Sandboxie has been bypassed

Re: Sandboxie has been bypassed
ssj100

Sounds good, and that's why I don't rely on Sandboxie alone. What Sandboxie misses will be picked up by Defense+ (classical HIPS). I just can't stress how well this combination works. By the way, care to share a bit more detail on how Sandboxie was bypassed? Please PM me the malware samples or technique. I'd like to test it in my sandboxed VM haha.

Buster

Under VM (VMware) I was unable to reproduce the leak. I think this happens because the malware is aware of the virtual machine.

As usual, all the information related to the hole will be kept private, and as soon as the problem is solved (if there is something to solve... still waiting for tzuk's reply to agree about my findings) tzuk will decide what information he wants to share.

nick s

If possible, I would like to take a look at the sample's behavior as well. Thanks in advance.

ssj100

Wow, sounds like very, very smart malware... I've never heard of malware being able to be aware of the virtual machine and not leak out because of that. By the way, I use VirtualBox, so maybe I'll be able to reproduce the leak.

Buster

Malware that is aware of virtual machines or sandboxing techniques simply stops executing when it detects that it is being run under such an environment.

ssj100

I wonder how they tell they are being run in a virtual machine. Also, are you just running Sandboxie? Are you running anything else?

Buster

If you google a bit you will find many sites commenting on virtual machine detection. Yes, I'm running only Sandboxie.

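The two Buster posts above describe the analyst's problem from the defender's side: a VM-aware sample that simply exits under VMware or Virtual PC produces a "nothing happened" result that cannot be trusted, which is why the thread ends up asking for bare-metal testers. A cheap way to catch that case before wasting a VM run is a static triage pass that flags samples carrying the well-known VM, guest-tools and Sandboxie artifact strings such malware looks for. The Python below is an added example written for this thread, not code from Sandboxie or from any poster; the artifact list is a deliberately short, assumed set of widely documented names, and the sample bytes are constructed, not a real binary.

```python
"""
Static triage for VM- and sandbox-aware samples (added example).

Scans a file image for product, process and DLL names that evasive malware
typically checks for before deciding to run, so that a sample which shows no
behaviour inside a VM is routed to a bare-metal test instead of being written
off as harmless. Assumptions: the artifact list is a small hand-picked set;
the sample bytes below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Artifact strings commonly associated with VM / sandbox awareness.
# Keys are lower-case search needles; values are human-readable labels.
VM_ARTIFACTS: Dict[str, str] = {
    "vmware": "VMware product string",
    "vmtoolsd.exe": "VMware guest tools process",
    "vbox": "VirtualBox product string",
    "vboxservice.exe": "VirtualBox guest service process",
    "virtual pc": "Microsoft Virtual PC product string",
    "qemu": "QEMU product string",
    "sbiedll.dll": "Sandboxie helper DLL injected into sandboxed processes",
}


@dataclass(frozen=True)
class Hit:
    artifact: str   # needle from VM_ARTIFACTS
    encoding: str   # "ascii" or "utf-16le"
    offset: int     # byte offset of the match in the scanned image


def find_vm_artifacts(data: bytes) -> List[Hit]:
    """Return every artifact occurrence, in both narrow and wide string form.

    Windows binaries often store strings as UTF-16LE, so a narrow-only scan
    misses e.g. L"VBoxService.exe". Matching is case-insensitive:
    bytes.lower() folds ASCII letters and leaves the NUL bytes of UTF-16LE
    text untouched, so one lowered copy serves both encodings.
    """
    lowered = data.lower()
    hits: List[Hit] = []
    for needle in VM_ARTIFACTS:
        for enc in ("ascii", "utf-16le"):
            pattern = needle.encode(enc)
            start = 0
            while (idx := lowered.find(pattern, start)) != -1:
                hits.append(Hit(needle, enc, idx))
                start = idx + 1
    return sorted(hits, key=lambda h: h.offset)


def artifact_summary(data: bytes) -> Dict[str, str]:
    """Distinct artifacts found, mapped to their labels."""
    return {h.artifact: VM_ARTIFACTS[h.artifact] for h in find_vm_artifacts(data)}


def needs_bare_metal(data: bytes) -> bool:
    """Triage rule: any VM/sandbox artifact string means a 'did nothing in
    the VM' verdict is untrustworthy and the sample should go to a physical
    host (with the usual isolation and restore plan in place)."""
    return bool(find_vm_artifacts(data))


# Constructed sample: a fake PE header stub followed by strings a VM-aware
# sample might embed. Not a real binary.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n"
    + b"SOFTWARE\\VMware, Inc.\\VMware Tools\x00"          # registry path, narrow
    + "VBoxService.exe".encode("utf-16le") + b"\x00\x00"   # process name, wide
    + b"SbieDll.dll\x00"                                   # Sandboxie DLL, narrow
    + b"kernel32.dll\x00GetTickCount\x00"
)

# Constructed clean image for comparison.
CLEAN = b"MZ\x90\x00" + b"\x00" * 60 + b"kernel32.dll\x00CreateFileW\x00"

if __name__ == "__main__":
    for h in find_vm_artifacts(SAMPLE):
        print(f"0x{h.offset:06x} {h.encoding:<9} {h.artifact:<16} "
              f"{VM_ARTIFACTS[h.artifact]}")
    print("route to bare metal:", needs_bare_metal(SAMPLE))
```

This is a heuristic, not a verdict: legitimate guest-tools installers and sandbox-aware utilities mention the same names, so a hit only changes where the sample is run next. The point of scanning both encodings is that a narrow-only `strings` pass would have missed the wide `VBoxService.exe` in the constructed sample while still flagging it on the narrow VMware path.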
ssj100

Interesting. Anyway, sounds like you might want to add a classical HIPS, mate - perhaps that would have solved your problem?

DarthTrader

Hi Buster,

One question here. Can this malware be stopped with hardware-enforced DEP?

DarthTrader

tzuk

So far I've not been able to get infected through Sandboxie. I guess I'll have more to say when I hear back from Buster.

Buster

tzuk has been testing under Virtual PC and he was unable to reproduce the leak.

As I commented, I'm pretty sure the malware is aware when it's being run under a virtual machine, and that would explain why tzuk failed to confirm the leak. Even when running inside virtual machines the malware's behaviour is different: while under VMware I'm unable to infect the system when I run the malware normally (no Sandboxie), tzuk under Virtual PC is able to infect the system when he runs the malware normally. tzuk didn't try the malware on a real system, so we need people who are not afraid of testing the malware on a real system to confirm the leak. The malware can be removed in 2 minutes very easily. I would explain to testers how to remove the malware. I would prefer people not running additional security applications, like Deep Freeze, because the malware could be aware of that kind of application and change its behaviour.

To sum up: we need people who run the malware on a real system under Sandboxie, without any other security apps. Any volunteers to test the leak?

Buster

I don't know, sorry. How do I check that?

DarthTrader

First, download and run this utility and tell us what you see. Edit: Link http://www.grc.com/securable.htm

Last edited by DarthTrader on Thu Aug 20, 2009 1:18 pm; edited 1 time in total

Ruhe

Hi Buster,

Send me a PM, I will test it on a native system. Send me a download link and your instructions on how to remove it after testing. I'm just running Sandboxie 3.39.07 and Avira Premium Security Suite 9. Yes, I know what I'm doing. You will not be responsible for any damages or whatever.

Last edited by Ruhe on Thu Aug 20, 2009 1:28 pm; edited 1 time in total