Re: Sandboxie Isolation Demonstration: CryptoLocker
Posted: Wed Jun 11, 2014 4:16 pm
We are unable to repro this in-house because CryptoLocker has evolved and we no longer have the original version used in the demo. But, we have been testing other APIs and I think I know what CryptoLocker was doing.
The issue here is that any app in the sandbox can see the actual sandbox folder if it traverses down the directory tree using FindFirstFile/FindNextFile.
E.g. if an app goes searching through the disk, it can go right into C:\Sandbox\admin\DefaultBox, and see everything that is in there. CryptoLocker goes through the entire HD looking for documents and pics. So eventually it will make its way into the real sandbox folder.
We could prevent this from happening by hooking FindFirstFile/FindNextFile, and blocking the app from seeing into the sandbox folder. But I am not sure how much effort this would require and it could easily be thwarted by unhooking. As it is now, it is harmless.
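As an added illustration (my own code, not Sandboxie's), here is a Python model of the enumeration filter the post proposes: a FindFirstFile/FindNextFile hook that drops any result whose full path lands inside C:\Sandbox\admin\DefaultBox, including the box directory itself when its parent is listed. The directory tree is constructed, the walk is simulated, and the function names are my own; the hook installation is not modeled, which is also why an app that unhooks still sees the real folder.

```python
import ntpath

# Sandbox root named in the post; the filter hides it and everything below it.
SANDBOX_ROOT = r"C:\Sandbox\admin\DefaultBox"

# Constructed stand-in for the disk: directory -> entries FindFirstFile/
# FindNextFile would return (no Windows needed; this is a model).
FAKE_DISK = {
    "C:\\": ["Sandbox", "Users", "Windows"],
    r"C:\Sandbox": ["admin"],
    r"C:\Sandbox\admin": ["DefaultBox"],
    r"C:\Sandbox\admin\DefaultBox": ["drive", "user"],
    r"C:\Sandbox\admin\DefaultBox\user": ["current"],
    r"C:\Users": ["admin"],
    r"C:\Users\admin": ["report.docx", "photo.jpg"],
    r"C:\Windows": ["notepad.exe"],
}

def _normalize(path):
    # Win32 paths are case-insensitive and accept '/' as a separator; fold both
    # and end with one separator so "DefaultBox2" is not matched as a prefix.
    p = ntpath.normpath(path.replace("/", "\\")).lower()
    return p.rstrip("\\") + "\\"

def is_inside_sandbox(path, sandbox_root=SANDBOX_ROOT):
    """True if path is the sandbox root or anything below it. None = no filter."""
    if sandbox_root is None:
        return False
    return _normalize(path).startswith(_normalize(sandbox_root))

def enumerate_dir(directory, sandbox_root=SANDBOX_ROOT):
    """Filtered listing of one directory, as the hooked API would return it."""
    key = _normalize(directory)
    entries = next((v for k, v in FAKE_DISK.items() if _normalize(k) == key), [])
    # Dropping the entry here hides the box from its parent's listing too.
    return [n for n in entries
            if not is_inside_sandbox(ntpath.join(directory, n), sandbox_root)]

def walk_visible(root="C:\\", sandbox_root=SANDBOX_ROOT):
    """Whole-disk sweep like the one the post describes; returns every path
    the sandboxed app can reach. Pass sandbox_root=None to see the unfiltered
    result, where the sweep walks straight into the real sandbox folder."""
    seen = []
    for name in enumerate_dir(root, sandbox_root):
        full = ntpath.join(root, name)
        seen.append(full)
        seen.extend(walk_visible(full, sandbox_root))
    return seen
```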