Studying Malware in a Virtual Machine - Dangers, Precautions

Discussion in 'sandboxing & virtualization' started by sbwhiteman, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Which executable, the initial sandbox breakout or the payload? Presuming you mean the sandbox, the executable wasn't a direct executable, it was something a little more clever and in keeping with Sandboxie's stated operational use:

    Peter, nobody doubts a claim when someone reports that a virus slipped by their antivirus software. This isn't any different, as far as I can tell the difference is nobody seems to have informed anyone here about the existence of sandbox/vm vulnerabilities. In the prior post I detailed the attack type and the resultant payload and gave public examples of everything needed to accomplish it both from a sandbox or a vm, and a small article about the field of vm malware.

    Specifics aren't particularly important because the specific exploit used may change, but the attack is the same. Just like what kind of message a scammer sends about the money you inherited/won/held in escrow, the details may change but it is still the same scam. The PoC we used in the 2009 version of Sandboxie may not work in the latest version or the latest windows or otherwise. However, it proves the attack historically, and merely by changing the exploit specifics to something that does work, the attack is resurrected.

    This is because the underlying vulnerability never disappeared: encouraging unsafe behaviors in an inadequately secured environment. Testing malware in an inadequately protected sandbox or vm is not a good idea.
     
  2. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Steve, part of the problem is that very little is said publicly about attacks on and vulnerabilities in these types of applications. It's still a niche market, and you certainly won't find tests and reviews in the normal places you would other security apps. AV bypasses are so public because it's the most common form of protection, and, people are used to malware authors tweaking their creations to go undetected by such apps. Outside of Wilders and other security forums, you're very likely to have to search a while just to find anyone who even knows Sandboxie exists, let alone what it is and how it works. Therefore, very few know how vulnerable such apps may be.

    The attacks will come, and a lot of folks will get knocked off their clouds when they do come.
     
  3. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    that sounds reassuring. ;)

    well, as long as i can boot from a CD/DVD disk and 0 the HD i should be ok.
     
  4. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Well, facts have to be faced here. Nothing is created that can't be destroyed, and the harder the war against malware is fought, the harder malware authors will fight back. Nobody is "safe", everything depends on how much of a target you are. If bigger targets use better security, then common sense will tell you that those better security measures will be attacked harder. Malware authors aren't all that concerned over AVs and "Anti-Spyware", they won that war. Virtualization though, they'll want in on that.
     
  5. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    17,493
    Location:
    UK
    I have been reading through this thread and have decided a couple of things. Bear in mind these are just my own thoughts on this subject.

    1. SteveTX is a master puppeteer.

    2. He has a product release coming up soon (Safehouse) and is drumming up interest in it.

    3. He will release the POC tomorrow (just kidding with that one:D )
     
  6. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    *Sigh* Good 'ol Wilders.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I agree with the sigh, but Stapp is right on the money

    There are no straight answers.

    First I live at the Headquarters of spooks and goblins(Wash. DC) and there is one thing I've learned relative to people who work with "sensitive" information. That is:

    If they do, they don't talk about it at all, and if they talk about it, then they aren't doing it. So I don't believe there is any sensitive information here.

    Also, if someone here posts and says "hey, a virus got by my whatever", then my first reaction is: who posted? There, credible folks usually post details about what happened and how it can be reproduced. They also notify vendors.

    But to claim that there is this magic POC which can bypass the world, say I've told vendors and they don't listen, and not provide them with what they need to fix the vulnerability is nonsense. This is either the height of irresponsibility, or as Stapp put it being a puppeteer. Take your choice, but does it matter which?

    Pete
     
  8. sbwhiteman

    sbwhiteman Registered Member

    Joined:
    Jul 20, 2009
    Posts:
    88
    As the original poster I find all this fascinating. Since I happened to have an old machine laying around I went ahead and set it up for exclusive malware testing. Assuming I take other machines off the network at the time I'm using it, I believe I should be fine. (Correct?)

    However, the old machine is underpowered, and testing in a virtual machine would be more convenient. Acknowledging that there is the theoretical possibility of malware escaping the VM, are there additional specific steps that you all would recommend to minimize the risk? (Again, thanks to CogitoTesting, Searching, MrBrian, and J_L for their previous suggestions, and SteveTX for his cautions.)

    Regards.
     
  9. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    Sorry if I'm still skeptical, but you aren't even providing any technical details. Through what mechanism does this break out of the sandbox? What do you mean by "the vulnerability exists in the trust model of the OS". How does the same flaw exist across various platforms? There is a distinct lack of detail here.

    In all honesty, it looks like you are trying to make trumped up claims in an attempt to draw attention to your own product. If so, this would be a serious offense. Some of us take security rather seriously, and intentionally reporting non-existent vulnerabilities is not taken lightly.

    I would encourage you to start being more forthcoming. Now that you've made these claims, to provide anything less than a working PoC might lead to a pretty negative stigma and possibly become a great embarrassment in the future. I'm not much of a business man, but the last thing I would want is the reputation of being a liar...
     
  10. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Will I be allowed to prove it?

    Peter, I don't bluff. You should have accepted my terms to review the code privately, instead of publicly impugning my integrity. Just remember, you called down the fire; don't back-pedal now.

    I request the permission to post on this forum, live malicious code and demonstrations, for all to see for themselves, without moderation or censorship.
     
  11. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543


    I've slept a bit and have had more time to ponder this situation. First of all, my "sigh" was simply because Stapp's response reminded me of the ever-increasing attitude that some are showing more of around here lately, and not just in this thread. It's completely off-topic so I won't linger on it anymore. Stapp and you do have a point though. While I don't live in DC, I've worked there often enough and with enough sensitive information to agree wholeheartedly with you.

    Again, I have to stress that if this POC does exist, and Steve wasn't ready to divulge, he should have kept quiet. While I'm not ready to burn him at the stake like some seem to be, I have my questions, and, actually, as I mentioned in a previous post, I always have. If vendors were notified, and they blew it off..why? Why are the researchers that are involved refusing to be named? Why is there such secrecy behind it, and why has it been shelved for two years?

    Does this POC affect software that 3-letter intelligence agencies are using..are these researchers a part of these agencies? If POCs are publicly shown all the time regarding other security measures..why not for a virtualization app? Why is he waiting until after he unveils one of his products to talk more about or show this deadly POC? If this POC exists, and is this dangerous, it won't matter if it no longer works, the concept is there, and waiting until some stupid little privacy browser of his is unveiled to show us said concept is admittedly suspicious and really just wrong.

    Will this "Safehouse" be another "no other vendor is safe and/or does it right but us" type of deal that his VPN service seems to be? @Steve: I'm trying to be a bit nicer than the rest about this whole thing, because I've no clue about your particular circumstances. But, my advice, is that if you have this thing, it's time. It won't interrupt your getting Safehouse ready to upload a video here or at least provide a post with some further techie details. The more you drag this out and continue to talk about it, without showing more, the angrier the mob is going to get, and the more your credibility is going to take a beating. It's time.

    At the rest, if I end up being wrong about the guy, and he ends up being a marketing guy blowing a lot of hot air, I'll personally put a post in the appropriate place on the forum, dedicated to me admitting I was wrong and got fooled.
     
  12. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    Re: Will I be allowed to prove it?

    I would like to take a look and run this privately myself if you are willing. If you PM me and leave a download link to a neutral site (rapidshare, etc), include any instructions and the expected outcome, and I will gladly test the PoC.
     
  13. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Re: Will I be allowed to prove it?

    Trying to throw the mod under the bus isn't going to help things now. In reality, you brought the fire by talking about a POC you, if you want to get right down to it, evidently weren't supposed to talk about. If you want this to be out in the public, then what "terms" are you referring to? Posting live, malicious code here? They aren't going to do that, Steve. Some numbnut will decide to play researcher when they've no clue what they are doing, and then they'll blame Wilders, and, well, you surely see how all that will go down.
     
  14. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Sorry this has turned into a train wreck, lol. But to answer your questions as best I can. Yes, if you took that system off of your network, it wouldn't hurt your other systems. If you really want to start this testing, then yes, you do need to be aware that there are "sandbox-aware" malware out there that will sit quietly and twiddle its thumbs until it's out of the sandbox. And, yes, sandboxes and virtual environments have been compromised before. The very best thing you can do, if it can be done, is to use that old system for the lab work. Take it off the network, put your virtual environment on along with other security apps like of course AVs, anti-malwares, and, after making a clean image of the system and storing it outside of the test system, go to town on your testing.

    It is extremely important that you have a clean image to get back on your feet with, no matter what system you use for the tests. All security measures can fail, so you need to have that image tucked safely away and ready to go.
     
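    Two of the precautions in the post above (restore only from a clean image kept outside the test box, and expect "sandbox-aware" samples that fingerprint the VM) can be scripted. The block below is an added example for this thread, not code posted by anyone in it and not part of Sandboxie or any product discussed here. The interface dump, the "image" bytes and the manifest are constructed inline so it runs offline; the OUI table lists vendor MAC prefixes publicly assigned to common hypervisors, which is one of the simplest checks VM-aware malware performs.

```python
"""Pre-detonation lab checks (added example, not from the thread).

1. image_is_clean(): compare the stored clean image against the SHA-256
   recorded in a manifest (sha256sum format) when the image was made, so a
   "restore" really returns the lab to a known-good state.
2. vm_fingerprints(): report hypervisor-vendor MAC OUIs in an `ip link` /
   `ipconfig /all` dump. Sandbox-aware malware looks for exactly these and
   stays dormant, so the operator should know they are present.
"""
import hashlib
import re

# Vendor OUIs (first three octets) assigned to common hypervisors. Public IEEE
# registrations; 52:54:00 is the default QEMU/KVM locally-administered prefix.
VM_OUIS = {
    "08:00:27": "VirtualBox",
    "00:05:69": "VMware",
    "00:0c:29": "VMware",
    "00:1c:14": "VMware",
    "00:50:56": "VMware",
    "00:15:5d": "Hyper-V",
    "00:16:3e": "Xen",
    "52:54:00": "QEMU/KVM",
}

# Matches aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff (Windows ipconfig style).
MAC_RE = re.compile(r"(?i)\b([0-9a-f]{2}(?:[:-][0-9a-f]{2}){5})\b")


def vm_fingerprints(interface_dump: str) -> list[tuple[str, str]]:
    """Return (mac, vendor) pairs whose OUI belongs to a known hypervisor."""
    hits = []
    for match in MAC_RE.finditer(interface_dump):
        mac = match.group(1).lower().replace("-", ":")
        vendor = VM_OUIS.get(mac[:8])
        if vendor:
            hits.append((mac, vendor))
    return hits


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the given bytes (the image would normally be read in chunks)."""
    return hashlib.sha256(data).hexdigest()


def parse_manifest(manifest_text: str) -> dict[str, str]:
    """Parse '<sha256>  <filename>' lines as written by `sha256sum`."""
    entries = {}
    for line in manifest_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) == 64 and name:
            entries[name] = digest.lower()
    return entries


def image_is_clean(image_bytes: bytes, manifest_text: str, image_name: str) -> bool:
    """True only if the image is listed in the manifest and its hash matches."""
    expected = parse_manifest(manifest_text).get(image_name)
    if expected is None:
        return False  # unlisted image: refuse rather than guess
    return sha256_hex(image_bytes) == expected


# --- constructed sample data (not captured from a real system) -------------
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500
    link/ether 08:00:27:4e:66:a1 brd ff:ff:ff:ff:ff:ff
"""
SAMPLE_IPCONFIG = "   Physical Address. . . . . . . . . : 00-0C-29-3A-B1-7F\n"

CLEAN_IMAGE = b"fake-clean-disk-image-contents"          # stands in for the .vdi/.vmdk
TAMPERED_IMAGE = b"fake-clean-disk-image-contents-modified"
MANIFEST = f"# written right after the clean install\n{sha256_hex(CLEAN_IMAGE)}  lab-clean.img\n"

if __name__ == "__main__":
    print("image clean:", image_is_clean(CLEAN_IMAGE, MANIFEST, "lab-clean.img"))
    print("VM artefacts:", vm_fingerprints(SAMPLE_IP_LINK + SAMPLE_IPCONFIG))
```

    Keep the manifest on the host or on removable media, never inside the test system, since a compromised guest could rewrite both the image and its hash. A non-empty result from vm_fingerprints() does not mean the lab is unsafe; it means a sample that does nothing may simply have noticed where it is.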
  15. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    I'm probably not the most appropriate one to step up in this discussion but wouldn't it be best for all, to take a time-out?
    Say, 48 hours and then continue with this thread?

    To be honest, if I understand correctly, the PoC mentioned by SteveTX was aimed at SBIE specifically.
    Not necessarily at all sandboxing/virtualization programs.
    I also remember SteveTX mentioning having informed Tzuk about this specific POC.
    So, the one vendor involved was actually informed (at least to a certain degree).
    Other security software vendors like McAfee and Symantec have also been named by SteveTX as in offering zero protection against this Mother of all Malware/MOAM PoC but afaik only SBie has been mentioned as being actually tested.

    I don't feel any need to defend SteveTX and no, I'm not one of the seemingly infatuated Xerobank customers. (I'm not a customer at all to be precise)
    The 'announcement' of this PoC hasn't been very 'Par for the course' and surely we all would like to see the evidence asap.
    But only in a responsible fashion, I'd presume, so perhaps let's not let emotions get the better of ourselves?
     
  16. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,252
    Location:
    New England
    Re: Will I be allowed to prove it?

    No! No professional in the industry would EVER provide live malware samples to the general public. It is just not done, and you should know that.

    You want everyone to see that you have proof of super-powered malware, then use your own forum to show it. And, if you should stop yourself and realize that the threat of publicly providing live malware is damaging enough, versus actually doing it, then how about you give your PoC to a trusted third party to review and test?

    I suggest Matousec. He and his group are already in possession of a huge arsenal of dangerous PoC code and they are trusted with it by a large portion of the industry. Further, whether people agree that his tests are actually real world or not, they do not doubt that he and his people are experts at exploits and bypasses. If anyone can handle that code both responsibly and with full understanding of it, it is Matousec. And you would not even have to "dust it off". Give Matousec the raw file you have and they'll be able to tell immediately what it is and what it can do.
     
  17. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I believe he said virtual environments, and, he also mentioned VMWare. As for "cooling off", I do believe that boat long has sailed, lol. It'll end one way or another soon enough. Either the proof will be shown and it'll be gone over with the finest-toothed comb you ever saw in your life...or it'll either be shown to not exist or be shown to not be a big deal.
     
  18. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    dw426,

    Mods should stay out of discussions, and definitely shouldn't be making accusations, because they speak with the authority of the forum.

    Peter made a bad move, and now needs to accept the consequences and be prepared to eat his words in the same fashion he gave them out.

    ----

    For those of you concerned about live malicious code, I'll provide an explanation of what the PoCs do. Most of them are harmless because there is no payload attached, but they are working exploits against Sandboxie. The main thing I think Peter was balking at was the 2009 PoC payload that could agnostically and undetectably destroy an OS, which I will also release.

    The Sandboxie breakout is trivial; in fact we discovered a Sandboxie remote file disclosure and remote file deletion just this morning. Btw, remote file disclosure means a website can read files off your drive remotely, like your passwords/docs/photos. The remote file deletion bug we found destroys the sandbox and all data inside it.
     
  19. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,975
    Location:
    Boston, MA
    Has anyone received the code as of yet? I'm just curious. I'm enjoying the back and forth banter too much.
     
  20. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Re: Will I be allowed to prove it?

    LowWaterMark, this was my exact comment to Peter. I told him it was too caustic to release publicly. He privately demanded the code and threatened to ban me if I didn't provide it to him. I offered him fair terms under which he could test it so there was no bias and he declined, you can read my private messages with him, it is all there. But he refused and decided to call me a liar, and I'm happy to call his bluff.

    Don't let your mods write checks with your forum that you aren't prepared to cash.
     
  21. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,252
    Location:
    New England
    Re: Will I be allowed to prove it?

    Really? Pete "demanded" the PoC from you, and said he would "ban" you if you didn't give it to him? I'd really like to see the text of that message, Steve, showing the demand and threat.

    Steve, as others have said above, you've brought all this on yourself. As I read your posts moving from page 1 and down page 2 of this thread, your claims for this PoC/exploit got bigger and bigger. By the middle of page 2, it was effective against all "Mac/Linux/Windows", thus people calling it now the ultimate malware or magical malware. How can you not expect people to call you on such a claim?

    Nothing in this thread is a smear on your reputation. It's simply people calling you to prove your claims and being sceptical when you bring up the reasons why you can't. So, my proposal to you stands... You want the world to see your exploit code and all its capability, then post it on your own forum, or give it over to someone like Matousec.
     
  22. Hank88

    Hank88 Registered Member

    Joined:
    Dec 19, 2010
    Posts:
    16
    Location:
    B.C., Canada
    For the life of me, I can't figure out why this thread hasn't been locked-down yet.

    SteveTX is nothing but a Troll who likes to get attention, and with a thread like this, you're giving him exactly what he wants.

    You guys seem to like getting your Chain yanked.

    Ken:
     
  23. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Re: Will I be allowed to prove it?

    Request granted. Peter contacted me, said he wanted the code, and specifically referenced BSA_Buster's suggestion, which was having a mod present the ultimatum of providing the code and banning me if I refused.

    Having someone contact me to request the code would be one thing. Having someone who actually has banning power contact me and directly reference an ultimatum is different.

    I don't mind being called on such a claim. In fact, multiple times I said I would be happy to provide video and the actual PoC when I've got time to load it up into a solid test environment.

    I'll disagree. I've got a mod publicly calling me a liar and challenging my integrity.

    Happy to. Have Matousec contact me.
     
  24. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I'm going to be staying out of this now since it's at the point where the Admin is getting involved. But, to reply to you, it's kind of a mods job to be involved, plus, just because they are the "overseers", doesn't mean they should stay in the background, especially if they have some insight into a discussion or experience in a particular topic. As far as Pete, well, the business between him and you is none of mine. But, from reading his post, he's not making any more serious of an accusation or has any more skepticism than others in this thread who haven't already spoken up. In all honesty, you seemed to be the first one to make public mention of a private conversation between you and Pete about the code, and calling him out.

    But anyway, I'll be sitting on the sidelines now watching unless I'm directly spoken to.
     
  25. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,252
    Location:
    New England
    Steve, PM links are not readable by other people. If they were, people could always read each others PM.

    So, are you saying Pete wrote that he'd ban you and Pete wrote that he demanded the PoC? Or, are you saying he happened to reference BSA_Buster's post in his PM exchange with you? That's not the same thing at all. BSA_Buster's post was a "let's have Steve put up, or shut up" type of statement. A legitimate request, as I see it.

    As for Matousec, it's your PoC... contact him yourself if you want to get the proof out there. You're in the industry, so use your contact info and get in touch with him. You raised all this in your posts in this thread, so, you see it through.
     