sandbox created for Opera browser (example).

2 - In that sandbox only Opera (opera.exe) and Adobe Reader (acrord32.exe) are allowed to run.

3 - When I start Opera, I want to read a some PDF file.

4 - The process acrord32.exe will start sandboxed, as well.

5 - For some reason, some day, I decide to uninstall Adobe Reader, but forgot to remove the process from the allowed processes to run/access the sandbox and the Internet.

6 - Sandboxie doesn't check whether or not a process is legitimate or not, as in, it won't check if it digitally signed or not, for example. Sandboxie has no idea. The user needs to have the "idea".

Based on this, and theoretically, couldn't a malware write just develop some piece of malware to sneak around and pretend to be, in this case, Adobe Reader (acrord32.exe), and hence allowing access to the Internet and to the sandbox? Meaning, this piece of malware would get into the sandbox, from within the system, and communicate with its creator(s).

What I mean is... Couldn't they just discover a way of making the fake process to run sanboxed? Does Sanboxie offer protection against it?

This, because, as I mentioned, it won't recognize a process as not being legitimate.

This is stupid way of working, if you ask me - allowing processes to be added(by the user) and then allow any process with the same name to load (allowed access) to the sandbox.
It should check against a database of digitally signed applications. At least, those we know that are, so that nothing can compromise the sandbox.

I'm not saying that such is happening right... unless someone already has complained, but, in theory, for now, this is a flaw in Sandboxie, in my way of seeing it.

 

The program or process that you are describing would have to exist somewhere - either on the computer or in the sandbox. Let's say you allow a program to run in a sandbox and then later you uninstall that program but forget to take it off the allowed list. So a new malware program takes on that same name. OK, if it is in the sandbox it will not be allowed to run. If it is on your computer ... why would it choose to run in the sandbox and then design some way of breaking out of the sandbox, even though it was already out of the sandbox in the first place? I understood your question, I think you didn't though.

 

That process exists on your computer and outside of the sandbox. That is different than a process located inside the sandbox. Once you uninstall it, it will no longer exist on your computer and outside the sandbox.

The only thing that is the same about the original process and the new malware is the name. That fine print "CLEARLY" states that it will not be allowed to run.

 

[

That's exactly what I have mentioned. But, for now, lets exclude that the fact it could be in the sandbox.

Lets stick with the option it is somewhere in the system

And, how exactly won't it be allowed to run? Does Sandboxie make a difference between this path, where the legitimate acrored32.exe process is C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe from, for example, this path C:\Windows\System32\acrord32.exe?

As far as I can understand, no. Please, correct me if I am wrong.

And, that's what I assumed, theoretically, since the beginning, that the malware would be in the system, and not in the sandbox, after browsing the web with Opera.

Why would it get is way into the sandbox?

As of now, Sandboxie is not that widely used, so 99,99% of certainty this doesn't happen and won't any time soon, unless it begins to be widely used.

But, heck, lets imagine there's one crazy fellow out there who thinks: Hmmm... what if I create a piece of malware, try to get into one's system, check for Sandboxie configuration file, see whats there, check if any of the processes on the configuration file exists on the system, and if not, disguise it (my piece of code) with that name, and then make its way to the sandbox were the other process, with the same, was allowed to run and to access the Internet.


In theory, it could happen. I'm not saying, nor thinking it would be a nice approach, since the piece of malware already is in the system, but... just the theory shows that Sandboxie has a something that could be considered a "flaw".

I'm not a programmer, or anything similar, and with 100% certainty I can say that I don't if something good (as in really nasty) could come out of that situation, but it made me wonder if Sandboxie should recognize processes.

Because, the truth is, Sandboxie doesn't care if XYZ is a legitimate process or not.

I could have simply have spoken about Opera and saying that I could create a bogus opera.exe file, which would do anything, even who knows, a very basic web browser, and Sandboxie would allow me to run that process sandboxed on the Opera sandbox. It wouldn't trigger an alert saying: Hey, you're not the real deal... Get lost, you're not allowed to be in here.

So, I did understand my own question/doubt. This was all a theory from the very beginning. The theory is, if something can come out of this situation, then for sure malware writers (and they know 100% better than me) would find some way to what ever they would want to do. Even if just for fun, to show Sandboxie's creator that his creation, after all, doesn't protect against it.

So, just a theory.


Cheers


P.S: I hope I made my self clear this time. But, I'm not a native english speaker, so please, bear with me.

