A malware defeating a Sandbox, a VM and an AV - Case Study
<blockquote data-quote="HarborFront" data-source="post: 859871" data-attributes="member: 55987"><p>I found an interesting case on the net. It was in the year 2009. I have to assume the case is true.</p><p></p><p>Read here:</p><p></p><p>[URL unfurl="true"]https://www.dslreports.com/forum/r22677694-Trojan-checks-for-SandBoxIE-presence[/URL]</p><p></p><p>Apparently, the user ran Sandboxie inside VMware and the malware did nothing. Run outside the SB/VM, the trojan came alive. It is likely a VM/SB-evading malware. NOD32 also detected nothing when the malware was run outside the VM/SB environment.</p><p></p><p>To conclude:</p><p></p><p>In 2009, SB/VM were likely not very robust/secure, and the trojan signature wasn't updated in NOD32.</p><p></p><p>What’s the damage done?</p><p></p><p>Apparently, some private info was stolen and files were uploaded to an FTP server.</p><p></p><p>Quote from the link:</p><p></p><p>Tuulilapsi</p><p></p><p>Member</p><p></p><p>2009-Jul-9 9:56 am</p><p></p><p>Sounds like the kind of simple and to-the-point malware that will fool quite a lot of people. Perhaps this is a nice case example of how software firewall outbound monitoring can sometimes be of quite a lot of use. I would expect that even many of the gullible folks would get suspicious if their firewall tells them that the archive file they just executed wants to connect to an FTP!</p><p></p><p>Unquote</p><p></p><p>Malware defeating a sandbox, a VM and an AV.</p><p></p><p>Do you think outbound monitoring by a firewall will help in this case? Can a firewall prevent private info from being exfiltrated?</p><p></p><p>How do you prevent malware from defeating three security apps (a sandbox, a VM and an AV/AM) in today's context, say, ignoring the outbound monitoring by a firewall? Add another security app? Like what, in this case?</p></blockquote><p></p>
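The quoted comment argues that host-firewall outbound monitoring would have caught this trojan because a freshly extracted executable opening an FTP connection is an unusual thing for a user to have asked for. The script below is an added example written for this thread, not code from the post, the linked thread, or any firewall product. It models the rule such a monitor applies: parse outbound-connection events, let through processes the user has already approved, and flag anything else, with extra weight when the executable runs from a temp/archive-extraction directory or talks to a cleartext transfer port such as FTP (21). The log format, paths, process names and addresses are all constructed for illustration.

```python
"""Toy model of host-firewall outbound monitoring (added example, not the
thread's or any vendor's code). Parses constructed outbound-connection events
and reports the pattern discussed above: an unapproved executable, launched
from an archive-extraction temp directory, opening an FTP connection."""

import re
from dataclasses import dataclass

# Constructed sample log lines; the line format is an assumption, not a real
# product's log format. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges, so these addresses point at nothing real.
SAMPLE_LOG = """\
2009-07-09 09:41:02 OUT pid=1204 proc=C:\\Program Files\\Mozilla Firefox\\firefox.exe dst=198.51.100.20:443 proto=tcp
2009-07-09 09:41:10 OUT pid=2210 proc=C:\\Users\\bob\\AppData\\Local\\Temp\\Rar$EX01\\invoice.exe dst=203.0.113.10:21 proto=tcp
2009-07-09 09:41:11 OUT pid=2210 proc=C:\\Users\\bob\\AppData\\Local\\Temp\\Rar$EX01\\invoice.exe dst=203.0.113.10:50412 proto=tcp
2009-07-09 09:42:00 OUT pid=1204 proc=C:\\Program Files\\Mozilla Firefox\\firefox.exe dst=198.51.100.7:80 proto=tcp
2009-07-09 09:43:15 OUT pid=3300 proc=C:\\Windows\\System32\\svchost.exe dst=203.0.113.10:21 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) OUT pid=(?P<pid>\d+) proc=(?P<proc>.+?) "
    r"dst=(?P<ip>[\d.]+):(?P<port>\d+) proto=(?P<proto>\w+)$"
)

# Cleartext transfer ports whose use by an unapproved process deserves a prompt.
SUSPICIOUS_PORTS = {21: "ftp", 25: "smtp", 23: "telnet"}

# Processes the user has already approved for outbound traffic (constructed).
ALLOWLIST = {
    "c:\\program files\\mozilla firefox\\firefox.exe",
}

# Locations an archive tool or browser typically extracts a just-downloaded file to.
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


@dataclass
class Event:
    ts: str
    pid: int
    proc: str
    ip: str
    port: int
    proto: str


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(Event(m["ts"], int(m["pid"]), m["proc"], m["ip"],
                            int(m["port"]), m["proto"]))
    return events


def classify(ev):
    """Return the reasons this outbound connection deserves a user prompt (empty = allowed)."""
    reasons = []
    proc = ev.proc.lower()
    if proc in ALLOWLIST:
        return reasons
    reasons.append("process not on outbound allowlist")
    if any(d in proc for d in TEMP_DIRS):
        reasons.append("executable runs from a temp/archive-extraction directory")
    if ev.port in SUSPICIOUS_PORTS:
        reasons.append(f"destination port {ev.port} ({SUSPICIOUS_PORTS[ev.port]}) "
                       "is a cleartext transfer channel")
    return reasons


def alerts_for(text):
    """Group flagged connections by (pid, process) with first-seen time, destinations and reasons."""
    out = {}
    for ev in parse_log(text):
        reasons = classify(ev)
        if reasons:
            key = (ev.pid, ev.proc)
            entry = out.setdefault(key, {"first_seen": ev.ts, "dsts": [], "reasons": set()})
            entry["dsts"].append(f"{ev.ip}:{ev.port}")
            entry["reasons"].update(reasons)
    return out


if __name__ == "__main__":
    for (pid, proc), info in alerts_for(SAMPLE_LOG).items():
        print(f"[{info['first_seen']}] pid {pid} {proc} -> {', '.join(info['dsts'])}")
        for r in sorted(info["reasons"]):
            print("   -", r)
```

Run as-is it prompts for `invoice.exe` (temp directory, FTP control port 21, then the data connection on a high port) and for the `svchost.exe` line, while the approved browser passes silently. The second alert is the honest limitation of this approach: an allowlist keyed on the executable path prompts on every unapproved process and relies on the user answering the prompt correctly, which is exactly the "gullible folks" problem the quoted comment raises. It also does nothing against a sandbox-aware sample that never makes the connection inside the monitored environment, so outbound monitoring complements sandbox and AV detection rather than replacing them.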