Studying Malware in a Virtual Machine - Dangers, Precautions

Discussion in 'sandboxing & virtualization' started by sbwhiteman, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    I do not understand all this discussion.

    Who said that virtual machines or sandboxes (and their host machines) are invulnerable to attacks? They are not. Examples of older, fixed vulnerabilities
    (one in Sandboxie and one in VMware):

    http://www.sandboxie.com/index.php?VersionChanges#v_3_40
    http://www.vmware.com/security/advisories/VMSA-2009-0006.html
    Having said that, I am far more confused by Steve's attitude about releasing an old PoC that was fixed by either an OS security update or by the security program update: what exactly will it prove? o_O
    - That your new, to be released, product is more secure on that unpatched OS, or that is better than an older version of a competitors program? :blink:

    Panagiotis
     
  2. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    No need to make a false dichotomy, Buster. I've repeatedly said we had a breakout against the sandboxie that was most current (3.34/3.36) at the time of the attack (April 2009). It wouldn't have been possible to have one against the current Sandboxie because Sandboxie 3.54 didn't exist back in April 09.

    Don't be so obtuse, limiting the definition "failure" of a security application to a single specific activity isn't accurate at all. Making it do something that violates the user's conceptual level of trust is much more accurate for calling something a bug, especially if it discloses sensitive information or isn't excluded in the threat model.

    Forget breakouts for a minute. I'll give you an example of how a chained attack, using components only inside the sandbox, would work. You just have to be creative:

    Local or Remote Write to Inside of Sandbox

    It's only in the sandbox, so it's harmless right? Maybe not. It sits and patiently waits and every time you download a file into the sandbox, it appends itself to the file. Then when you have downloaded a file and are ready to export it, it escapes out of the sandbox and gets executed by the user.

    Or how about a Remote Delete like I showed you we found today. Let us say the user downloads an application or module into the Sandbox. Remote delete allows us to potentially remove security/protection components from the application you just downloaded. Whoops!

    I think I have an idea on how we can make this a fair stake: If we prove the PoC from 2009, you admit defeat and leave Wilders forever. How does that strike your fancy?

    MarkedManner,

    You've taken all the links out of context and omitted the most relevant one. I am demonstrating the progression of malware development in response to sandboxing / vm technology. Follow along:

    0. Malware becomes aware it is in a Sandbox or VM
    1. Malware breaks out of Sandboxing environments
    2. Malware breaks out of VM environments
    3. Malware becomes fully virtualized and attacks its Host OS from inside the VM.

    Malware doesn't become less intelligent, it becomes more intelligent. This is why relying on old techniques will not continue to work, and will have an increasing probability of catastrophic failure. It has happened, and will happen again.

    In this case, back in 2009, using the default configured sandboxie on a windows OS, we chained a breakout attack with a vm payload that destroyed the entire drive by writing zeros across the whole thing. This was put together in no time at all, imagine if someone was motivated. Sure, sandboxie is more secure today, but so are malware designers, and they are obviously increasingly aware of people using sandboxes and VMs.

    Because sandboxing applications or running them inside VMs is the way of the future, eventually designing vm and sandbox breakouts/piggyback attacks will become a standard malware infection procedure.
     
  3. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    The 2009 PoC had a payload that is caustic because it is a virtualized malware. In specific, it would reverse-mount the host OS's drive in raw mode, not caring what OS it was running on, and start writing zeros across the drive, destroying it.
     
  4. markedmanner

    markedmanner Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    134
    "A critical vulnerability in the virtual machine display function might allow a guest operating system to run code on the host."

    Interesting, I wonder if there is any known exploit of this? I realize it's an older version of VM Player but just curious.

    Good point if the hole has been patched in Sandboxie why not just release the code. What is the harm?
     
  5. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    On march 15th, less than 15 days ago, you wrote:

    "sandboxie is moderately strong, but if it comes up against smarter or stronger malware, it severely fails."

    The only way Sandboxie can fail is if it's unable to prevent a sandboxed application from writing to real disk. As you didn't reply to my question I will repeat it again:

    Do you have currently a working PoC that proves you can write to real disk?

    Sandboxie, as a security application, has only one specific activity: prevent sandboxed applications from writing to real disk. So limiting the definition of "failure" to that is exact and fair, whether you accept it or not.

    Even if with its default settings Sandboxie has not been designed to prevent the disclosure of information, by popular demand Sandboxie got methods to get such behaviour.

    If someone wants to prevent the disclosure of information he/she just needs to go to Sandboxie Control > Sandbox > Sandbox Settings > Restrictions > Internet Access > Select "Block all programs". Or could deny access to folders with sensitive information. Or could deny the execution of applications not allowed to run, or ...

    As simple as that. But Sandboxie doesn't do that by default because Sandboxie in its concept is used to prevent writes to real disk. If it has other features it is because Sandboxie's users demanded them.

    * I told you several times in this thread that I found 2 holes in Sandboxie in the past.

    The question is not if Sandboxie or any other security product was vulnerable in the past. The real deal is: Is Sandboxie vulnerable right now? Could you prove it is vulnerable in its last official release?

    Obviously you are simply trashtalking Sandboxie using a 2-year-old hole that has been fixed already and you should be banned for such behaviour.
     
    Last edited by a moderator: Mar 28, 2011
  6. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    MarkedManner, here was the doc you couldn't reach:

     
  7. markedmanner

    markedmanner Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    134
    Understand you are showing the progression in these papers which offer no POC but theory on what could happen.

    I guess we will see.. I think sandbox software is becoming very popular, so much so that, as you mentioned, some malware writers have started writing malware that is VM-aware. (Not common, but I am aware of malware that does this personally.) So if they are making malware that is VM-aware, the point of which is to get a person to run malware on their live system to infect it, what does that say? To me that says it must be virtually impossible or extremely difficult to craft a piece of malware that would bypass VM or Sandboxie for that matter. Otherwise why mess with making malware VM-aware? Why not just make malware so that when it's executed in a VM its payload is executed on the host system or outside Sandboxie? I am totally aware of VM-aware malware but not VM bypass malware.
     
  8. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    The problem for you is that such a claim has to face the fact that in the last year (at least) nobody has been able to bypass Sandboxie. That's a fact you cannot prove wrong, can you?

    * when everybody here knows Sandboxie is not a firewall.

    Or things like:

    "It's only in the sandbox, so it's harmless right? Maybe not. It sits and patiently waits and every time you download a file into the sandbox, it appends itself to the file. Then when you have downloaded a file and are ready to export it, it escapes out of the sandbox and gets executed by the user."

    When you take a file out of the sandbox you know you are exposing yourself to a risk. It's up to the user to do that and it will not be at all a fail of Sandboxie if something happens.

    *
     
    Last edited by a moderator: Mar 28, 2011
  9. markedmanner

    markedmanner Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    134
    So there must be a shared folder between the Host and VM. So the exploit only works on a VM that is not configured securely. I can totally understand how the host could get infected then. I def have no shared folders on my VM. As I said and will repeat I have yet to see a piece of malware that will defeat a properly configured VM or Sandboxie.
     
  10. markedmanner

    markedmanner Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    134
    He doesn't of course.. and all he has currently is malware that if run in the sandbox will modify/delete files in the sandbox.. Not really sure what that proves..
     
  11. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    Thanks, but you didn't really respond to my question. Posting a video or the binary of a PoC of an old fixed(?) vulnerability, what exactly will it prove?
    -http://seclists.org/-
    -http://lists.grok.org.uk/pipermail/full-disclosure/-

    Panagiotis
     
    Last edited: Mar 28, 2011
  12. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Wait, wait, wait... I start to understand now what's going on here.

    "XeroBank's vpn protects anonymity, and in this specific case, ajax won't be able to compromise your ip anonymity because all traffic will exit through the vpn. For protection against malware and evil application, we will be releasing safehouse which sandboxes everything between you and the internet."

    https://www.wilderssecurity.com/showpost.php?p=1828110&postcount=593

    That explains everything, at least for me.

    SteveTX: I'm afraid the behaviour you showed in this thread is not the right way to get a piece of the cake.

    :thumbd:
     
  13. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Correct.

    Incorrect. Sandboxie can fail in any way it is officially claimed to operate that can be exploited to circumvent the application's objective: prevent writing outside of sandboxie.

    You have to actually educate your users about what you shouldn't do, and one of the things they shouldn't do is actually suggested right on the sandboxie homepage.

    We currently have a PoC that proves we can break out of Sandboxie 3.34 and write to a real disk in the 2009 environment. I never claimed a current breakout attack, we haven't devoted any time to sandboxie in two years. Strawman claims don't become you.

    It's okay to admit you didn't understand, and that the PoC works in exactly the way i said, and that my original claim that running malware in sandboxes/VMs is a bad idea.

    You're reducing the scope of Sandboxie to its activity and attempting to exclude the claims Sandboxie makes. As I've stated multiple times in this thread and two years ago, Sandboxie's vulnerability isn't its activity, it is the claims:

    We professionally perform bugfinding services, because bug hunting takes time and therefore costs money. You're probably convinced by now that we did in fact defeat Sandboxie in 2009 in a few hours. So with those credentials, you can pay us to find you another bug, but we don't work for free. A trivial 0-day bug usually costs between $700 and $1500, a specific and exotic bug, like a sandbox breakout attack, would probably cost about $3k to $10k. A VM breakout attack, like on VMWare, might cost around $25k to $30k.

    I don't care a whit about sandboxie; what I care about are the misleading claims that are made by it in the specific context of running malware inside sandboxes and VMs, which is the only thing relevant in this thread, and you keep trying to make it personal. I keep telling you the exploit is not relevant, the vulnerability is, and you keep missing that either through willful ignorance or intellectual dishonesty.

    I've remained exceptionally reserved in the face of a pitchfork mob, and called a privileged user to task when called a liar. Only those trying to defend the "honor" of sandboxie are the ones resorting to underhanded techniques like ridiculous accusations, strawman claims, ad hominems, calls for bans, extortion demands, and more. You may want to re-evaluate your ideas of what behavior results in a ban.

    I've said everything I have to say, and I'll provide the PoC we made as promised at the time I promised. I won't be responding to any other posts in this thread until the PoC is released. Ciao
     
    Last edited: Mar 28, 2011
  14. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Ok, then show us a smart or strong malware which is able to make Sandboxie severely fail, please. Of course, to make it fail in its current version, not a 2-year-old version.

    The rest of your post is just blah blah blah if you are unable to show that.

    Who cares about a 2-year-old PoC that has been fixed already? Or who cares right now about the 2 holes I found in Sandboxie 2 years ago?

    Not me at least. I'm only interested in vulnerabilities in the last official release.
     
    Last edited: Mar 28, 2011
  15. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    So we can say that the incoming XeroBank's safehouse will severely fail, right?, because it's just a question of money and of finding someone that puts up the money to find the bugs.

    You are not going to sell much if you announce your product as a buggy and vulnerable piece of ~ Snipped as per TOS ~.

    Don't worry, when you announce the release of the software I'll be there to quote your own words.

    mwhahahahaha! :D
     
    Last edited by a moderator: Mar 28, 2011
  16. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    A couple of things -

    Tzuk must be aware of the specifics of the 2009 POC, if he was contacted, so he "could" vouch for what's been stated, or not.

    Sandboxie: downloads won't stay in sandbox - https://www.wilderssecurity.com/showthread.php?t=295508 - I'm not saying this is definitely related to STX's POC, but it "might" be a current vulnerability which "possibly" could be used as a breakout vector, and therefore used in conjunction with a payload etc ?
     
  17. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Tzuk is a member, so why not let him respond.:cautious:

    Actually Steve may very well be right on a couple of points.
     
  18. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Pay you to trash talk? You'd be a trillionaire by now. Let's just say that after the little circus show you played out here, Safehouse is on everyone's ~ Snipped as per TOS ~. How can we trust an incompetent and envious salesman to provide a product worth a damn?

    And no one cares about your warm steaming pile of claims. You made it clear that you had an irrational hatred of Sandboxie. How the hell, someone pays you to be a security expert - when you don't even know the basics of what sandboxes are meant for - is beyond me.

    Steve thinks he's a genius because he's describing a 2-year-old imaginary POC that he never released at the time (because it doesn't exist) that relied on kernel exploits of a 7-year-old, outdated service pack. Whatever happened to the 2 new exploits he found... just this morning!! holy cow!!!! this guy's on a roll.:D o_O What about the extraterrestrial malware that can disassemble and obliterate every OS ever made by man? A virus that is not only capable of bypassing sandboxes and VMs but is also capable of destroying your computer, causing it to spontaneously combust, wipe out all magnetic writable media within a 10 mile radius and kill your dog all at the same time!!!111

    There are some days when people are stressed out from problems in their life and/or forget to take their meds. But that doesn't give them the right to trashtalk and take it out on everyone that questions the fairytales they spew on here. Yes Steve I'm looking at you... And wipe that smirk off your face now :D . Spreading false rumors in the first grade might have been ok and funny, but slandering people in the business world will get you in deep crap where every word that is spoken is taken seriously.
     
    Last edited by a moderator: Mar 29, 2011
  19. markedmanner

    markedmanner Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    134
    I have not called anyone names here or attacked anyone. I personally do not believe ANY piece of security software is 100% secure. My entire point though is that I have yet to see a SINGLE piece of malware that will bypass a PROPERLY configured VM or Sandboxie. Every example of a bypass I have ever seen depends on something not configured securely. Like the example Steve gave here: Steve claims "sandboxie is moderately strong, but if it comes up against smarter or stronger malware, it severely fails." But where is this malware? I have never seen it in the wild. That is all I have to say and will be looking for the POC to be released when Safehouse does. Even though I am not sure why it has to wait until then especially since the claimed POC is from 2009 and has since been fixed.
     
  20. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Everyone is ok with the idea of software being bypassed. But we are not ok with rumors and theories without any evidence whatsoever.

    I think the reason he's posting it on his forum is to increase his daily visitor count of 2 hits.
     
  21. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    Let's take a look, shall we?

    Unsupported statement. No technical information given.

    Outrageous claim. I've never seen a single exploit work across all 3 platforms. No evidence supporting it. No proof of concept, no technical information

    You said it was a persistent threat... this implies an ongoing security concern, then you plug your product. No evidence, no technical information, no proof of concept. Nothing.

    You state the attack can't be prevented and it's inherent in the OS. You state you can't release the PoC because it's too devastating. No technical information, no PoC, etc. etc.

    You mention multiple PoC's that are working against Sandboxie. You say bypassing the Sandbox is trivial. No technical information, no PoC supplied, etc.

    Again citing multiple PoC's... No technical information, more vague claims.

    You only agree to test an old PoC (2 years old) on an operating system version (SP2) that is almost 4 years out of production. It's a long way from a currently devastating PoC that is OS agnostic. You still have provided no technical data nor any code from your PoC. Even one that is technically irrelevant from a security standpoint.

    You falsely imply you made a new discovery and pass it off as a security vulnerability. Both "discoveries" are plainly stated in the FAQ at sandboxie.com. Neither is outside the normal operating procedure of Sandboxie, and nothing needs to be done for this to occur. Both occur naturally, every single time you use the sandbox. In other words, you've done nothing other than show us that you don't even understand how the technology is supposed to work.


    In summary:

    Steve, if you look at all of this, can you honestly say that the community has acted unreasonably? Take a look at everything you've said. You've made outrageous claims and you still have not shown proof of any code produced by yourself that bypasses sandboxie... at any time.

    You've implied sandboxie is easily bypassed, that you have multiple working PoC's, and have made several other unsupported or disingenuous claims.

    I think you are lucky you haven't been perm banned already. You've said a lot of crazy things in this thread, and to this date have not produced a single shred of evidence to support any claim you've made. You've made vague statements and silly statements in a room full of security experts.

    This has nothing to do with people defending Sandboxie. It's a powerful product, but it is not impenetrable. Certain kernel vulnerabilities can bypass Sandboxie, and there are probably yet-to-be-found 0-day exploits. Most of us know this. However, your claims have been extraordinary, and of little substance.

    What you are seeing here is a group of security professionals calling out someone who appears to be dishonest and trolling to market his own product. This is shameless behavior and cannot be tolerated. It's like you are trying to sell a line of BS to people who understand this aspect of security far better than you. Considering what you've said, I think you have dug your own hole. This is why everyone is calling for you to be banned. I agree with them. I think the mods would be crazy if they didn't at least temp ban you.
     
    Last edited: Mar 28, 2011
  22. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    And just as an FYI, crafting malware after the fact against a 2-year-old version gives no credibility.

    Resorting to the exploitation of an old vulnerable system kernel earns you a big fat zero in my book. It has been said by Tzuk and other experts numerous times that kernel exploits are rare but could cause a breach of all security software on the platform. But just like privilege escalation exploits these too are quickly patched by MS. So you either demonstrate a working POC against the most current version on a fully patched current OS or just beat it :thumb:

    As for VMs, the only possible way that real security researchers found for a theoretical breach was through the shared folder feature. This isn't a problem because of three factors:

    1- Such exploits are small in number and frequency and patched quickly.
    2- You could set shared folders between guest and host as read-only
    3- Shared folders are disabled by default in Vbox, making it foolproof out of the box.

    As VMs rely on a separate hypervisor from the host's kernel, they are safe from kernel exploitation of the guest OS.


    I said it a hundred times already and I'll say it again: WITH NO CODE, NOTHING YOU SAY MATTERS.
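    The shared-folder points above (read-only shares, none by default) are the kind of thing a malware-analysis host should actually verify rather than assume. The script below is an added example, not from this thread or from VirtualBox; it audits a VM's shared folders from `VBoxManage showvminfo` output and prints the commands that turn a writable share read-only. The line format it parses (`Name: '<name>', Host path: '<path>' (machine mapping), writable|readonly[, auto-mount]`) is an assumption, so a constructed sample is embedded and used when VBoxManage is not installed.

```shell
#!/bin/sh
# Added defender-side audit, not code from the thread. Assumes the human-readable
# `VBoxManage showvminfo <vm>` output lists each shared folder as
#   Name: '<name>', Host path: '<path>' (machine mapping), writable|readonly[, auto-mount]
# (assumed format). VBoxManage itself is only called when it is installed.

# Constructed sample of showvminfo output for a hypothetical analysis VM.
sample_info() {
cat <<'EOF'
Name:                        analysis-xp
Shared folders:

Name: 'transfer', Host path: '/srv/vm/transfer' (machine mapping), writable, auto-mount
Name: 'samples', Host path: '/srv/vm/samples' (machine mapping), readonly
EOF
}

# Read showvminfo text on stdin; print "<name> <path>" for every share the
# guest can write to. A writable share is the guest-to-host path the thread's
# VM discussion turns on, so each line printed here is a finding.
writable_folders() {
    grep "^Name: '" \
    | grep -E "\), writable(,|$)" \
    | sed -E "s/^Name: '([^']*)', Host path: '([^']*)'.*/\1 \2/"
}

# Status 0 when the showvminfo text on stdin shows no writable share.
vm_is_isolated() {
    [ -z "$(writable_folders)" ]
}

# Print the VBoxManage commands that recreate one share read-only.
# `sharedfolder remove`, `sharedfolder add` and `--readonly` are real options.
harden_cmds() {
    name=$1; path=$2; vm=$3
    printf 'VBoxManage sharedfolder remove "%s" --name "%s"\n' "$vm" "$name"
    printf 'VBoxManage sharedfolder add "%s" --name "%s" --hostpath "%s" --readonly\n' \
        "$vm" "$name" "$path"
}

# Audit a real VM when VBoxManage exists; otherwise audit the embedded sample.
audit_vm() {
    vm=$1
    if command -v VBoxManage >/dev/null 2>&1; then
        info=$(VBoxManage showvminfo "$vm")
    else
        info=$(sample_info)
    fi
    printf '%s\n' "$info" | writable_folders | while read -r name path; do
        echo "WRITABLE SHARE on $vm: $name -> $path"
        harden_cmds "$name" "$path" "$vm"
    done
}

audit_vm analysis-xp
```

    On the sample the audit flags only `transfer`; deleting the share outright is the stricter option when the VM does not need it at all.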
     
  23. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Hey there, markedmanner. I'm not aware of nor have a single POC myself, no.

    @SteveTX...it's about time you hushed. I don't mean it in a rude manner, but every post you make is digging a deeper and deeper hole. I sincerely hope this "promised time" still isn't after you've released your "Safehouse", which, if I understand right, is a sandboxed browser/app itself...that would look eh, really screwy. You know, you talk about people leaving Wilders forever if you're right, and despise being called names and such (by the way, toughen up, people get called out and insulted here pretty darn often, usually over things far more trivial than your doomsday device), but, if you want your proof to be seen and to have redemption, you have to make the step. Nobody else is going to put you in contact with this and that researcher, or pay you money to test further and what have you. You made the claim, everything is on you at this point. I've said my piece on this as well now.

    -edit-

    Wait, I'm certain this will go down as a stupid question, but, if this thing can take down virtual environments..what about Chrome's sandbox? Has anyone busted through Comodo's sandbox? Avast's (Avast may not be fair, it's new, but it seems a fair question to ask)? If it can break out of the likes of VM and Sandboxie, surely these other sandboxes are either much more easily busted open or at least on par in difficulty. I'm not trying to throw another match into the blazing inferno this thread has become, I'm simply curious.
     
    Last edited: Mar 28, 2011
  24. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Shouldn't all of this discussion about SteveTX's incredible "destroys every OS, SB, VM, but only on 2009 environments" claims be on a separate thread?
     
  25. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Only StevieBoy's Safehouse is immune.
     