A malware defeating a Sandbox, a VM and an AV - Case Study

HarborFront

Level 71
Thread author
Verified
Top Poster
Content Creator
Oct 9, 2016
6,014
I found an interesting case on the net. It was in the year 2009. I have to assume the case is true.

Read here


Apparently, the user ran SandboxieIE inside VMWare but the malware did nothing. Run outside SB/VM, the trojan came alive. Likely a VM/SB-evading malware. NOD32 also detected nothing when the malware was run outside the VM/SB environment.

To conclude

In that year, 2009, SB/VM were likely not very robust/secure, and the trojan signature wasn't updated in NOD32.

What’s the damage done?

Apparently, some privacy info was stolen and files were uploaded to an FTP server.

Quote from the link

Tuulilapsi

Member

2009-Jul-9 9:56 am

Sounds like the kind of simple and to the point malware that will fool quite a lot of people. Perhaps this is a nice case example of how software firewall outbound monitoring can sometimes be of quite a lot of use. I would expect that even many of the gullible folks would get suspicious if their firewall tells them that the archive file they just executed wants to connect to an FTP!

Unquote

A malware defeating a sandbox, a VM and an AV.

Do you think outbound monitoring by a firewall will help in this case? Can firewall prevent privacy info being exfiltrated?

How do you prevent malware from defeating 3 security apps (a sandbox, a VM and an AV/AM) in today's context, say, ignoring the outbound monitoring by a firewall? Add another security app? Like what, in this case?

ForgottenSeer 823865

The malware defeated nothing; it just detected it was in a VM/sandbox, probably by checking some specific DLLs, and stayed dormant until the user decided to move it outside. Nothing new there. Only people that blindly trust their isolation software will get fooled.

Local Host

The malware defeated nothing; it just detected it was in a VM/sandbox, probably by checking some specific DLLs, and stayed dormant until the user decided to move it outside. Nothing new there. Only people that blindly trust their isolation software will get fooled.
Agreed, a good chunk of malware does that VM check, but it didn't defeat the VM whatsoever; it was user error, as always, that got him exposed (by running the malware outside the VM).
 

HarborFront

The malware defeated nothing; it just detected it was in a VM/sandbox, probably by checking some specific DLLs, and stayed dormant until the user decided to move it outside. Nothing new there. Only people that blindly trust their isolation software will get fooled.
When the SB/VM fails to isolate the SB/VM-evading malware, then the combo is seen as being defeated. Of course, the other way of looking at defeat is that the malware can cause damage running inside/outside the sandbox and VM.
 

HarborFront

Now I understand why @Lightning_Brian's Security Config 2020 has Sandboxie, Shadow Defender and VMWare Workstation Pro with Norton Security Premium and VS Premium.


HarborFront

Failing to isolate is if the said malware can jump from the isolated environment to the real system by itself. The only way I can see it happening is by memory abuse.
Failing to isolate is because the malware detects the presence of a SB/VM. This is similarly true of those AV-evading malware. It means the security apps failed to do their job, because that's what they are designed to do. The security app companies must find some ways to overcome this. You simply can't expect an AV company not to take action on AV-evading malware; likewise for SB/VM companies.

Yes, your explanation is also valid.
 

ForgottenSeer 823865

Failing to isolate is because the malware detects the presence of a SB/VM. This is similarly true of those AV-evading malware. It means the security apps failed to do their job, because that's what they are designed to do. The security app companies must find some ways to overcome this. You simply can't expect an AV company not to take action on AV-evading malware; likewise for SB/VM companies.
You are missing the point: a sandbox or VM isn't made to detect malware, that is not its scope; it is to prevent an isolated object (legit or malicious) from interacting with the real system.
An AV is to detect malware, whatever they are. This is not the job of a VM/sandbox.
In the past there was a sandbox bypass, where the malware really got out of the sandbox by itself.
This is not the case here.
 

HarborFront

You are missing the point: a sandbox or VM isn't made to detect malware, that is not its scope; it is to prevent an isolated object (legit or malicious) from interacting with the real system.
An AV is to detect malware, whatever they are. This is not the job of a VM/sandbox.
In the past there was a sandbox bypass, where the malware really got out of the sandbox by itself.
This is not the case here.

I never said the SB/VM is used for detection.

So you are saying that if there are many SB/VM-evading malware prevailing now, the concerned companies are not going to take action on their part? Simply put, it's your problem because their app is secure.

To reiterate

How do you prevent malware from defeating 3 security apps (a sandbox, a VM and an AV/AM) in today's context, say, ignoring the outbound monitoring by a firewall? Add another security app? Like what, in this case?

ForgottenSeer 823865

I never said the SB/VM is used for detection.

So you are saying that if there are many SB/VM-evading malware, the concerned companies are not going to take action on their part? Simply put, it's your problem because their app is secure.
What can they do? Put an AV in their VM/sandbox? I don't think so... Sandboxie tried with a BB for the corporate edition.
Some apps like ReHIPS add an anti-exe on top to get more security, which is the reason I consider it the top sandbox at the moment.
The only measure they can take is to rename the DLLs they use, so the malware can't detect it, but it won't last long since the malware writers will just adapt.
 

HarborFront

What can they do? Put an AV in their VM/sandbox? I don't think so... Sandboxie tried with a BB for the corporate edition.
Some apps like ReHIPS add an anti-exe on top to get more security, which is the reason I consider it the top sandbox at the moment.
The only measure they can take is to rename the DLLs they use, so the malware can't detect it, but it won't last long since the malware writers will just adapt.
I'm not sure what the SB/VM companies can do on their part. However, I believe the AV companies can do more than just give excuses that those are AV-evading malware, so not for their AV/AM to detect.

So you think adding an anti-exe helps? What about using Voodoo Shield? Can ReHIPS and VS prevent privacy data exfiltration?

ForgottenSeer 823865

I'm not sure what the SB/VM companies can do on their part. However, I believe the AV companies can do more than just give excuses that those are AV-evading malware, so not for their AV to detect.
That is the AV vendors' problem.

So you think adding an anti-exe helps? What about using Voodoo Shield? Can ReHIPS and VS prevent privacy data exfiltration?
If exfiltration (aka call home) is made via an executed LOLbin, yes.
If it is fully memory-based, abusing an already running process, no.
 

HarborFront

In this case, the malware was executed voluntarily and manually outside the VM. We cannot speak of defeat. The VM was not beaten. If anything, the AV was "defeated".
If now is the season of SB/VM-evading malware, what are you going to do with the SB/VM if you have installed them?

ForgottenSeer 823865

If now is the season for SB/VM-evading malware, what are you going to do with the SB/VM if you have installed them?
That is the concern of people that rely only on a sandbox/VM as main protection, which they shouldn't...

If you can stop the calling home then you can stop the malware action, no? That's where Adguard and BFP shines, right?
I don't know about BFP, never used it, but Adguard is just an adblocker; it doesn't block processes unless they want to reach a known malicious domain...
And if the domain is a brand new one, which is often the case, then Adguard won't do much.
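Two points in this thread translate into concrete outbound-monitoring logic: Tuulilapsi's remark that a firewall prompt on "the archive file you just executed wants to connect to an FTP" would tip off most users, and ForgottenSeer's caveats that a blocklist of known-bad domains misses brand new domains and that exfiltration through an already running trusted process slips past process-based rules. The script below is an added example written for this thread, not code from the thread, MalwareTips, or any product mentioned. It scores constructed outbound-connection log lines (constructed, not real telemetry) with four rules: process launched from a user-writable path, plain FTP as the channel, a living-off-the-land binary making a network call, and a destination domain that is unknown or first seen within the last 7 days. The domain-age table is a constructed stand-in for a WHOIS or passive-DNS lookup; the line for browser.exe shows the memory-based case, where only the domain-age rule still fires.

```python
"""Toy outbound-connection monitor (constructed example, not a product's code).

Each log line is: ISO timestamp|pid|process path|destination host|destination port
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed sample log lines, modelled on the thread's scenario (a freshly
# downloaded payload opening an FTP session); not real telemetry.
SAMPLE_LOG = """\
2009-07-09T09:50:12|4120|C:\\Users\\alice\\Downloads\\photos.exe|ftp.dropzone.test|21
2009-07-09T09:50:13|1288|C:\\Windows\\System32\\svchost.exe|updates.vendor.test|443
2009-07-09T09:50:20|2210|C:\\Windows\\System32\\certutil.exe|cdn.freshdomain.test|80
2009-07-09T09:50:25|1992|C:\\Program Files\\Browser\\browser.exe|cdn.freshdomain.test|443
"""

# Constructed stand-in for a domain-age lookup (real deployments query WHOIS
# or passive DNS); hosts missing from the table are treated as unknown.
DOMAIN_FIRST_SEEN: dict[str, date] = {
    "updates.vendor.test": date(2005, 1, 1),
    "ftp.dropzone.test": date(2009, 7, 8),
    "cdn.freshdomain.test": date(2009, 7, 9),
}
FTP_PORTS = {21, 990}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\temp\\", "c:\\windows\\temp\\")
# Signed system binaries commonly abused to fetch or upload data (assumed list).
LOLBINS = {"certutil.exe", "bitsadmin.exe", "powershell.exe", "mshta.exe", "rundll32.exe"}
NEW_DOMAIN_WINDOW = timedelta(days=7)


@dataclass
class Connection:
    when: datetime
    pid: int
    process: str
    host: str
    port: int


def parse_line(line: str) -> Connection:
    """Parse one pipe-delimited log line into a Connection record."""
    when, pid, process, host, port = line.strip().split("|")
    return Connection(datetime.fromisoformat(when), int(pid), process, host.lower(), int(port))


def assess(conn: Connection) -> list[str]:
    """Return the reasons this connection deserves a prompt or block; empty list means allow."""
    reasons: list[str] = []
    path = conn.process.lower()
    exe = path.rsplit("\\", 1)[-1]
    if path.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("process runs from a user-writable path")
    if conn.port in FTP_PORTS:
        reasons.append("plain FTP is an unusual upload channel for a desktop app")
    if exe in LOLBINS:
        reasons.append(f"{exe} is a living-off-the-land binary making a network call")
    first_seen = DOMAIN_FIRST_SEEN.get(conn.host)
    if first_seen is None or conn.when.date() - first_seen < NEW_DOMAIN_WINDOW:
        reasons.append("destination domain is unknown or first seen within the last 7 days")
    return reasons


def monitor(log_text: str) -> dict[int, list[str]]:
    """Map each pid in the log to its reasons; a pid with an empty list would be allowed silently."""
    verdicts: dict[int, list[str]] = {}
    for line in log_text.splitlines():
        if line.strip():
            conn = parse_line(line)
            verdicts[conn.pid] = assess(conn)
    return verdicts


if __name__ == "__main__":
    for pid, reasons in monitor(SAMPLE_LOG).items():
        print(pid, "ALLOW" if not reasons else "PROMPT: " + "; ".join(reasons))
```

Running it, the downloaded photos.exe trips three rules at once (user-writable path, FTP, one-day-old domain), svchost.exe to a long-established vendor host is allowed, certutil.exe is caught as a LOLbin talking to a brand new domain, and browser.exe, standing in for a trusted process whose memory has been hijacked, is flagged by the domain-age rule alone. That last line is the practical answer to the "brand new domain" objection: a process-centric firewall and a known-bad domain list each miss part of the picture, and domain age is the signal that still catches the remainder.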