 

I wouldn't consider it a flaw on Sandboxie's part. It is not designed to protect the system against malware running outside the sandbox although an added feature of at least using file paths for start/run and internet access settings for programs instead of just relying on process names would be nice

 

So, there is currently no difference between adding by name or by file in terms of how the Sandbox identifies what should have start/run permission or internet access, is that right?

If there is indeed no difference, then isn't Moonblood's question here a very good one?

It has always bothered me that I don't know whether Sandboxie knows one "opera.exe" from any other...

Thanks

philby

 

Well before you start dubbing things as flaws because you want them to be flaws, why don't you ask this at the developers forum? Tzuk has answered this himself already. I cant find the thread right now, but I remember reading it.

 

WHY would that program - which would exist on the real system, need to access the sandbox to be allowed to access the internet? If it is on your system, it can do anything it wants from outside the sandbox.

 

I don't want things to be flaws. Please, don't "put" words in my "mouth".

If you read my first post, you'll see I'll be getting in touch with Tzuk, explaining my view, which is all it is. So far, it is nothing else.

 

That was just an example, to show that Sandboxie makes no real difference between one process and the other.

I could have just the following:

Lets imagine that some piece of malware gets into the system (Lets suppose it exists.) and changes (Lets imagine it finds its way.) C:\Program Files\Opera\opera.exe, which so far is the real process, and replaces it with a bogus process opera.exe, which in turn, when executed, resembles Opera browser.

Again, let me reiterate, that such would not be a practical thing to do, because it would already have access to the system, and do its thing. But, this very same fact doesn't invalidate the fact that Sandboxie can't make a difference between both, the legitimate and bogus processes.

To be honest, Sandboxie should make a difference.

 

Why not read the faq's before clutching at straws.

http://www.sandboxie.com/index.php?FrequentlyAskedQuestions

 

Well then that is a good thing for Sandboxie then because when that malware executes, it will be sandboxed. Do you realize how totally misleading it is for you to develope (in your mind) this master monster spyware and then announce it as a "flaw" that (you say) sandboxie is helpless against this type of attack ... and neglect to post your all important questions on the mans forum itself?

 

Actually, it is not a good thing to happen. Yes, it starts sandboxed. So what? It still allows the fake process to con people.

I'm sure that I, you, and so many others would tell the difference... I wonder... would my nephew, who uses computers to minor things, which include a little browsing for school work, tell the difference, if it really resembles Opera browser?

Yes, it starts sandboxed. Really means nothing.

Lets not turn this into a conspiracy.

How raising a question is misleading? Anyway... In one of my previous posts, you asked why would such malware to exist. I answered that there could be some crazy folk(s) out there.
There is "malware" (I don't know if we can call it that way), that the only thing they do, is to joke with people (jokeware), like constantly open their CD/DVD drive, rebooting their system, etc. No real malicious actions here. But, it does pisses users off, who don't even know why it happens, and what to do about it. As far as they're concerned, the problem is the Operating System, some update that may have screwed things up.
So why wouldn't anyone crazy do the same with tools like SandboxIE, who don't make a difference between real and bogus? Just to piss people off.

Why wouldn't some create a piece of malware, infect one's system, having in mind that it had to check whether or not SandboxIE is installed, read the SandboxIE file configuration; check what processes are allowed to run in XYZ sandbox, and when users start, for example, Opera browser sandboxed, that "nasty" ask the user: Are you really sure you want to start Opera browser? Better not, I'll get there myself. Thank you.

Sure, no real damage... unless for the mind. Truth is, jokeware does exist, and why wouldn't someone want to do it, if it (SandboxIE), eventually becomes widely used?

You say that starting sandboxed would be stupid. I don't think it would.

There's phishing, malicious domains, etc. and more and more people are becoming aware of the dangers the Internet exposes them to.

I guess that a few, so called, casual users, also begin to use SandboxIE. I know I have advised it. Why shouldn't I? But, today more than ever the bad folks want people not to be suspicious about their work (malware) actions. So, why not do what I wondered if someday could be happening, and those users feel confident, because they have SandboxIE and only the allowed processes (trusted processes) can run there?
Now, wouldn't be stupid for SandboxIE, as a security application (I believe it is a security application.), to allow bogus processes to take place of the real ones, and make people believe they're browsing with the real deal?

Sure, maybe an anti-malware application would detect that bogus process as being malware... What if it wouldn't? What if those users have so many advices given by so many "great experts" telling them that anti-malware applications let pass more than 40% of malware, and think for themselves - "Better not get that crappy applications, and make my system slower for something that is not even capable of detecting half of it."

