Can malware leak through sandboxes, virtual machines and non-executable archives?

Bryan Lam

Apr 19, 2015
It depends on the situation and the malware in question. There are certain crypters which are developed to bypass programs such as Sandboxie and VMware/VirtualBox. Most of these are obsolete or extremely rare, though. Non-executable archives won't 'leak' malware, although spoofed file name extensions are certainly a possibility.
 
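Two concrete checks for the extension spoofing mentioned in the post above, as an added example that is not part of the thread: a name check for the right-to-left-override (U+202E) trick and for double extensions, and a content check that compares a document-looking extension with the file's first two bytes (an `MZ` header means a Windows executable). The sample names and files are constructed inline for the demo; no real sample is needed.

```shell
#!/bin/sh
# Added example, not from the thread: two checks for spoofed file names.
# Sample names and files below are constructed for the demo.
set -u

# U+202E RIGHT-TO-LEFT OVERRIDE as UTF-8 bytes; everything after it is displayed
# reversed, so "invoice<RLO>fdp.exe" shows up in a file manager as "invoiceexe.pdf".
RLO=$(printf '\342\200\256')

# check_name NAME: print a verdict; return 1 if the name looks spoofed, 0 otherwise.
# The second pattern catches a document-looking name whose real (last) extension
# is an executable type, e.g. "invoice.pdf.exe".
check_name() {
    name=$1
    case "$name" in
        *"$RLO"*)
            echo "rlo-override: $name"
            return 1 ;;
        *.*.exe|*.*.scr|*.*.com|*.*.pif|*.*.bat|*.*.cmd|*.*.js|*.*.vbs|*.*.lnk)
            echo "double-extension: $name"
            return 1 ;;
    esac
    echo "ok: $name"
    return 0
}

# check_magic PATH: return 1 if PATH claims to be a document or image but starts
# with the PE header "MZ" (a Windows executable), 0 otherwise.
check_magic() {
    path=$1
    magic=$(head -c 2 "$path" | od -An -c | tr -d ' \n')
    case "$path" in
        *.pdf|*.doc|*.docx|*.xls|*.xlsx|*.rtf|*.txt|*.jpg|*.png)
            if [ "$magic" = "MZ" ]; then
                echo "magic-mismatch: $path claims a document but starts with MZ"
                return 1
            fi ;;
    esac
    echo "ok: $path"
    return 0
}

# Demo on constructed inputs: one honest PDF, one PE stub renamed to .pdf,
# and three file names (clean, double extension, RLO trick).
demo() {
    dir=$(mktemp -d)
    printf '%%PDF-1.4\n' > "$dir/real.pdf"
    printf 'MZ\220' > "$dir/report.pdf"      # only the 2-byte header matters here
    for f in "$dir/real.pdf" "$dir/report.pdf"; do
        check_magic "$f" || :
    done
    for n in invoice.pdf invoice.pdf.exe "invoice${RLO}fdp.exe"; do
        check_name "$n" || :
    done
    rm -rf "$dir"
}

demo
```

The name check only looks at what the file calls itself, so it is cheap to run over a whole extracted archive; the magic check is the one that catches a renamed executable with an innocent single extension.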

Atlas147

Jul 28, 2014
Hackers are writing new code every day and finding new ways to exploit the system. There have definitely been successful attempts at bypassing sandboxes and VMs, although for those methods patches are often released by the sandbox and VM providers immediately.

But you never know if they've found a new way to exploit them until the malware lands in the hands of researchers or AV vendors. So tread carefully if you want to test malware, but if you are just browsing the web in a VM I doubt you'll be so unlucky as to run into malware that would be able to escape the sandbox or VM.
 

S3cur1ty 3nthu5145t

May 22, 2017
Exploits via memory, or the malware gaining access to the network, would be the two places you would want to watch and protect when executing and running malware inside a virtual machine.

This will also depend on how you set up your VM: whether it is fully isolated from the host by disabling drag and drop etc., whether you're running a NAT, bridged or host-only network, whether you install the VM tools, etc.
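The isolation choices listed in the post above, applied to a VirtualBox guest with `VBoxManage`, as an added example that is not part of the thread. The VM name `analysis-win10`, the host-only adapter `vboxnet0`, the shared folder name `share` and the snapshot label are assumptions; the `--clipboard-mode` flag needs VirtualBox 6.1 or newer (older releases spell it `--clipboard`). `DRY_RUN=1` prints the commands instead of executing them, which is also how the script can be checked on a machine without VirtualBox.

```shell
#!/bin/sh
# Added example, not from the thread: close the guest<->host data paths and pin
# the network mode of a VirtualBox analysis VM before detonating a sample.
# VM name, adapter, folder and snapshot names are assumptions; override via env.
set -u

VM=${VM:-analysis-win10}
HOSTONLY_IF=${HOSTONLY_IF:-vboxnet0}
SHARED_FOLDER=${SHARED_FOLDER:-share}
SNAPSHOT=${SNAPSHOT:-clean-baseline}
NET_MODE=${NET_MODE:-hostonly}
DRY_RUN=${DRY_RUN:-0}

# run CMD...: print the command line when DRY_RUN=1, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Clipboard, drag-and-drop and shared folders are the channels the guest
# additions ("VM tools") expose to the guest; disabling them on the host side
# takes effect whether or not the additions are installed in the guest.
isolate_guest_host() {
    run VBoxManage modifyvm "$VM" --clipboard-mode disabled
    run VBoxManage modifyvm "$VM" --draganddrop disabled
    run VBoxManage sharedfolder remove "$VM" --name "$SHARED_FOLDER"
}

# set_network hostonly|none: host-only keeps the guest reachable from the
# analysis host (e.g. for a fake DNS/HTTP sink) without bridging it onto the
# LAN; "none" unplugs the adapter entirely. Bridged and NAT are refused here
# because both give the sample a route out.
set_network() {
    mode=$1
    case "$mode" in
        hostonly)
            run VBoxManage modifyvm "$VM" --nic1 hostonly --hostonlyadapter1 "$HOSTONLY_IF" ;;
        none)
            run VBoxManage modifyvm "$VM" --nic1 none ;;
        *)
            echo "refusing network mode '$mode' for an analysis VM" >&2
            return 1 ;;
    esac
}

# Snapshot the clean state so every detonation can be rolled back.
take_baseline() {
    run VBoxManage snapshot "$VM" take "$SNAPSHOT"
}

harden() {
    isolate_guest_host
    set_network "$NET_MODE"
    take_baseline
}

# Usage: DRY_RUN=1 sh isolate-vm.sh apply   (print)   |   sh isolate-vm.sh apply   (execute)
if [ "${1:-}" = apply ]; then
    harden
fi
```

Run it with the VM powered off (`modifyvm` refuses changes on a running VM), then boot from the snapshot for each sample and restore it afterwards.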
 

Winter Soldier

Feb 13, 2017
Regarding sandbox leaks, I have come across few actual news reports of real impact (but this doesn't mean it hasn't happened). But if we consider drivers and applications, we know there are some ways to communicate with applications, services or drivers in the sandbox/host context.

Basically, drivers and applications should be crafted so that the application sends an output to the driver and the driver holds (pends) that request until it needs it. This makes it possible for a driver to send a request to an application even though the request is not really "driver initiated".

Of course this could be a very difficult task in a malware/sandboxing context because it would possibly require a lot of synchronization mechanisms to keep the request pending.
 
