Malware and VM question.

Cch123

Level 7
Verified
May 6, 2014
335
Found the sample: It is a worm called Safesys. The worm can operate at ring0 and writes to the disk directly by communicating with the atapi.sys driver. In the test Shadow Defender 1.2.0.346 and Sandboxie 3.x managed to stop the worm from persisting. However, similar software, Comodo Time Machine 2.8 and Deep Freeze 7, failed to stop it from persisting on the system. Sandboxie stopped the attack because it prevented the malware driver from loading in the first place. Not sure about the internal workings of SD, but I would expect the same.

frogboy

In memoriam 1961-2018
Verified
Top Poster
Well-known
Jun 9, 2013
6,720
Found the sample: It is a worm called Safesys. The worm can operate at ring0 and writes to the disk directly by communicating with the atapi.sys driver. In the test Shadow Defender 1.2.0.346 and Sandboxie 3.x managed to stop the worm from persisting. However, similar software, Comodo Time Machine 2.8 and Deep Freeze 7, failed to stop it from persisting on the system. Sandboxie stopped the attack because it prevented the malware driver from loading in the first place. Not sure about the internal workings of SD, but I would expect the same.
Well done for finding this.

hjlbx

Thread author
Found the sample: It is a worm called Safesys. The worm can operate at ring0 and writes to the disk directly by communicating with the atapi.sys driver.

Not sure about the internal workings of SD, but I would expect the same.

Shadow Defender fully virtualizes partition 0 (MBR). :D

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,133
The major issue with VirtualBox and anti-sandbox malware is not so much that the malware is going to rip down barriers while trojan testing but instead fooling the user who is testing an application within VirtualBox into thinking that it is safe (and thus can be transferred to a production system).

Checking to see if malware is running specifically within VirtualBox varies with the malware type. Things like RebHip (most commonly a keylogger) will poll running processes for VBoxService.exe (which is installed with Guest Additions- not a really good idea to do, btw), whereas other malware will encode legitimate analysis tools in order to check for "tells" of a VM being present. If you would like to see for yourself what the malware checks on in its quest to evade VMs, try Paranoid Fish which can be found here:
https://github.com/a0rtega/pafish/raw/master/pafish.exe

Open up your VirtualBox setup and run the file- it is totally legitimate and quite safe.
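The process-polling tell described in the post above, turned into a small analyst-side audit of a VirtualBox guest. This is an added example, not code from the thread or from the pafish project: it parses the output of Windows `tasklist /fo csv /nh` (a constructed sample is embedded so it runs anywhere) and reports which Guest Additions processes are present, so they can be removed before a test run. VBoxService.exe is the process named in the post; VBoxTray.exe is the Guest Additions tray helper and is included as an assumption about a default install.

```python
"""Audit a VirtualBox guest for the Guest Additions processes that VM-aware
malware polls for, so the analyst knows which tells the test VM exposes."""
import subprocess
import sys

# Process names that only exist when VirtualBox Guest Additions are installed.
# VBoxService.exe is the tell named in the thread; VBoxTray.exe is the tray
# helper shipped with Guest Additions (assumption: present on a default install).
GUEST_ADDITION_PROCESSES = {"vboxservice.exe", "vboxtray.exe"}


def parse_tasklist_csv(output):
    """Extract image names from `tasklist /fo csv /nh` output.

    Each line is a quoted CSV row whose first field is the image name.
    Blank lines are skipped so trailing newlines do not produce empty names.
    """
    names = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        first_field = line.split(",", 1)[0].strip('"')
        names.append(first_field)
    return names


def find_vm_tells(process_names):
    """Return the sorted Guest Additions processes found in process_names.

    Matching is case-insensitive because tasklist preserves the image name's
    original casing while malware typically compares lower-cased names.
    """
    running = {name.strip().lower() for name in process_names}
    return sorted(running & GUEST_ADDITION_PROCESSES)


def live_process_names():
    """Query the real process list on Windows; return [] on other platforms."""
    if sys.platform != "win32":
        return []
    result = subprocess.run(
        ["tasklist", "/fo", "csv", "/nh"],
        capture_output=True, text=True, check=False,
    )
    return parse_tasklist_csv(result.stdout)


# Constructed sample of `tasklist /fo csv /nh` output from a guest that still
# has Guest Additions installed (not captured from a real system).
SAMPLE_TASKLIST = '''"System Idle Process","0","Services","0","8 K"
"explorer.exe","1234","Console","1","45,000 K"
"VBoxService.exe","812","Services","0","6,100 K"
"VBoxTray.exe","1980","Console","1","4,300 K"
'''


if __name__ == "__main__":
    # Use the real process list on Windows, otherwise fall back to the sample.
    names = live_process_names() or parse_tasklist_csv(SAMPLE_TASKLIST)
    tells = find_vm_tells(names)
    if tells:
        print("Guest Additions processes exposed to the sample:", ", ".join(tells))
        print("Consider uninstalling Guest Additions before trojan testing.")
    else:
        print("No Guest Additions processes found.")
```

On a Windows guest the script inspects the live process list; elsewhere it runs against the constructed sample so the parsing and matching logic can still be exercised. It only covers the process-name tell from the post; pafish exercises many more checks.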

Cch123

Level 7
Verified
May 6, 2014
335
Replying to hjlbx,
Don't tell me you thought ring0 was the MBR? ring0 is the kernel level.