So, if you ask me... as a security tool, SandboxIE should make the difference between real and bogus.

Edit: I'll shut up from now on... It seems all I pretend is to spread fear and doubt, misleading people, etc... Please, could a moderator eliminate this thread, so no more users (including those who may just visit the forum, after a google search) feel misleaded?
It was never my intention to make this thread a misleading one... Rather a question I'd like to know what others would think of it.
I apologize for any inconvenience.

 

Fair enough. But, just to clear things out: I never stated that SandboxIE would let malware in, from within a sandbox, say, Opera browser. I never stated that.

All I questioned was: Shouldn't it be able to recognize between a real and bogus process?

I never said that SandboxIE should detect malware.

I never started this thread to bash a product, its software developer(s), nor to mislead other users.
I just happen to have asked this question, and explain something, based on something that, theoretically, happen, in a security forum I visit for some time now. I believe there's nothing foolishly in wanting to learn more.

I also believe there's no reason to say that I'm foolish, that all I want to do is to bash a product, its software developer, and misleading users, if I, too, still have a long way to learn more about security.

I apologize if asking this sort of questions, in a security forum, to want to learn more, makes people behave like they're foolish.

So, as I said, you, as a moderator, could, kindly, delete it.

I'm sorry for even starting this thread.


Thank you.

 

Yesterday I picked three or four morphed installers for the rogue av Personal Antivirus and how many AV's actually detected them?
Setup-96a_02018-4.exe - Result: 0/41 (0.00%)

So I ran one of the installers through Sandboxie to see what I had as no AV could detect it at the time! Can you see what I'm getting at?

 

The answer is "What is the point?" It recognizes between sandboxed and unsandboxed processes. Not only is what you say needless, but it opens an avenue for error that does not exist currently. And just a BTW, consider the price of the program - and it's a one time fee and covers all the computers you own. What if implementing what you say is needed causes that price to jump for everyone else? Some want Sandboxie to do more than what it does - are you willing to pay for it?

 

Is a subject like this

, implying a problem?

Heck, where I live, is a question.

Anyway, please, you or any other moderator, feel free to eliminate this thread, to prevent further issues, misleadings, etc.

 

The problem here, as I said in another thread, is down to malware classification and the fact some AVs will report there's no malicious code in the file, which is most likely to be correct.

I know this to be true for one such example I submitted for further analysis recently as it wasn't being picked up by the AV in question, and scanning sites showed most others weren't either. The problem is of fraud detection; whilst there may be no malicious code in the file, it is still a rogue application because of the scam they run by running a dud scan and then request payment to remove the traces it apparently finds. Not all AVs are detecting such applications as frauds.

 

You'd be amazed at just how many people fail to grasp that point despite it being repeated ad nauseum and claim it as a weakness in AV utils not to heuristically detect such fraudulent rogues.

 

OK. I've been reading this thread all over again, and I do believe that my approach, to explain my view, wasn't the best.

I guess that I ended up confusion certain things. It, actually, crossed my mind, today, while setting up a machine with Sandboxie, for a family member.

So, the reason why I asked if Sandboxie shouldn't recognize processes based on their digital signatures, is that, for example:

I set a sandbox, as I did to my family member, to Internet Explorer.
In this sandbox, only IE is allowed to communicate with the Internet, but let's forget this approach right now, and assume that, for example, this sandbox would also allow Adobe Reader to communicate with the Internet.

For that, acrord32.exe needs to be allowed to run in the sandbox and access the Internet.

Now, the system is clean. The user browsers with a sandboxed IE. The user goes to the bank account, and the user isn't even aware that a process with the exact same name as Adobe Reader's process is running in the sandbox. That process is a keylogger. (Let's just assume the user would be running a sandbox set up by someone else, who didn't explain this user that something like that could happen.)
It is possible to happen, and it happens that malware disguise themselves as other applications (specially known ones, and that, most likely, users will be running) to deceive users.

So, we have an unsuspected user, accessing the bank account in a sandbox IE session, and a keylogger got in the sanbox. This keylogger came from the Internet, of course.

Now, if Sandboxie was able to tell the difference between the Adobe Reader's process and the keylogger, which has the same name, then this keylogger couldn't run and communicate with the Internet (its creator(s)).

So, based on this, wouldn't make sense for Sandboxie to be able to tell a difference?

I hope that, now, this view I'm giving you now, shows more clearly what I wanted to mean before.

I apologize for any confusion I may have caused. As I mentioned earlier, I believe I even confused my self along the road.


Regards