About the Prueba/Bifrose Trojan
Moderator: Barb@Invincea
-
- Posts: 216
- Joined: Sat Jan 14, 2006 11:08 am
Well, I just don't think it's likely that all of a sudden my other security tools or system configuration are causing this problem, I mean it never happened before? And besides, this new "SafeSpace" tool was not bypassed on a virtual machine which I experimented quite a lot on. Another thing, my HIPS does notify me about suspicious behavior; if I block it nothing happens, if I allow it, SBIE can't stop this trojan. And last but not least, I'm not the only one who experienced it. I think it's a serious bug in SBIE.
Also, I noticed that this Prueba trojan is protected by Themida, perhaps this has something to do with it? And isn't it true that some malware can behave differently on each system, depending on certain criteria? For example, if malware detects that it's running in a virtual machine, it will terminate itself, or it will only work in a certain time frame.
-
- Posts: 216
- Joined: Sat Jan 14, 2006 11:08 am
> Rasheed187, you mentioned a few times you use virtual machines. Would you test the trojan in a fresh VM that runs only Windows and Sandboxie?

Good idea, I will try to do this.

> Sandboxie doesn't block operations initiated by kernel mode components, because you never know what system instabilities that might introduce. And besides, if you can't trust kernel mode components, you're already in trouble.

But the thing is, SBIE should stop all dangerous behavior which could cause malware to do whatever it likes outside the sandbox, not?
-
- Posts: 2690
- Joined: Tue Dec 26, 2006 5:44 pm
- Location: West Florida
Hell yeah, I was correct from the beginning. I knew it had to be something installed on their PC that was allowing the virus to escape, good job finding out what program it was tzuk. Now we should finally be able to lay this "Prueba virus" issue to rest.
Windows 7 SP1 x64, Sandboxie v3.70 x64 with Experimental Protection, GnuPG, OTR (Off-The-Record), Sticky Password, My Brain.
-
- Posts: 216
- Joined: Sat Jan 14, 2006 11:08 am
Very cool tzuk, may I ask how you figured this out? I've quickly tested it with the new version and now Prueba terminates itself, it can't break out of the sandbox anymore. Btw, it would be cool if you could also figure out why, with the registry monitor enabled in SSM, my system crashes when I sandbox a tool.
But anyway, this is another proof that combining security tools can cause serious security holes, not really happy about this. And to be honest, I think I have seen this behavior on machines where SSM wasn't even installed, but I will need to test this a bit more.
-
- Posts: 216
- Joined: Sat Jan 14, 2006 11:08 am
Btw tzuk, did you contact NicM, any news on this? Because quite a lot of HIPS were bypassed by these kinds of rootkits. Also, it looks like this fix has solved my other strange problem with SSM, finally they seem to be working together with no strange conflicts (so I can now turn on my registry monitor again), very exciting! And btw, this Bifrose trojan isn't really that dangerous, but I wonder if SBIE could protect against rootkits that use the same technique. You might want to check out this thread (SBIE still needs to be tested, you might want to contact NicM):
http://www.wilderssecurity.com/showthread.php?t=180969