FLAME Virus

Lode
Posts: 136
Joined: Wed Oct 10, 2007 6:08 pm

FLAME Virus

Post by Lode » Tue May 29, 2012 6:32 pm

Hi!
Reading about the latest, most sophisticated virus ever detected so far, the "Flame" virus, also called "SkyWiper", I wonder if such malware could be installed while one is running the browser and email client sandboxed, and if programs applying HIPS would detect it and prevent it from installing without one's permission.

I'm just a regular home user, of no interest to the source (Israel?) of this super spyware. But just out of curiosity...

Here is the most complete up-to-date info on this issue: http://www.securelist.com/en/blog/20819 ... nd_Answers

tonyseeking
Posts: 50
Joined: Mon Feb 02, 2009 11:49 pm

Re: FLAME Virus

Post by tonyseeking » Wed May 30, 2012 2:47 am

Lode wrote: Hi!
Reading about the latest, most sophisticated virus ever detected so far, the "Flame" virus, also called "SkyWiper", I wonder if such malware could be installed while one is running the browser and email client sandboxed, and if programs applying HIPS would detect it and prevent it from installing without one's permission.

I'm just a regular home user, of no interest to the source (Israel?) of this super spyware. But just out of curiosity...

Here is the most complete up-to-date info on this issue: http://www.securelist.com/en/blog/20819 ... nd_Answers
Trust No Program, not even SBIE 100%. Remember, nothing is perfect, even though SBIE comes close :lol:

Lode
Posts: 136
Joined: Wed Oct 10, 2007 6:08 pm

Post by Lode » Wed May 30, 2012 3:42 am

You're right about sandboxing not being 100% safe. It doesn't protect against spying, unless one knows how to set it up in such a way that the items one wants to protect from that are made immune to it. At least that is what I understand from reading about this on another thread.
And if I remember well, Tzuk has said that some stuff even gets through sometimes and is installed anyway, but that this happens seldom, and that he finds a patch for those sporadic occasions.

Still Sandboxie is an excellent protection against malware programs installing, although a sophisticated team like the Flame writers could probably find a way.

So then I still wonder about HIPS. I thought it would monitor any changes made as far as installations are concerned, and then ask one for permission. I'm using the Online Armor firewall, and every time (it seems) I have anything new installed, it asks if I want that, and I see that the install stops until I tell OA it's OK. But I don't know if that is HIPS. It doesn't look like it from this explanation:
"HIPS Explained": http://www.techsupportalert.com/content ... lained.htm

lylejk
Posts: 117
Joined: Thu Mar 26, 2009 5:19 pm

Post by lylejk » Wed May 30, 2012 2:14 pm

Just finished a PM exchange with tzuk too on a similar theme. I received an email from a friend that I've not heard from in quite a while. I clicked on the link and it commenced to read my IE based Yahoo email bookmarks and sent out rogue emails. I killed the session and all's well (no local infection) except I had to contact the folks that received the rogue emails. Still weird that it was able to take over an online session to do this. There is no such thing as 100% protection and the person behind the keyboard has to be very careful now. I should have known better but got suckered anyway. Just be on your Ps and Qs. :)

Lode
Posts: 136
Joined: Wed Oct 10, 2007 6:08 pm

Post by Lode » Thu May 31, 2012 5:34 pm

I would react like this :shock:.

Then:

If on AC, immediately pull the plug out of my laptop. If on battery, immediately press down hardware "Off" button until system shuts down.
Start in Safe Mode (no Networking).
Scan with AV's.
Remove email.

Maybe use latest system backup from external hard drive in case I still had doubts.

Guest10
Posts: 5124
Joined: Sun Apr 27, 2008 5:24 pm
Location: Ohio, USA

Post by Guest10 » Thu May 31, 2012 6:49 pm

lylejk wrote: I clicked on the link and it commenced to read my IE based Yahoo email bookmarks and sent out rogue emails.
I'm thinking that maybe I should implement Start/Run Restrictions for my email sandbox, like I do in 2 Firefox sandboxes.
That might prevent this type of thing from happening.
My email program already prohibits any JavaScript routine in an email from running. Plus, I don't install Java.

It's a bit of a hassle to set up Start/Run, for a short time, but it may be worth it. The number of programs that need to run using that sandbox is probably pretty low.
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007

lylejk
Posts: 117
Joined: Thu Mar 26, 2009 5:19 pm

Post by lylejk » Thu May 31, 2012 8:56 pm

The thing is I'm not using an email program; I'm using IE web browser. It actually read my email bookmarks in Yahoo Mail which uses, I believe, AJAX. I'm no programmer and God only knows why I remembered this. lol

Scary that someone figured out how to attack a browser based email system. Guess I'm behind the times since I think this is new and probably isn't. lol

:)

ssj100
Posts: 945
Joined: Thu Apr 23, 2009 1:21 am
Contact:

Post by ssj100 » Fri Jun 01, 2012 12:20 am

lylejk wrote: The thing is I'm not using an email program; I'm using IE web browser. It actually read my email bookmarks in Yahoo Mail which uses, I believe, AJAX. I'm no programmer and God only knows why I remembered this. lol

Scary that someone figured out how to attack a browser based email system. Guess I'm behind the times since I think this is new and probably isn't. lol

:)
I've vaguely heard about attacks like that, but I'm a little surprised that it actually does occur in the wild. Come to think about it, I've been sent many similar e-mails from "friends that I hadn't heard from for a long time", and I would open the e-mail and see some random writing and a (suspicious) link or two. My habit has always been to immediately delete the e-mail. However, I always think to myself that Sandboxie + LUA + SRP would contain/block any malicious events even if I were to click on the link(s). Now, it appears that this is not really the case, and it really emphasises the importance of security awareness - you need a good security "approach", not just a good security "setup" (my favourite mantra haha).
Sandboxie + SUA + DEP
Windows Firewall + NAT Router
Drive SnapShot (on-demand)
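The pattern ssj100 describes (a long-silent contact, a few words of random text, and a suspicious link) is something a mail filter can score before anyone clicks. The following is an added example, not code from the thread or from any product mentioned in it: a small heuristic triage function run over constructed sample messages. The contact history, thresholds, field names and sample e-mails are all assumptions made for illustration.

```python
"""Heuristic triage for 'dormant friend sends a bare link' e-mails.

Added example, not from the forum thread. It scores a message on the
traits described in the thread: a known contact who has been silent for a
long time, a short body that is mostly a link, a link host that contact
has never used before, and an empty subject. Everything below (contacts,
thresholds, messages) is constructed for illustration.
"""
from datetime import date
import re

# Matches the scheme and host of an http(s) URL; group 1 is the host.
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)

# Constructed contact history: last date each contact wrote to us and the
# link hosts they have used in earlier mail.
CONTACTS = {
    "alice@example.com": {"last_seen": date(2009, 3, 14),
                          "known_hosts": {"photos.example.com"}},
    "bob@example.org": {"last_seen": date(2012, 5, 28),
                        "known_hosts": set()},
}

DORMANT_DAYS = 365        # a contact silent this long counts as dormant
SHORT_BODY_CHARS = 120    # body text (links removed) shorter than this is "bare"
TODAY = date(2012, 6, 1)  # fixed reference date so the example is reproducible


def score_message(msg, today=TODAY, contacts=CONTACTS):
    """Return (score, reasons); a higher score means more suspicious."""
    reasons = []
    sender = msg["from"].lower()
    body = msg["body"].strip()
    hosts = [h.lower() for h in URL_RE.findall(body)]
    contact = contacts.get(sender)

    if contact and (today - contact["last_seen"]).days > DORMANT_DAYS:
        reasons.append("dormant contact")
    if hosts:
        text_only = URL_RE.sub("", body).strip()
        if len(text_only) < SHORT_BODY_CHARS:
            reasons.append("body is mostly a link")
        if contact and any(h not in contact["known_hosts"] for h in hosts):
            reasons.append("link host never seen from this contact")
    if not msg.get("subject", "").strip():
        reasons.append("empty subject")
    return len(reasons), reasons


def triage(messages, today=TODAY, threshold=2):
    """Return the ids of messages whose score reaches the threshold."""
    return [m["id"] for m in messages if score_message(m, today)[0] >= threshold]


# Constructed sample mailbox: one rogue-looking mail from a dormant contact,
# one ordinary mail, and one legitimate link from the same dormant contact.
SAMPLE_MESSAGES = [
    {"id": 1, "from": "alice@example.com", "subject": "",
     "body": "hey check this out http://win-prizes.example.net/x"},
    {"id": 2, "from": "bob@example.org", "subject": "Re: dinner",
     "body": "See you Friday at 7, I'll bring the dessert this time."},
    {"id": 3, "from": "alice@example.com", "subject": "Holiday pics",
     "body": ("Uploaded the album here http://photos.example.com/album/12 - "
              "let me know what you think. It was a great trip, the weather "
              "held up all week and the kids loved the beach. We should plan "
              "something together this summer.")},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["id"], score_message(m))
    print("flagged:", triage(SAMPLE_MESSAGES))
```

Message 1 collects all four reasons and is flagged; message 3, from the same dormant contact, scores only one point because it has a real subject, a long body and a host Alice has used before. The threshold is deliberately low, since the cost of a false flag (reading before clicking) is small compared to a hijacked webmail session.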

Peter2150
Posts: 879
Joined: Tue Mar 27, 2007 9:46 pm
Location: Washington DC

Post by Peter2150 » Sun Jun 03, 2012 9:11 am

One thing folks need to remember: SBIE contains malware, it doesn't prevent it from running.

A while back I was playing with some virus, and when run it would take over the screen flashing all kinds of stuff, couldn't get to the taskbar, or anything short of a power reset. Then it owned the system.

Running it sandboxed produced all the same stuff, with one key exception: once rebooted, the system was clean.

But I also back up my installation with Appguard, and OA.

Pete

ssj100
Posts: 945
Joined: Thu Apr 23, 2009 1:21 am
Contact:

Post by ssj100 » Sun Jun 03, 2012 9:41 am

Peter2150 wrote: But I also back up my installation with Appguard, and OA.
I think the point lylejk was making is that programs like Appguard and OA would not prevent online malware reading web-based e-mail bookmarks and sending out rogue e-mails. In fact, I can't think of anything that can stop this, apart from not clicking on the malicious link in the first place. But then again, I'm sure the malware could be programmed so that you wouldn't even need to click on the link, but would simply need to open the e-mail.
Sandboxie + SUA + DEP
Windows Firewall + NAT Router
Drive SnapShot (on-demand)

lylejk
Posts: 117
Joined: Thu Mar 26, 2009 5:19 pm

Post by lylejk » Tue Jun 05, 2012 6:50 pm

ssj100 is right; there is no way to stop a virus that can work inside the sandbox itself. I was an idiot (remedied it quickly by killing my XP VM session itself, then afterwards changed my passwords) and it did send out about 10 emails using my online Yahoo email. I had no idea that they could do this, but I now know they can. Fortunately, it's been years since I updated my online email bookmarks, and only around 5 folk actually received rogues, and I did manage to contact them (nice to have an email exchange with a few of them since it's been literally years for some of them). Be leery about links within email addresses for sure, but if you are still logged into Yahoo, any online link may be able to do this (hope not; hope it can only work within an AJAX email session), but it was an eye opener for someone who shouldn't be surprised (that would be me). :)

ssj100
Posts: 945
Joined: Thu Apr 23, 2009 1:21 am
Contact:

Post by ssj100 » Wed Jun 06, 2012 2:42 am

lylejk wrote: ssj100 is right; there is no way to stop a virus that can work inside the sandbox itself.
Perhaps a more accurate way of putting it is that there is no way to stop a virus that can work inside the sandbox and only uses the online web interface to perform its malicious activity. This makes me wonder whether the virus even needs to write to disk?

Sandboxie would still be able to contain it, but it wouldn't be able to stop it from running.
Sandboxie + SUA + DEP
Windows Firewall + NAT Router
Drive SnapShot (on-demand)
