Studying Malware in a Virtual Machine - Dangers, Precautions

Discussion in 'sandboxing & virtualization' started by sbwhiteman, Mar 12, 2011.

Thread Status:
Not open for further replies.
  1. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    He must be talking about theoretical exploits which cause buffer overflows in kernel-mode drivers, which can cause privilege escalation (EoP), defeating any type of sandbox or limited privileges.

    EOT font vulnerabilities (already patched) which can be exploited remotely are one of these types.

    Tzuk himself admitted that Sandboxie or any other security is vulnerable from such theoretical kernel exploits... http://www.sandboxie.com/phpbb/viewtopic.php?t=8198

    Don't know any malware in the wild that uses such kernel exploits. Stuxnet used two privilege escalation exploits, but the attacker has to gain local access first, so any AE/HIPS/AL/SRP (DLL-aware) could easily catch the initial attack (LNK vulnerability).
     
  2. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    @trismegistos:

    tnx for the heads up mate.

    like I said earlier, there is a wide gap between possible and likely.
    I guess anything is possible, in theory land...
     
  3. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,974
    Location:
    Boston, MA
    I know that a good hacker/writer can create a program to bypass just about anything. Is it likely that I'm going to find it roaming around the net? I think not. That's why I layer things. If someone really wants to hack my system, they're going to do it. Nothing much I'm going to do about it. I'm not naive and think that Sandboxie is the ultimate in security. To come on here and say that you're doomed and some malware is going to bypass your security is kind of baiting.
     
  4. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Just because something is PoC does not mean that it has not or is not being used in the wild. Theory can only take you so far, the proof is in the pudding, as the saying goes.
     
  5. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    Most likely have been used in targeted attacks. We don't know how many zero-day undisclosed backdoor(?) kernel exploits state-sponsored hackers have up their sleeves.

    Malware writers targeting the masses don't need any esoteric exploit/POC, as there are so many low-hanging-fruit vulnerabilities.
     
  6. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Nah, it's so much worse than you imagine. No 0-day needed, it would be classified as a "persistent threat" because it uses signed and certified *extremely* popular kernel drivers in their normal operational condition.

    If enough people cry for it, we'll release a video of it after we're done with Safehouse.
     
  7. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    No offense, but this type of reply sort of ~ Snipped as per TOS ~ (enough to register after being a long time lurker).

    If you know of some sort of bypass to a security product (or in this case multiple operating systems), then you are ethically bound to

    1) Inform the software developers and their respective companies of this flaw
    2) Inform everyone else after the people in #1 have had time to work on a fix

    Not only that, but to make the nebulous claim that you know of a vulnerability that works on various operating systems and will bypass any virtualization software is a little hard to believe. I believe the saying goes "extraordinary claims require extraordinary evidence".

    If you are going to say things like that, you better be able to provide a PoC, otherwise it just sounds like fear mongering and ~ Snipped as per TOS ~.
     
    Last edited by a moderator: Mar 24, 2011
  8. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    hpmnick,

    In this particular case, it doesn't seem likely that the problem can be "fixed" by traditional methods, as the vulnerability exists in the trust model of the OS, not in the applications themselves.

    I informed Tzuk about the flaw of Sandboxie in June 2010, particularly: encouraging users to engage in unsafe behaviors with a false sense of security. He didn't seem concerned.

    We knew the flaw was there, we just needed to prove it, so that Saturday we decided to have some fun. Initially, proving the flaw was troublesome because Sandboxie had most of its bases covered with simple breakout attacks. But we were getting closer. Then a horrific inspiration came.

    Proof of concept code followed, and about 2 hours later, we tried it out. It worked. Not only did it work, it was devastating. After breaking out of Sandboxie, it ripped through all the antivirus and security software, and then the entire OS itself resulting in an unrecoverable system destruction in about 2 minutes.

    It was like bringing a neutron bomb to a knife fight.

    I personally like the idea of full disclosure rather than forgiveness because it eliminates marketing hype and separates strong security designs from weak ones. However, this type of software is extremely caustic to digital environments, so we've been wary of releasing it. Realize, we did this from a single web application, inside a Sandboxied browser, and it destroyed the whole OS. However, again, after we get done with our Safehouse privacy platform project, I would like to at least release a video if not full code.
     
    Last edited: Mar 26, 2011
  9. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Just sheer curiosity; who was 'we'?
    You and other XeroBank staff/colleagues or also other 'contributors'?

    Any ETA on Safehouse and the (perhaps) ensuing POC-video?
    You previously mentioned a POC which was OS-agnostic (worked on MS-OS, MAC and nix). Is this still the same POC as the one you referred to earlier?
     
  10. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Moderators: I suggest asking SteveTX nicely for the POC so you can verify that what he says is true. If it's, that's fine and he has all my respect, but if it's not true or he doesn't want to share the POC I suggest a ban for him.

    My 2 cents.
     
  11. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    My apologies, I do not have permission to identify any others involved except myself.

    Safehouse, a secure virtualized OS and free VPN client, should enter a private Windows beta at the beginning of April. Linux and Mac are taking longer because we used some binary executables in the Host OS client controller to get it working on Windows (OS priority).

    For the counter-Sandboxie PoC video, we first tried creating it with screen capture and that ended up getting eaten. We next tried exporting the display over VNC, but that didn't work for showing the boot/reboot processes/dead OS. I think we'll have to record it physically.

    Yes.

    Correction to previous post: I just looked at the old PoC code to check the dates. This was April 2009, not June 2010.
     
  12. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    @ SteveTX

    would you be inclined to share the POC with some people here at Wilders?
    if not, why?
    those are fair questions i think.

    a video would be nice, although the POC even nicer, but i hope we won't have to wait 3-4 months to see a closure to this matter.
     
  13. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Moontan,

    I would very much like to share the PoC code. We "shelved" it upon the recommendation of a party with whom we were doing responsible disclosure. Normally we don't shelve such interesting things, but this was a special case because it was so caustic and not a primary concern.

    However, I do think it has been shelved a reasonable amount of time and we could at least release a video when we get time to dust it off. I would be interested to see how it works two years later, and if any of the affected vendors have found a solution.
     
  14. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    fair enough.

    please keep us posted when you have the time.
     
  15. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Hi Steve, is Safehouse supposed to be the ultimate bunker to protect against this shelved ace of all aces of cyberweaponry o_O The custom-made malware that bypasses all VMs on all OS's o_O The way I see it is that you are a product marketer who enjoys going around, mudslinging much superior and better known competitors.

    Mods, please close this thread and do not condone such devious practices that could turn the forum into something it's not.

    What kind of security researchers refuse to identify themselves? Those who work on the black market?

    When people ask where is your proof, you tell 'em it's 'shelved', and for how long? Two years!! Things don't look too true coming out from your mouth, buddy. In proof we trust; either show some or get out.

    A caustic POC is malware in my book. A normal POC doesn't do damage, but launches calc.exe outside of a sandbox for example. This excuse is a very poor one to stall anyone asking for code to prove your "point".
     
  16. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    You're flying off the handle. This is a thread about studying malware in virtualized environments. We've got a PoC that breaks out of virtualized environments in a rather bad way that causes serious damage to the host machine. Safehouse isn't a competitor for Sandboxie; it is the project we're working on currently, after which I can devote some time back to the PoC. Read the thread, stay on topic.

    More wild speculation. I told you I don't have permission to release the identity of anyone else involved, and I respect their privacy. If they want to identify themselves, it is their prerogative, not mine.

    Restrain yourself. It isn't just Sandboxie. It is McAfee, Symantec, and more. Making enemies of every major security software vendor and releasing a new type of cross-OS malware into the wild isn't exactly something I'm keen on.

    This particular PoC has capabilities beyond file execution. Bringing up calc outside of the sandbox was trivial. The easiest way to discover its full capability was to see if it could obliterate the disk, and it did.

    This isn't a whitepaper, it was an impromptu afternoon experiment session where we struck gold a couple years ago. I'm here telling you that virtualized environments aren't safe for malware testing and relating my experience.

    In exchange I have internet personalities trying to jump down my throat for just talking about it, who now think they are entitled to source code and some detailed exhibition on demand by the mere mention of it.

    Luckily we still have the horrific code, and as I've said, I'll dust it off after we're done with the current project on our plate and show it to Wilders.
     
  17. sbseven

    sbseven Registered Member

    Joined:
    Jan 30, 2011
    Posts:
    140
    Can you put a timeframe on that, Steve? I think it would help the situation here. (I'll also put the date in my diary...)

    This 2009 thread degenerated into the same discussion (accusations): https://www.wilderssecurity.com/showthread.php?t=234845
     
  18. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    We should be through the majority of the quality assurance work on Safehouse at the end of April, if I don't get to it sooner.
     
  19. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    I didn't mention Sandboxie in my post, but VMs in general. This statement implies that this is the specific product that you are implicating all along. You are the one who diverted attention from the original question of whether malware testing in something like VBox was reliable or not into an elaborate attack on Sandboxie and a personal attack on Tzuk's integrity. Post #33 of this topic says it all.

    Whether you have the permission or not is not at debate here. But such behavior is suspicious and rather unusual. It speaks volumes of the intentions of such people.

    Avoid making enemies? I think this ship has long sailed, as you constantly accuse security vendors of knowingly not taking action to protect their users against your imaginary super malware that no one out there could conjure. Disclosure of actual vulnerabilities helps developers who appreciate the heads up. However, pointing and saying that their products have 'holes' with no evidence won't earn you any respect. I am not the one who needs restraint; it's you who's making the baseless accusations that should be restrained:

    You're not so special that everyone is chasing you trying to find out what you have up your sleeve. But your actions are an annoyance, that provoke rebuttals due to your smearing campaigns. That statement about the source code implies hypocrisy on your part, as you saw that you were entitled to Sandboxie's SC to prove its adequacy as per your request in this thread: https://www.wilderssecurity.com/showthread.php?t=234845

    Until you produce samples no one with any sense of logic should believe you.

    -bolding my emphasis-

    Well, that's 'if', and it's a big 'IF', you even possess it. From your demeanor, I doubt that you would ever reveal such code to do the right and ethical thing, that's providing, of course, it exists at all. Why should you share it with security enthusiasts and vendors for free when you label it as 'gold' and say that you are 'lucky' to have it? It should fetch a nice return on the black market or by selling it to the NSA's cyberweapons library instead, where you can be appreciated and paid for all that 'hard work'.

    Not one word I have uttered here is unjustified or directed as a personal attack, as I don't resort to such tactics. Can't say the same about your attitude towards other products and developers, however.
    I, as many others, am highlighting the holes in your logic and the cloud of pure speculation you have brought here in this topic. First you find a product that's popular and rock solid from the testing experience of numerous professional programmers and security testers. Then you derive great happiness from being a provocateur by saying it's a paper tiger.

    I won't waste any more time responding to your cyclic argument that lacks evidence of VMs not being safe: Why are they not safe? Well, because Steve says so. What makes him say that? Well, it's because of his supernatural POC payload that can penetrate all things in existence. Where is it? It's top secret; you'll have to wait another 2 years. So until then I could use VMs for testing malware? No. Steve sees that VMs are not safe. Why are they not safe? Well, because Steve says so ...
    FULL CIRCLE ACHIEVED

    I find it a laughable debate so far, filled with wild conjectures and no facts. Good luck Steve.

    My prediction as a Mod's closing post coming soon to this thread: https://www.wilderssecurity.com/showpost.php?p=1417608&postcount=85
     
    Last edited: Mar 27, 2011
  20. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    After reading through this a bit, I have some things to say.

    @Steve: Honestly, after being here at this forum as long as you have, and after having been through these verbal beatdowns numerous times before, you should know better than to bring up POCs you have that you aren't ready to disclose yet. You know how people here get: if you claim you can punch a hole through a half-worshiped vendor, you're gonna start seeing pitchforks and torches. If you especially aren't ready to prove said claim to the point no one can argue, then God help you. That being said, I have had my doubts about you and your company at times. My curiosity is sparked when you mention researchers that refuse to be identified. To me, that makes me wonder who these people are, and, perhaps more, who they work for. Being quiet for the sake of sensitivity is one thing, but this is evidently just a POC? It's either a load of BS, or it's capable of turning the security world upside down. I won't say it's either one, because I simply have no way of knowing, yet.

    @The rest of you, calm down. Stop acting like parents whose kids were bullied. Yeah, Steve is capable of turning the heat up with some of what he says, but perhaps he might know slightly more than some of the armchair security experts that seem to be in number here. You're not entitled to anything from him or anyone else. If you are a customer of his, using his products, then you have some right to know if something is wrong with his company/product. That's where your right ends. If he's a responsible person, then these vendors are going to know about whatever POC this is, if they don't already. Which, as stated by him, one already does. If he or whoever he is working with hides it from these affected vendors, never letting them know, then he deserves every pitchfork and torch he gets. At that point, trust in him and his company should cease to exist.

    @Steve: Again, you put yourself on the line when you speak of these things. I have concerns, but I've no reason to deem you to be a liar. But, having dealt with issues of sensitivity and secrecy myself, you learn that if you aren't prepared to talk about something, you simply don't talk. At least not to those who aren't on the "need to know" list.
     
  21. markedmanner

    markedmanner Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    134
    I have searched and searched online and different resources for a POC of malware that bypasses virtual machines. I have yet to find any. I know some malware can be VM-aware and not execute properly, but that's it. If you indeed have a POC of a VM being bypassed, that would be a pretty big revelation. I'm sure it's possible you indeed do, but at the same time I have my doubts, because if it existed I'm sure someone else would have already released a POC.
     
  22. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Did you search here? Because there are threads here about bypasses in products like Returnil, Sandboxie and a few others.
     
  23. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    This entire subforum is entitled "sandboxing and virtualization", so clearly there is some inherent confusion that will occur, as many people around here seem to use the terms interchangeably. Let me be clear: I am saying 1) running malware in sandboxes is definitely a bad move, specifically Sandboxie in my experience, and 2) running malware in unprotected virtual machines is a bad idea in general.

    The PoC we made executed a breakout of a Sandboxied browser, and leveraged a simple VM payload that destroyed the disk. If one were to chain the payload to a VM breakout attack instead, the result would also destroy a Mac/Linux/Windows OS as well.

    If you've never heard of these types of attacks, I can understand your skepticism. However, I assure you it is just the forefront of the war against malware. For those of you doubters, you don't have to wait for the video or even take my word for it, these issues are already documented elsewhere:

    0) the existence of sandbox/vm-aware malware
    1) the existence of sandbox breakout attacks
    2) the existence of virtualization breakout attacks and ultimately,
    3) the existence of these chained into VM malware

    dw426,

    You are right. I can't help but notice the more information I give out about the attack, the more upset people seem to be getting. Many folks have a hard time dealing with curiosity, but I don't think the response should be to attack the speaker. These aren't extraordinary claims to anyone who is actually in the infosec world, so why am I the first to mention it on a security forum?
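
The post above warns against running malware in "unprotected" virtual machines. As an added example for this thread (not code posted by anyone in it), here is a small audit script that reads the text `VBoxManage showvminfo <vm> --machinereadable` prints and flags the settings that weaken the guest/host barrier before a sample is detonated: shared clipboard, drag-and-drop, network adapters that reach the LAN or internet, and shared folders. The key names it looks for (clipboard, draganddrop, nicN, SharedFolderNameMachineMappingN / SharedFolderPathMachineMappingN) are assumed to match VirtualBox's machine-readable output; the sample input is constructed, not captured from a real machine.

```python
"""Audit the isolation settings of a VirtualBox malware-analysis VM.

Added example, not code from the thread. It parses the output of
`VBoxManage showvminfo <vm> --machinereadable` and reports settings that
let guest activity reach the host or the network. Assumption: the key
names used below match the machine-readable output of your VirtualBox
version; check them against your own output before trusting the result.
"""
import re

# Constructed sample output for a loosely configured lab VM (not real output).
SAMPLE_SHOWVMINFO = """\
name="malware-lab"
ostype="Windows10_64"
clipboard="bidirectional"
draganddrop="hosttoguest"
nic1="bridged"
nic2="none"
SharedFolderNameMachineMapping1="samples"
SharedFolderPathMachineMapping1="/home/analyst/samples"
"""

# Adapter modes that keep the guest off the host's LAN and the internet.
ISOLATED_NIC_MODES = {"none", "null", "intnet"}


def parse_showvminfo(text):
    """Turn key="value" lines into a dict, dropping the surrounding quotes."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip().strip('"')
    return settings


def audit_isolation(settings):
    """Return (setting, value, reason) tuples for each setting that weakens
    the guest/host barrier. An empty list means nothing was flagged."""
    findings = []
    clipboard = settings.get("clipboard", "disabled")
    if clipboard != "disabled":
        findings.append(("clipboard", clipboard,
                         "shared clipboard moves data between guest and host"))
    dnd = settings.get("draganddrop", "disabled")
    if dnd != "disabled":
        findings.append(("draganddrop", dnd,
                         "drag-and-drop can carry files across the boundary"))
    for key, value in settings.items():
        # nic1, nic2, ...: anything other than an isolated mode is flagged,
        # including the NAT default, which still reaches the internet.
        if re.fullmatch(r"nic\d+", key) and value not in ISOLATED_NIC_MODES:
            findings.append((key, value,
                             "adapter reaches the host network; prefer intnet or none"))
        # Each shared folder N has a name key and a matching path key.
        if key.startswith("SharedFolderNameMachineMapping"):
            index = key[len("SharedFolderNameMachineMapping"):]
            path = settings.get("SharedFolderPathMachineMapping" + index, "?")
            findings.append((key, value,
                             "shared folder exposes host directory " + path))
    return findings


def audit_text(text):
    """Convenience wrapper: parse the showvminfo text, then audit it."""
    return audit_isolation(parse_showvminfo(text))


if __name__ == "__main__":
    for setting, value, reason in audit_text(SAMPLE_SHOWVMINFO):
        print("%-32s = %-14s %s" % (setting, value, reason))
```

Run it against a real VM by piping `VBoxManage showvminfo <vm> --machinereadable` into `audit_text`; a clean lab VM returns an empty list. The check is deliberately conservative: it flags the NAT default as well as bridged and host-only adapters, because for malware detonation the question is whether the guest can reach anything outside the VM at all, not just the LAN.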
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Can it do this if the executable isn't allowed to run?

    Steve, I think the problem people are having is, that you aren't giving out information, you are making a claim, with no information to substantiate that claim. Huge difference.
     
  25. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    That's pretty much it. Around here, saying something can happen or is happening, without discussing it in detail and providing hard proof, is asking to get your butt verbally handed to you on a platter with a fork and napkin. As I pointed out in an earlier post, these attacks have already happened, and they are not only documented here in these forums (does anyone search anymore?), but elsewhere. Some act like malware authors aren't aware of Sandboxie and others. I adore Sandboxie, for instance; I think that, properly configured, it can be a tremendous asset to security. But I certainly don't think it foolproof, or that its creator is some god-like genius incapable of mistakes. Without seeing one single instance of compromising these types of protection, I know full well they aren't invulnerable.

    Again, if you're not prepared to give out specifics yet (believe me, I'm well aware of how difficult it is to deal with sensitive information, and, which might be the case with you or might not, to have all the red tape to deal with too), then it's best to not even bring it up. If you've done what you can by informing those who do need to know, when you could, and they blew you off, then there isn't much you can do. If that's also the case, then the messenger is being shot here. Which, of course isn't fair, but hey, pretty much goes with the territory.

    I too am interested in knowing if this evidently deadly little beaut can get past default-deny as well. My guess would be no, but, you're the one with the POC.
     