A malware defeating a Sandbox, a VM and an AV - Case Study

H

HarborFront

Level 72
Thread author
Verified
Top Poster
Content Creator
Oct 9, 2016
6,144
I found an interesting case on the net. It was in the year 2009. I have to assume the case is true.

Read here

Trojan checks for SandBoxIE presence? - Security | DSLReports Forums

Forum discussion: Damn, I knew there are trojans/rootkits checking if they're being started up inside a VM. Now it seems they can check if they're being run inside a sandbox too? I downloaded an executable from Usenet called &quote;inositol and anxiety disorder[Compress
www.dslreports.com www.dslreports.com

Apparently, the user ran SandboxieIE inside VMWare but the malware does nothing. Ran outside SB/VM and the trojan came alive. Likely to be a VM/SB-evading malware. NOD32 also detects nothing when the malware was ran outside the VM/SB environment.

To conclude

In that year in 2009 SB/VM likely not very robust/secure and the trojan signature wasn't updated in NOD32.

What’s the damage done?

Apparently, some privacy info being stolen and files being uploaded to ftp server

Quote from the link

Tuulilapsi

Member

2009-Jul-9 9:56 am

Sounds like the kind of simple and to the point malware that will fool quite a lot of people. Perhaps this is a nice case example of how software firewall outbound monitoring can sometimes be of quite a lot of use. I would expect that even many of the gullible folks would get suspicious if their firewall tells them that the archive file they just executed wants to connect to an FTP!

Unquote

A malware defeating a sandbox, a VM and an AV.

Do you think outbound monitoring by a firewall will help in this case? Can firewall prevent privacy info being exfiltrated?

How to prevent a malware from defeating 3 security apps (a sandbox, a VM and an AV/AM) in today's context say just ignore the outbound monitoring by a firewall? Add another security app? Like what in this case?
 
Last edited:
  • Like
Reactions: TRS-80, Nevi, roger_m and 6 others
F

ForgottenSeer 823865

The malware defeated nothing, it just detected it was in a VM/sandbox, probably by checking some specific DLLs and stay dormant until the user decide to move it outside. Nothing new there. Only people that blindly trust their isolation software will get fooled.
 
  • Like
  • Applause
Reactions: fabiobr, Mercenary, TRS-80 and 12 others
L

Local Host

Umbra said:
The malware defeated nothing, it just detected it was in a VM/sandbox, probably by checking some specific DLLs and stay dormant until the user decide to move it outside. Nothing new there. Only people that blindly trust their isolation software will get fooled.
Click to expand...
Agreed, a good chunk of malware does that VM check, but it didn't defeat the VM whasoever, it was user error as always that got him exposed (by running the malware outside VM).
 
  • Like
Reactions: Protomartyr, oldschool, DDE_Server and 2 others
H

HarborFront

Level 72
Thread author
Verified
Top Poster
Content Creator
Oct 9, 2016
6,144
Umbra said:
The malware defeated nothing, it just detected it was in a VM/sandbox, probably by checking some specific DLLs and stay dormant until the user decide to move it outside. Nothing new there. Only people that blindly trust their isolation software will get fooled.
Click to expand...
When the SB/VM fails to isolate the SB/VM - evading malware then the combo is seen as being defeated. Of course the other way of looking at defeat is the malware can cause damages running inside/outside the sandbox and VM
 
Last edited:
  • Like
Reactions: TRS-80, roger_m, oldschool and 3 others
H

HarborFront

Level 72
Thread author
Verified
Top Poster
Content Creator
Oct 9, 2016
6,144
Now I understand why @Lightning_Brian 's Security Config 2020 has Sandboxie, Shadow Defender and VMWare Workstation Pro with Norton Security Premium and VS Premium

malwaretips.com

Advanced Plus Security - Lightning_Brian's 2020 Security Config

Hello Everyone at MT! Hope everyone is having a great day! Here is my 2020 build. I keep fairly current without many changes compared to my last update from Nov. 2019. I will highlight some changes in the change log section so you can see what I have changed in the last few months. Let me know...
malwaretips.com malwaretips.com
 
Last edited:
  • Like
  • Thanks
  • Applause
Reactions: Mercenary, TRS-80, Lightning_Brian and 4 others
H

HarborFront

Level 72
Thread author
Verified
Top Poster
Content Creator
Oct 9, 2016
6,144
Umbra said:
Failing to isolate is if the said malware can jump from the isolated environment to the real system by itself. The only way i can see it happening is by memory abuse.
Click to expand...
Failing to isolate is because the malware detects the presence of a SB/VM. This is similarly true of those AV-evading malware. It means the security apps failed to do their job because that's what they are designed to do. The security app companies must find some ways to overcome this. You simply can't expect an AV company not to take action on AV-evading malware likewise for SB/VM companies

Yes, your explanation is also valid
 
Last edited:
  • Like
Reactions: Protomartyr and DDE_Server
F

ForgottenSeer 823865

HarborFront said:
Failing to isolate is because the malware detects the presence of a SB/VM. This is similarly true of those AV-evading malware. It means the security apps failed to do their job because that's what they are designed to do. The security app companies must find some ways to overcome this. You simply can't expect an AV company not to take action on AV-evading malware likewise for SB/VM companies
Click to expand...
You are missing the point, a sandbox or VM isn't made to detect a malware, it is not its scope, it is to prevent an isolated object (legit or malicious) to interact with the real system.
An AV is to detect malware whatever they are. This is not the job of a VM/sandbox.
in the past there was a sandbox bypass, where the malware really get out from the sandbox by itself.
This is not the case here.
 
