Sandboxie Isolation Demonstration: Cryptoplocker

[Curt@invincea]

We are unable to repro this in-house because CryptoLocker has evolved and we no longer have the original version used in the demo. But, we have been testing other APIs and I think I know what CryptoLocker was doing.

The issue here is that any app in the sandbox can see the actual sandbox folder if it traverses down the directory tree using FindFirstFile/FindNextFile.

E.g. if an app goes searching through the disk, they can go right into C:\Sandbox\admin\DefaultBox, and see everything that is in there. CryptoLocker goes through the entire HD looking for documents and pics. So eventually it will make its way into the real sandbox folder.

We could prevent this from happening by hooking FindFirstFile/FindNextFile, and blocking the app from seeing into the sandbox folder. But I am not sure how much effort this would require and it could easily be thwarted by unhooking. As it is now, it is harmless.

[Buster]

I understand what you mean. The malware starts at root of C drive and starts traversing all folders in hard disk. Then it shows all files being a pic or a document. Therefore the malware did not see sandbox folder but just found it.

If you find an easy method to implement which allows hiding sandbox container folder without creating incompatibilites then I would go for it. If not, just keep it as it is.

Thanks for taking care of the issue and finding out what was going on!

[Nix]

@Curt

Now that it's cleared, can you guys create a new video demo with regards to "Cryptowall"...