Cch123

Found the sample: it is a worm called Safesys. The worm can operate at ring0 and writes to the disk directly by communicating with the atapi.sys driver. In the test, Shadow Defender 1.2.0.346 and Sandboxie 3.x managed to stop the worm from persisting. However, similar software, Comodo Time Machine 2.8 and Deep Freeze 7, failed to stop it from persisting on the system. Sandboxie stopped the attack because it prevented the malware driver from loading in the first place. Not sure about the internal workings of SD, but I would expect the same.
 

frogboy

Quoting cch123: Found the sample: it is a worm called Safesys. The worm can operate at ring0 and writes to the disk directly by communicating with the atapi.sys driver. In the test, Shadow Defender 1.2.0.346 and Sandboxie 3.x managed to stop the worm from persisting. However, similar software, Comodo Time Machine 2.8 and Deep Freeze 7, failed to stop it from persisting on the system. Sandboxie stopped the attack because it prevented the malware driver from loading in the first place. Not sure about the internal workings of SD, but I would expect the same.
Well done for finding this.

hjlbx

Quoting cch123: Found the sample: it is a worm called Safesys. The worm can operate at ring0 and writes to the disk directly by communicating with the atapi.sys driver. [...] Not sure about the internal workings of SD, but I would expect the same.
Shadow Defender fully virtualizes partition 0 (MBR). :D
 

cruelsister

The major issue with VirtualBox and anti-sandbox malware is not so much that the malware is going to rip down barriers while trojan testing but instead fooling the user who is testing an application within VirtualBox into thinking that it is safe (and thus can be transferred to a production system).

Checking to see if malware is running specifically within VirtualBox varies with the malware type. Things like RebHip (most commonly a keylogger) will poll running processes for VBoxService.exe (which is installed with Guest Additions; not a really good idea to do, btw), whereas other malware will encode legitimate analysis tools in order to check for "tells" of a VM being present. If you would like to see for yourself what the malware checks on in its quest to evade VMs, try Paranoid Fish, which can be found here:
https://github.com/a0rtega/pafish/raw/master/pafish.exe

Open up your VirtualBox setup and run the file- it is totally legitimate and quite safe.
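The process-name check cruelsister describes above (polling the process list for VBoxService.exe), written out as an added example. This is not code from the thread and not pafish's own code. It assumes VBoxService.exe and VBoxTray.exe as the Guest Additions process names and 08:00:27 as VirtualBox's default NIC OUI; the MAC-address tell and the cross-platform process enumeration go beyond the single check the post mentions. Run it inside a VirtualBox guest with Guest Additions installed and it reports the same tells malware would see; run it in a guest without Guest Additions and on the default NIC and only the MAC tell remains.

```python
"""Added example: VirtualBox 'tells' of the kind the post describes.

Not part of the forum thread and not pafish's code. Assumptions are marked.
"""
import os
import platform
import subprocess
import uuid

# Guest Additions processes (assumption: VBoxService.exe and VBoxTray.exe are
# the well-known Guest Additions image names that samples like RebHip poll for).
VBOX_PROCESSES = {"vboxservice.exe", "vboxtray.exe"}
# VirtualBox's default NIC OUI (assumption: 08:00:27 is the Oracle VirtualBox prefix).
VBOX_MAC_PREFIX = "08:00:27"


def running_process_names():
    """Lowercase image names of running processes.

    Windows: parse `tasklist /fo csv /nh`; other OSes: read /proc/<pid>/comm.
    """
    if platform.system() == "Windows":
        out = subprocess.run(
            ["tasklist", "/fo", "csv", "/nh"], capture_output=True, text=True
        ).stdout
        # Each CSV line looks like "Image Name","PID","Session Name","Session#","Mem Usage"
        return {
            line.split('","')[0].strip('"').lower()
            for line in out.splitlines()
            if line.strip()
        }
    names = set()
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                names.add(f.read().strip().lower())
        except OSError:
            continue  # process exited between listdir and open
    return names


def local_mac():
    """Primary MAC as aa:bb:cc:dd:ee:ff, derived from uuid.getnode()."""
    node = uuid.getnode()
    return ":".join(f"{(node >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))


def vbox_tells(process_names, mac):
    """Pure check over already-collected data; returns the list of tells found.

    Kept free of system calls so the same logic can be run over any
    process list / MAC string (e.g. from a memory dump or a test).
    """
    found = []
    hits = sorted(VBOX_PROCESSES & {p.lower() for p in process_names})
    if hits:
        found.append("process:" + ",".join(hits))
    if mac.lower().startswith(VBOX_MAC_PREFIX):
        found.append("mac:" + mac.lower())
    return found


if __name__ == "__main__":
    tells = vbox_tells(running_process_names(), local_mac())
    print("VirtualBox tells:", ", ".join(tells) if tells else "none")
```

The point of splitting collection from the check is that the same `vbox_tells` logic can be fed a process list taken from a sample's strings or a sandbox report, which is the quicker way to confirm what a given piece of malware is looking for before deciding whether a VirtualBox verdict can be trusted.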