  • Like
Reactions: ebocious, TRS-80, roger_m and 5 others
H

HarborFront

Level 72
Thread author
Verified
Top Poster
Content Creator
Oct 9, 2016
6,144
Umbra said:
You are missing the point, a sandbox or VM isn't made to detect a malware, it is not its scope, it is to prevent an isolated object (legit or malicious) to interact with the real system.
An AV is to detect malware whatever they are. This is not the job of a VM/sandbox.
in the past there was a sandbox bypass, where the malware really get out from the sandbox by itself.
This is not the case here.
Click to expand...

I never say the SB/VM is used for detection.

So you are saying that if there are many SB/VM-evading malware prevailing now the concerned companies are not going to take action on their part? Simply put it's your problem because their app is secure.

To reiterate

How to prevent a malware from defeating 3 security apps (a sandbox, a VM and an AV/AM) in today's context say just ignore the outbound monitoring by a firewall? Add another security app? Like what in this case?
 
  • Like
Reactions: oldschool and DDE_Server
F

ForgottenSeer 823865

HarborFront said:
I never say the SB/VM is used for detection.

So you are saying that if there are many SB/VM-evading malware the concerned companies are not going to take action on their part? Simply put it's your problem because their app is secure.
Click to expand...
What they can do? put an AV in their VM/sandbox? i dont think so...sandboxie tried with a BB for the corporate edition.
some apps like ReHIPS add a anti-exe on top to get more security, reason why i consider it the top sandbox at the moment.
The only measure they can do is to rename the dlls they use, so the malware can't detect it, but it won't last long since the malware writers will just adapt.
 
  • Like
Reactions: TRS-80, roger_m, Protomartyr and 4 others
H

HarborFront

Level 72
Thread author
Verified
Top Poster
Content Creator
Oct 9, 2016
6,144
Umbra said:
What they can do? put an AV in their VM/sandbox? i dont think so...sandboxie tried with a BB for the corporate edition.
some apps like ReHIPS add a anti-exe on top to get more security, reason why i consider it the top sandbox at the moment.
The only measure they can do is to rename the dlls they use, so the malware can't detect it, but it won't last long since the malware writers will just adapt.
Click to expand...
I'm not sure what the SB/VM companies can do on their part. However, I believe the AV companies can do more than just give excuses that those are AV-evading malware so not for their AV/AM to detect

So you think adding an anti-exe helps? What about using Voodoo Shield? Can ReHIPS and VS prevent privacy data exfiltration?
 
  • Like
Reactions: Protomartyr and DDE_Server
F

ForgottenSeer 823865

HarborFront said:
I'm not sure what the SB/VM companies can do on their part. However, I believe the AV companies can do more than just give excuses that those are AV-evading malware so not for their AV to detect
Click to expand...
that is AV vendors problem.

So you think adding an anti-exe helps? What about using Voodoo Shield? Can ReHIPS and VS prevent privacy data exfiltration?
Click to expand...
if exfiltration (aka call home) is made via an executed LOLbin, yes.
if fully memory-based abusing an already running process, no.
 
  • Like
Reactions: ebocious, TRS-80, Protomartyr and 4 others
H

HarborFront

Level 72
Thread author
Verified
Top Poster
Content Creator
Oct 9, 2016
6,144
Outpost said:
In this case, the malware was executed voluntarily and manually outside the VM. We cannot speak of defeat. The VM was not beaten. If anything, the AV was "defeated"
Click to expand...
If now is the season of SB/VM-evading malware what are you going to do with the SB/VM if you have installed them?
 
  • Like
Reactions: DDE_Server
F

ForgottenSeer 823865

HarborFront said:
If now is the season for SB/VM-evading malware what are you going to do with the SB/VM if you have installed them?
Click to expand...
That is the concern of people that rely only on a sandbox/VM as main protection, which they shouldn't...

HarborFront said:
If you can stop the calling home then you can stop the malware action, no? That's where Adguard and BFP shines, right?
Click to expand...
i dont know for BFP, never used it, but Adguard is just an adblocker, it doesn't block processes unless they want reach a known malicious domain...
and if the domain is brand new one, which is often the case, then Adguard won't do much.
 
  • Like
Reactions: ebocious, TRS-80, roger_m and 6 others

Similar threads

Xeno1234
    • Like
Question Is running a stealer malware in a fresh VM safe?
Replies
35
Views
2,683
General Security Discussions
Xeno1234
Xeno1234
Amnesia
    • Like
Advice Request Decade old Firewall hardware, a huge security risk or beneficial under the right usage?
Replies
9
Views
354
General Security Discussions
simmerskool
simmerskool
Xeno1234
    • Like
    • Applause
Serious Discussion How to set up a safe environment for Malware Testing
Replies
18
Views
1,464
General Security Discussions
ForgottenSeer 97327
F

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top