Sandboxie Isolation Demonstration: Cryptoplocker
On the Sandboxie homepage there is a YouTube video demonstrating the effectiveness of SB against Cryptolocker: https://www.youtube.com/watch?v=aMtyGNviiRY
I noticed in the video, and it's pointed out in the YouTube comments, that at the 02:15 mark it shows the files that got encrypted by Cryptolocker. One of those files was outside of the sandbox directory. The file is "Penguins.jpg" and it shows the location as C:\Users\Public\Pictures\Sample Pictures.
I'm curious how this file was able to get encrypted by Cryptolocker. Did Sandboxie fail to fully protect the system? Was it some leftover file from testing? Anyone know?
Re: Sandboxie Isolation Demonstration: Cryptoplocker
The malware was successfully contained, but for some reason Sandboxie is not returning a fake path. The path that should be shown is the path on the real system, like it does with the "Penguins.jpg" file, but instead it is showing the path inside the sandbox folder.
I consider this a glitch that should be fixed. I already requested a feature to show the fake path in other conditions too:
http://forums.sandboxie.com/phpBB3/view ... =4&t=18356
Re: Sandboxie Isolation Demonstration: Cryptoplocker
Why do you think it's a glitch? Cryptolocker was activated inside the sandbox, so it will encrypt all the files inside the sandbox. The file path is correct. The only question is how Penguins.jpg got encrypted outside the sandbox.
Re: Sandboxie Isolation Demonstration: Cryptoplocker
Strange ...
Even upon deletion the file path to the sample picture is not included.
Regards,
Nix
Win7 Ultimate (x64)

Re: Sandboxie Isolation Demonstration: Cryptoplocker
@Curt: any comment about this?
Re: Sandboxie Isolation Demonstration: Cryptoplocker
There are only three things I can think of...
1) There was an Immediate Recovery box, in which the user could have accidentally recovered a single file...
2) All of the other files were in his profile folder. Sandboxie has two sandbox folders, one for the user and one for the drive. The Public user folder would have ended up in the drive sandbox, and the path could have been hidden.
3) The Public user folder was given full access?
Re: Sandboxie Isolation Demonstration: Cryptoplocker
Curt: Please don't miss commenting on this thread.
Re: Sandboxie Isolation Demonstration: Cryptoplocker
Anyone at Invincea care to comment on this...
Regards,
Nix
Win7 Ultimate (x64)

Curt@invincea
- Sandboxie Lead Developer
- Posts: 1638
- Joined: Fri Jan 17, 2014 5:21 pm
Re: Sandboxie Isolation Demonstration: Cryptoplocker
I will look into this as soon as I have time.
Re: Sandboxie Isolation Demonstration: Cryptoplocker
I think Buster provided the best explanation so far. The sandboxed applications should not be able to see the real sandboxed locations of the files. Sandboxie has the responsibility to intercept the APIs being used to retrieve the file locations and adjust them. So the problem is not the application reporting the Penguins.jpg file in "C:\Users\Public\Pictures\Sample Pictures", but rather every other single file, and the fact that the real location of the files somehow leaked to the sandboxed program. Buster apparently has also identified the required API that needs to be intercepted to fix this. Nice work. It is important to note that this could be a potential problem for legitimate software as well: if it uses the same method that this malware uses to retrieve the file locations, it might not be able to work properly in Sandboxie.
I also gave Cryptolocker a try myself just to make sure, and was able to reproduce this exact behavior. Even though I am unsure at the moment why only that single file's location (C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg) differs from the others in the malware's list of affected files, I can confirm that nothing has leaked from the sandbox, and the real JPG file is still intact.
Best Regards
Hamy
Re: Sandboxie Isolation Demonstration: Cryptoplocker
Hamy wrote: I also gave Cryptolocker a try myself just to make sure, and was able to reproduce this exact behavior. Even though I am unsure at the moment why only that single file's location (C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg) differs from the others in the malware's list of affected files, I can confirm that nothing has leaked from the sandbox, and the real JPG file is still intact.
That's reassuring... but the bug still needs to be fixed!
Regards,
Nix
Win7 Ultimate (x64)

Re: Sandboxie Isolation Demonstration: Cryptoplocker
Curt: Any update about this issue?
Curt@invincea
- Sandboxie Lead Developer
- Posts: 1638
- Joined: Fri Jan 17, 2014 5:21 pm
Re: Sandboxie Isolation Demonstration: Cryptoplocker
Buster and Hamy are correct. A sandboxed app should not be able to see the "real" sandboxed path. To Cryptolocker, they should all look like C:\Users\Public\Pictures\Sample Pictures\penguins.jpg.
This does not present any kind of a leak or hole. The sandboxed app cannot access the file outside the sandbox. The only issue here is that the sandboxed app can determine that it is inside a sandbox by looking at the file path. But there are many other ways to accomplish that goal already (that cannot be plugged). We will attend to these as soon as we can get to them.
Re: Sandboxie Isolation Demonstration: Cryptoplocker
Curt@invincea wrote: Buster and Hamy are correct. A sandboxed app should not be able to see the "real" sandboxed path. To Cryptolocker, they should all look like C:\Users\Public\Pictures\Sample Pictures\penguins.jpg.
This does not present any kind of a leak or hole. The sandboxed app cannot access the file outside the sandbox. The only issue here is that the sandboxed app can determine that it is inside a sandbox by looking at the file path. But there are many other ways to accomplish that goal already (that cannot be plugged). We will attend to these as soon as we can get to them.
As Hamy pointed out, it is important to fix this issue not just because an app can determine it is being run sandboxed, but also because legitimate software may get confused.
Hamy wrote: It is important to note that this could be a potential problem for legitimate software as well: if it uses the same method that this malware uses to retrieve the file locations, it might not be able to work properly in Sandboxie.
Re: Sandboxie Isolation Demonstration: Cryptoplocker
Curt: Do you know already why the malware is showing the path to the sandbox?