About the Prueba/Bifrose Trojan


Rasheed187
Posts: 216
Joined: Sat Jan 14, 2006 11:08 am

Post by Rasheed187 » Mon Aug 13, 2007 1:54 pm

Well, I just don't think it's likely that all of a sudden my other security tools or system configuration are causing this problem, I mean it never happened before? And besides, this new "SafeSpace" tool was not bypassed on a virtual machine which I experimented quite a lot on. Another thing, my HIPS does notify me about suspicious behavior; if I block it nothing happens, if I allow it, SBIE can't stop this trojan. And last but not least, I'm not the only one who experienced it. I think it's a serious bug in SBIE. :?

Also, I noticed that this Prueba trojan is protected by Themida, perhaps this has something to do with it? And isn't it true that some malware can behave differently on each system, depending on certain criteria? For example, if malware detects that it's running in a virtual machine, it will terminate itself, or it will only work in a certain time frame.

Rasheed187
Posts: 216
Joined: Sat Jan 14, 2006 11:08 am

Post by Rasheed187 » Mon Aug 13, 2007 1:59 pm

> Rasheed187, you mentioned a few times you use virtual machines. Would you test the trojan in a fresh VM that runs only Windows and Sandboxie?

Good idea, I will try to do this. :wink:

> Sandboxie doesn't block operations initiated by kernel mode component, because you never know what system instabilities that might introduce. And besides, if you can't trust kernel mode components, you're already in trouble.

But the thing is, SBIE should stop all dangerous behavior which could cause malware to do whatever it likes outside the sandbox, no?

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Wed Aug 15, 2007 10:15 pm

Turns out this was a conflict between SSM and Sandboxie on some minor point, which happened to enable the Prueba virus/trojan to work.

This explains why Rasheed187, who uses both products together, was about the only person in the world to experience the problem. :roll: :wink:

Fixed in version 3.00.15.
tzuk

SnDPhoenix
Posts: 2690
Joined: Tue Dec 26, 2006 5:44 pm
Location: West Florida

Post by SnDPhoenix » Thu Aug 16, 2007 4:13 am

Hell yeah, I was correct from the beginning. I knew it had to be something installed on their PC that was allowing the virus to escape; good job finding out what program it was, tzuk. :wink: Now we should finally be able to let this "Prueba virus" issue be laid to rest.
Windows 7 SP1 x64, Sandboxie v3.70 x64 with Experimental Protection, GnuPG, OTR (Off-The-Record), Sticky Password, My Brain.

Unknown_User_520
Posts: 0
Joined: Wed Dec 31, 1969 7:00 pm

Post by Unknown_User_520 » Thu Aug 16, 2007 6:07 am

Thanks for clearing this up, tzuk. It is a well-known cliche that a security soft is only as good as its support, which is why Sandboxie is one of the best. And to all the doubters it is a pleasure to say: :roll: :roll: :roll: :roll: :D

Rasheed187
Posts: 216
Joined: Sat Jan 14, 2006 11:08 am

Post by Rasheed187 » Fri Aug 17, 2007 1:05 pm

Very cool tzuk :) , may I ask how you figured this out? I've quickly tested it with the new version and now Prueba terminates itself; it can't break out of the sandbox anymore. Btw, it would be cool if you could also figure out why, with the registry monitor enabled in SSM, my system crashes when I sandbox a tool.

But anyway, this is more proof that combining security tools can cause serious security holes; I'm not really happy about this. And to be honest, I think I have seen this behavior on machines where SSM wasn't even installed, but I will need to test this a bit more.

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Fri Aug 17, 2007 1:50 pm

I figured this out by installing SSM and then running the trojan sandboxed. Thanks for taking the time to confirm the problem has been fixed.
tzuk

Rasheed187
Posts: 216
Joined: Sat Jan 14, 2006 11:08 am

Post by Rasheed187 » Sun Aug 26, 2007 10:18 am

And btw, this Bifrose trojan isn't really that dangerous, but I wonder if SBIE could protect against rootkits that use the same technique. You might want to check out this thread (SBIE still needs to be tested, you might want to contact NicM):

http://www.wilderssecurity.com/showthread.php?t=180969

Btw tzuk, did you contact NicM, any news on this? Because quite a lot of HIPS were bypassed by these kinds of rootkits. Also, it looks like this fix has solved my other strange problem with SSM; finally they seem to be working together with no strange conflicts (so I can now turn on my registry monitor again), very exciting! :D

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Sun Aug 26, 2007 8:15 pm

I haven't contacted NicM, so there isn't any news. Glad everything is A-OK for you now. :)
tzuk
