A malware defeating a Sandbox, a VM and an AV - Case Study

HarborFront

Level 71
Thread author
Verified
Top Poster
Content Creator
Oct 9, 2016
6,014
That is the concern of people that rely only on a sandbox/VM as main protection, which they shouldn't...


I don't know about BFP, never used it, but Adguard is just an adblocker; it doesn't block processes unless they try to reach a known malicious domain...
and if the domain is a brand new one, which is often the case, then Adguard won't do much.
I believe Adguard and BFP (and others like Blokada) work similarly, and that is blocking untrusted known servers, e.g. FB, Google etc. I doubt they can block anything from untrusted unknown servers, e.g. a rogue individual running his own server, unless you block his IP address... that comes later.
 

ForgottenSeer 69673

Sadly, a firewall, unless it has some kind of IDS/IPS/traffic analysis, won't do much if the connection is made by an abused legitimate process.
Fort Knox does have an IPS along with many other things, like anti-spoofing, and you can make your own rules: https://www.netgate.sk/content/view/18/41/
 

Local Host

Claiming the malware defeated the VM in this situation is the same as claiming a thief defeated your alarm after you disabled it.

As for HarborFront's opinion, it is the same as claiming your alarm was defeated because the thief saw it and refused to even try to enter your house.

Both ridiculous, as in both situations the alarm (VM) worked as intended.
 

Digmor Crusher

Level 23
Verified
Top Poster
Well-known
Jan 27, 2018
1,236
Pff, I test malware in a VM with Sandboxie using Shadow Defender and Rollback RX; as far as I know nothing has got past it. However, I am not sure, as every time I do a test my computer blue screens and I have to reinstall Windows. But I am 10 for 10, nothing has infected me yet.
 

Lightning_Brian

Level 15
Verified
Top Poster
Content Creator
Sep 1, 2017
742
Now I understand why @Lightning_Brian's Security Config 2020 has Sandboxie, Shadow Defender and VMWare Workstation Pro with Norton Security Premium and VS Premium


Yeah I take security to a whole new level! haha Yeah call me a little quirky or goofy, but I take things mighty seriously - that is for sure. I lock down all possible avenues when testing stuff. That is why I also have a unique and "my own" backup method using multiple backup software for various reasons. I can back out of whatever mess may be created when testing stuff fairly easily.

Thank you for understanding why @HarborFront !!

~Brian
 

Outpost

Level 5
Verified
Well-known
Jan 11, 2020
220
Pff, I test malware in a VM with Sandboxie using Shadow Defender and Rollback RX; as far as I know nothing has got past it. However, I am not sure, as every time I do a test my computer blue screens and I have to reinstall Windows. But I am 10 for 10, nothing has infected me yet.

In the specific case, using all the SW together would have been useless. The malware was voluntarily executed in the Host machine because it did not "work" in the Guest.
 

ForgottenSeer 823865

To be honest, for testing, nothing is better than a real system. You can find refurbished machines very cheap.

About jumping to the host, there are some exit routes for the malware, like memory corruption bugs, TCP/IP, the host memory space accessing the guest one, etc...
Note that full software virtualization is more susceptible to escapes, which is the reason I never recommended using light virtualization for malware testing.

As I pointed above, networking between host and guests is another exit route, as well as some VM tools/features made for host-guest intercommunications.

And of course, dedicated exploits are possible like the old Cloudburst.

Even if all those situations are uncommon, they still exist, hence if you are really serious about malware testing, investing some bucks in a spare machine is way more efficient than any VMs.
 

oldschool

Level 81
Verified
Top Poster
Well-known
Mar 29, 2018
7,044
Pff, I test malware in a VM with Sandboxie using Shadow Defender and Rollback RX; as far as I know nothing has got past it. However, I am not sure, as every time I do a test my computer blue screens and I have to reinstall Windows. But I am 10 for 10, nothing has infected me yet.

That doesn't sound like a smooth testing procedure if you need to reinstall Windows each time!
 

roger_m

Level 41
Verified
Top Poster
Content Creator
Dec 4, 2014
3,014
I presume that an issue with testing using a VM is cases like this, where malware detects the VM and then doesn't do anything malicious. If the malware is not detected by signatures, then I guess the behaviour blocking will miss it, as it fails to do anything suspicious. This would lead to different test results for tests done on VMs and on real Windows installs.
 

jogs

Level 22
Verified
Top Poster
Well-known
Nov 19, 2012
1,112
Malware makers are very clever people; very soon they will find some loopholes in VMs and start to exploit them.
I think every kind of software can be breached; some just take a lot of work to be defeated. Just my opinion.
 

ForgottenSeer 823865

Malware makers are very clever people; very soon they will find some loopholes in VMs and start to exploit them.
I think every kind of software can be breached; some just take a lot of work to be defeated. Just my opinion.
They already found several. But those are mostly used to target corporations.
 

TRS-80

Level 1
Aug 16, 2019
46
@Local Host

Nice to see honeypots get a mention.

To Everyone,

Excellent to see a good, robust discussion carried out in such a refined manner. It's certainly provoked some interesting lines of thought and logic.

Back in the correct time frame (2009), as some have mentioned, this type of infector was far less common and the flow-on effects poorly understood. By today's standards, anyhow.

I am forced, by my own peculiar logic, to believe, given the above, that unleashing such malware on a wide open system was somewhat reckless. For the stated time frame, in my humble opinion.

Interesting initial posting! Great discussion!

Like me, the original case is now somewhat old.

Cheers All,

@TRS-80 🍺
 

ForgottenSeer 823865

Most companies use honeypots, not VMs; VMs weren't created to mitigate malware.
I will add:

Yes, VMs weren't created to mitigate malware; the original purpose was to permit the use of applications on incompatible devices, test applications, reduce the cost of buying new hardware, improve performance on servers, etc...
Yes, Honeypots are used to misdirect attackers from the real sensitive areas of the network to the dummy ones.

However, VMs can also be used for several security purposes:
- provide "backup" solutions in case of disaster; this is the most common use.
- provide a user's device access to network resources while protecting the data (example: virtual desktops).
- provide mobile employees the same working environment when outside the company.
- etc., etc.

Usage of VMs as a malware mitigation option was more a side-effect than a real purpose.
 
