Attacking Sandboxes

Posted by kdawson on Sun Jul 15, 2007 07:05 PM
from the just-another-brick-in-the-wall dept.
SkiifGeek writes "Many anti-malware applications use a sandbox as a tool to help identify potentially malicious software. Now knowledge is spreading about techniques and methods that can allow sandboxed software to target the sandbox itself (and by extension the application that applied it). While attacks that specifically target sandboxing applications are probably a little way off, this technology can be considered the logical extension of techniques and procedures to identify the presence of hosted systems (VMWare, Virtual PC, etc.)."
  • Enter the Sandbox (Score:2, Funny)

    by Anonymous Coward on Sunday July 15, @07:08PM (#19871731)
    So when will we be able to attack the Matrix?
  • Sandbox the sandbox (Score:4, Funny)

    by robo_mojo (997193) on Sunday July 15, @07:08PM (#19871733)
    That's ok. We can just sandbox the sandbox and still be safe.
  • Serves us right (Score:3, Funny)

    by jimbug (1119529) on Sunday July 15, @07:13PM (#19871777)
    for building a box out of sand. what were we thinking?
  • Old news (Score:4, Informative)

    by Nick_taken (1090721) on Sunday July 15, @07:18PM (#19871819)
    There's a simple detection program called RedPill that probes a simple method to do so; VMware leaves a lot of registry keys on Windows, VirtualBox lacks support for hardware breakpoints, CPU cycle counts are another way to detect virtualization, and some packed malware doesn't even run on virtual machines because of memory management. Software packed with Armadillo does not run on VBox, and it used to fail on VMware Player until they fixed that bug.

    "Thwarting Virtual Machine Detection" is a nice paper on virtual machine detection.
  • Strike vs Counterstrike (Score:5, Insightful)

    by mcrbids (148650) on Sunday July 15, @07:18PM (#19871821)
    There will never, ever be an end to this.

    As long as people are imperfect (and they always will be) there will be measures, countermeasures, and counter-countermeasures. New techniques will make old ones obsolete, and even newer techniques will make the once-new techniques no longer apply.

    With this understanding, any technology that can outsurvive more than one or two iterations of other products in the same field becomes "venerable" and "stable".

    Which makes now a particularly good time to appreciate the guys who worked out the spec for TCP/IP some 30 (?) years ago. Despite going from mainframes, to minis, to PCs, and now on to the era of ubiquitous computing, the basic concepts and ideas behind the TCP/IP specification continue to hold steady and useful. They managed to come up with a technology that, whatever flaws have actually been found, hasn't come up against any real show-stoppers. None.

    To which I can only say: WOW.
  • by Cafe Alpha (891670) on Sunday July 15, @07:28PM (#19871883)
    The article didn't say that they've found code that attacks sandboxes, it said that they've found code that detects a sandbox (VMWare for instance) and plays innocent so as to avoid detection through the sandbox.

    It also said that software has been found that detects when it's attached to a debugger. Big deal, copy protection schemes have been doing that for decades.

    The article then goes on to FUD that code that attacks the sand box "must" be coming.

    Oh, it must be coming. Uhuh.
  • Umm... yes? And? (Score:5, Interesting)

    by Opportunist (166417) on Sunday July 15, @07:43PM (#19871985)
    That malware detects VMs is old news. I'd wager about 60% of current malware has VM detection built in. About as many have debugger detection. Some overlapping allowed.

    So far, malware that "breaks out" of the sandbox would be new to me (though I'd be grateful for a sample). Though, seriously, why not run a VM with Windows (to analyze) on a box running Linux? I'd be very interested if someone manages to do the feat of creating a piece of malware that manages to break out of the sandbox and then run on a machine with a completely different operating system.

    If you wanna throw another stick between the malware's feet, run the VM on a non-i386 architecture. If someone manages to break out of THAT and manages to hijack my machine, he really earned it and should get it.
  • Stuff like this will make VMWare, Parallels, and others improve their product so it becomes difficult (if not impossible) to detect that the host is virtual.

    By the same token, it suggests a new attack against malware.... find out what makes a piece of malware think it's running on a VM and then make a physical machine react the same way. The possibilities are endless here.
  • To detect VMware, it's almost trivial. VMware can be detected with a built-in backdoor. The backdoor is a configurable setting that's on a lot of the time. Programs like VMware Tools use it to enhance KVM operations. An easier check would be to look on the system to see if your network driver is the VMware NIC driver.

    "Piercing the abstraction", as they call it in the business, is however much more difficult, especially on a VM running on top of VMware's ESX, which doesn't actually interact with the guest OS except via software that uses the backdoor. If it is turned off, VMware doesn't talk to the guest OS, so I don't see an easy way of doing this. VMware works by intercepting special system calls and then getting out of the way, allowing the VM to execute its code on the CPU itself.

    Solutions like paravirtualization would be more susceptible to these attacks than a hypervisor like VMware.
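    The two comments above list the host-side tell-tales that give a sandbox away (VMware registry keys, the VMware NIC driver) and suggest mirroring them onto a bare-metal host so malware "plays innocent". The following added example (not from the thread or any named project) is a sandbox-hygiene audit an analyst can run over a host inventory: the inventory data is constructed, and the registry paths, NIC driver names and MAC OUIs are assumed indicator values, not taken from the thread.

```python
"""Audit a host inventory for the VM tell-tales discussed in the thread.

Added example, not part of the Slashdot discussion. The inventory samples
are constructed; the indicator sets are assumptions (common VMware and
VirtualBox artifacts), kept in one place so the same list can be used to
scrub an analysis VM or to plant decoy artifacts on a bare-metal host.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

# Assumed indicator sets: registry paths, NIC driver names, MAC OUI prefixes.
VM_REGISTRY_KEYS = {
    r"hklm\software\vmware, inc.\vmware tools": "vmware",
    r"hklm\software\oracle\virtualbox guest additions": "virtualbox",
}
VM_NIC_DRIVERS = {"vmxnet": "vmware", "vmxnet3": "vmware"}
VM_MAC_OUIS = {
    "00:05:69": "vmware", "00:0c:29": "vmware", "00:1c:14": "vmware",
    "00:50:56": "vmware", "08:00:27": "virtualbox",
}


@dataclass
class HostInventory:
    registry_keys: Set[str]              # full key paths as enumerated on the host
    nics: List[Tuple[str, str]]          # (driver name, MAC address) per adapter


def audit(inv: HostInventory) -> List[str]:
    """Return one 'kind:vendor:value' finding per tell-tale; [] means clean."""
    findings = []
    present = {k.lower() for k in inv.registry_keys}   # registry is case-insensitive
    for key, vendor in VM_REGISTRY_KEYS.items():
        if key in present:
            findings.append(f"registry:{vendor}:{key}")
    for driver, mac in inv.nics:
        oui = mac.lower().replace("-", ":")[:8]        # normalise 00-0C-29-.. too
        if oui in VM_MAC_OUIS:
            findings.append(f"mac_oui:{VM_MAC_OUIS[oui]}:{mac}")
        if driver.lower() in VM_NIC_DRIVERS:
            findings.append(f"nic_driver:{VM_NIC_DRIVERS[driver.lower()]}:{driver}")
    return findings


def sample_leaky_vm() -> HostInventory:       # constructed: an unhardened VMware guest
    return HostInventory({r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"},
                         [("vmxnet3", "00-0C-29-AB-CD-EF")])


def sample_clean_host() -> HostInventory:     # constructed: bare metal, Intel OUI
    return HostInventory({r"HKLM\SOFTWARE\Microsoft\Windows"},
                         [("e1000e", "3c:97:0e:12:34:56")])
```

A non-empty result on the analysis VM is the list of artifacts to remove or rename before detonation; run on a bare-metal decoy, an empty result means none of the mirrored artifacts were planted.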
  • Sand Toys (Score:1)

    by DanMelks (1108493) on Sunday July 15, @08:33PM (#19872285)
    So the little tykes are refusing to play nice in the sand box, so add some sand toys. I always wanted one of those little shovel things.
  • Question to those who sandbox (Score:1, Interesting)

    by Anonymous Coward on Sunday July 15, @08:39PM (#19872315)
    Malware's built-in detection makes hell of the casual e-sleuth's investigation techniques, and there seems to be only one sure-fire way to make sure malware behaves as you wish: keep it on a real system. I'm mostly speaking of network-oriented malware (i.e., botnet clients), where you don't really care so much about what goes on with the infected system, so much as what occurs during the control/attack phase.

    So, does anyone know of a particularly home-friendly way to handle a real-hardware box? I'm not sure of the best way to do this, but I assume it may simply require a CD/DVD that boots windows, instead of re-imaging the drive every time you want to test something new (which sounds quite...painful).
  • All I saw was... (Score:1)

    by DelitaTheFridge (912659) on Sunday July 15, @10:18PM (#19872811)
    Sandbox Sandbox Sandbox
  • Detecting virtualization? (Score:4, Funny)

    by macemoneta (154740) on Sunday July 15, @10:19PM (#19872821)
    Being able to detect virtualization would be great, if the technique can be generically applied [wikipedia.org].

    There is no spoon [wikipedia.org]

  • I've always said it, and I'll keep saying it until malware takes my baby away, but every time someone makes a smarter anti-virus, some teenager will create a better virus. It's the computer equivalent to pesticide: it kills one batch of bugs, but the next generation grows immune.

    Meanwhile, I avoid ALL forms of anti-malware tools, and magically I rarely get infected. When I do, I notice pretty quickly because I actually pay attention to what my PC is doing. If a certain task (or game) is used to running smoothly, and all of a sudden it starts wigging out, I'll know something is up. It's not like malware has ever cared to be spartan when it comes to CPU and memory usage.

    If McAfee could stop selling anti-virus software, and instead just sell a book or instructive video on how to not be stupid and how to not click on all those sexy ActiveX prompts, well first of all they'd go out of business because they're a sloppy ass company, but secondly maybe some people would actually develop the ability to not click everything under the sun.

    As it stands, I am of ZERO value to malware authors because my PC doesn't get involved in their spam/botnets, nor do I spread the plague to my friends and coworkers. I'm also worth ZERO to the anti-virus companies. If more people could self-police their PC like me, it would put a dent in both the virus and anti-virus businesses and as a result, it would slow the evolution of malware.

    If two kids are fighting over a silly toy, when you take away the toy, they find something else to occupy them. Virus authors are no different. Businesses are no different. Humankind as a whole is no different.
    • Re:Arms race for nothing (Score:4, Interesting)

      by dbIII (701233) on Sunday July 15, @11:25PM (#19873193)

      Meanwhile, I avoid ALL forms of anti-malware tools, and magically I rarely get infected. When I do

      Isn't once enough for anyone? You did format and restore from a known good backup or install media afterwards didn't you? There's a tendency lately to trust that whoever had full control of your PC did nothing but run a set script and blindly hope that there is nothing else on there. I've played with various removal tools when people have given me compromised machines and different tools gave me different answers the other tools could not detect - perhaps there were some things neither could detect, hard to be sure especially when you are booting from a compromised system.

      Fdisk it from orbit - it's the only way to be sure.

  • by eknagy (1056622) on Monday July 16, @01:47AM (#19873789)
    Ha!

    I always knew there are security problems with sandboxes - and all the cats in the world surely know how to break them:
    cat /dev/colon >/proc/virtual/1
  • Centipedes? (Score:1)

    by Wiseman1024 (993899) on Monday July 16, @07:52AM (#19875177)
    In MY sandbox?
  • Re:Watch what I can do (Score:5, Funny)

    by click2005 (921437) on Sunday July 15, @07:51PM (#19872037)
    I've got friends who know how to block your friend's actions.