Petya!
Re: Petya!
I am absolutely not an expert and I don't test viruses, but I'd suggest you test it on a VM, because it is a new and strong virus that nobody, I think, knows how it works exactly yet.
Not saying SBIE can't handle it, just saying stay safe.
Re: Petya!
The real question is does Sandboxie prevent over writing the MBR
- Sandboxie Support
- Posts: 3523
- Joined: Thu Jun 18, 2015 3:00 pm
- Location: DC Metro Area
Re: Petya!
If the MBR code is written when the disk is partitioned, and SBIE doesn't permit driver installations.
The .dll access to write to the drive would need a driver, and that wouldn't be permitted in SBIE.
The I/O communication, in theory, could be written to directly I assume, but that would take a lot of reverse engineering, etc. It's far from an easy process.
However, we block known exploits, like the mount volume issue that was posted on YouTube last year. Sure, there are other vectors, do we know all of them? No. But common ones? Yep.
Have we had Bounties to ID certain ones? Particularly like what you mentioned? Yes. And they could not come up with anything that we didn't already know? Nope. That's with a significant $ bounty late last year. Doesn't mean 100%, as nothing is, but it shows the resilience of SBIE.
That's why if we find out about a possible exploit or even become suspicious of one, we jump on it.
Re: Petya!
Hi Craig
In this case the MBR isn't written when a disk is partitioned. If the malware is allowed to run, then the first thing it does is overwrite the MBR. Then it reboots and presents a fake Chkdsk run, at which point it encrypts the MFT. So the preventative is not allowing a write to the MBR.
Worst part is if someone falls for the human engineering part of this they probably wouldn't be running in Sandboxie.
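As an added defender-side example (not code from this thread, from Sandboxie, or from any of the posters), the check below baselines the MBR's bootstrap code and partition table and flags the overwrite Pete describes; the sectors are constructed sample data, and in a real deployment you would read sector 0 of the physical disk with administrative rights and keep the baseline somewhere the malware cannot reach.

```python
"""Baseline-and-verify check for a 512-byte Master Boot Record (MBR).
Added example (not code from the thread or from Sandboxie): hash the
bootstrap code and parse the partition table of sector 0, then compare
against a known-good baseline to flag the overwrite Petya performs.
All sectors below are constructed sample data, not a real disk dump."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into a bootcode hash, non-empty partition entries and a signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[446 + 16 * i:446 + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"bootcode_sha256": hashlib.sha256(sector[:446]).hexdigest(),
            "partitions": partitions,
            "signature_ok": sector[510:512] == BOOT_SIGNATURE}


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Return findings versus the baseline; an empty list means no change detected."""
    current = parse_mbr(sector)
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if current["bootcode_sha256"] != baseline["bootcode_sha256"]:
        findings.append("bootstrap code changed")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


def make_sample_mbr(bootcode: bytes) -> bytes:
    """Construct a sample MBR with one bootable NTFS-type (0x07) partition."""
    code = bootcode.ljust(446, b"\x00")[:446]
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE


GOOD_MBR = make_sample_mbr(b"\xEB\x3C\x90 known-good bootstrap")  # baseline taken while clean
BASELINE = parse_mbr(GOOD_MBR)
TAMPERED_MBR = make_sample_mbr(b"\xEB\x3C\x90 replaced bootstrap")  # same table, new bootcode
```

Because the partition table is compared separately from the bootstrap hash, a legitimate repartition and a replaced boot loader produce different findings.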
- Sandboxie Support
Re: Petya!
Ah, yes. Security starts with the human. That's the best defense...or the weakest.
Re: Petya!
@Craig
After posting this question I did ask another from MT this was her answer:
I just ran Petya, Winlocky, and a version 4 of my Chaos scriptor (really devastating - I'm so proud!) against SBIE and the protection was absolute. The system was as happy and healthy as it was prior to running the malware.
Re: Petya!
Can you make a demo of SBIE against Petya?! Probably updating the cryptolocker demo in this site.
Regards,
Nix
Win7 Ultimate (x64)
Re: Petya!
Nix wrote: Can you make a demo of SBIE against Petya?! Probably updating the cryptolocker demo in this site.
I agree. This will bring much more attention to Sandboxie's capabilities and works as advertisement as well. I'd like to see videos MalwareX vs. Sandboxie in this forum.
Windows 8.1 x64/x86 EN | Sandboxie latest beta or stable | All software latest versions unless stated otherwise
- Sandboxie Support
Re: Petya!
According to the reports, it's a program disguised as an HR program..which is a good target for social engineering..
It then requests a reboot to install the "software..."
It then displays a fake chkdsk message while it corrupts your MBR and encrypts your drive.
I'm curious about the reboot...does it ask? or does it just....poof gone?
SBIE doesn't allow a reboot. So, that alone will defeat that. But if you recover the file, and then do it...well...you're on your own.
It appears the encryption is rudimentary at best. And Ars has stated they have had success getting around it according to reports they cited..but that's all well and good for professionals...not so much for your small office or Enterprise victim, etc.
http://arstechnica.com/security/2016/03 ... hard-disk/
Re: Petya!
Hi Craig
Craig@Invincea wrote: According to the reports, it's a program disguised as an HR program..which is a good target for social engineering..
It then requests a reboot to install the "software..."
It then displays a fake chkdsk message while it corrupts your MBR and encrypts your drive.
I'm curious about the reboot...does it ask? or does it just....poof gone?
SBIE doesn't allow a reboot. So, that alone will defeat that. But if you recover the file, and then do it...well...you're on your own.
It appears the encryption is rudimentary at best. And Ars has stated they have had success getting around it according to reports they cited..but that's all well and good for professionals...not so much for your small office or Enterprise victim, etc.
http://arstechnica.com/security/2016/03 ... hard-disk/
1. That article isn't quite accurate. Even if Petya is fully installed, the article is wrong that the only choice is to pay up. If you have a disk image from any of the good imaging programs, all you need to do is a full restore and you are back in business.
2. SBIE. That it doesn't permit a reboot is good, but if it allows the overwrite of the MBR, then you can't later reboot without continuing the infection. So you are saying the MBR can be overwritten in SBIE?
Pete
- Sandboxie Support
Re: Petya!
Pete wrote: SBIE. That it doesn't permit a reboot is good, but if it allows the overwrite of the MBR, then you can't later reboot without continuing the infection. So you are saying the MBR can be overwritten in SBIE?
No.
Even if it tried to run a script to "write" to the MBR (example..bootrec /fixboot) it's in the SB, and unless it can break out of the sandbox - do its MBR thing - otherwise, any "writing" is done there...in the SB... which would have no impact. I wonder if that malware will even run? SBIE tries to "fake" that writing so that programs assume everything is okie dokie. But if it gets unknown feedback, then it may just crap out.
If that file is recovered, and then run..well, game on.
What's not clear..is when all of this takes place..and is only the encryption going on behind that Chkdsk message?
Re: Petya!
Craig@Invincea wrote: No.
Even if it tried to run a script to "write" to the MBR (example..bootrec /fixboot) it's in the SB, and unless it can break out of the sandbox - do its MBR thing - otherwise, any "writing" is done there...in the SB... which would have no impact. I wonder if that malware will even run? SBIE tries to "fake" that writing so that programs assume everything is okie dokie. But if it gets unknown feedback, then it may just crap out.
If that file is recovered, and then run..well, game on.
What's not clear..is when all of this takes place..and is only the encryption going on behind that Chkdsk message?
So bottom line is Sandboxie protects. Good news and not really a surprise.
Craig, from what I've read the malware overwrites the MBR, and places the encryption stuff in some sectors on the disk, reboots the system, presents the fake Chkdsk, and while that's on screen, picks up what it placed in those sectors and encrypts the MFT, so once the initial reboot takes place I don't think the system ever sees Windows again.
- Sandboxie Support
Re: Petya!
These are becoming the "norm" now.
We had a major healthcare provider in the DC Metro area hit this week with the FBI looking into it, and Invincea was interviewed on local news to comment on that....
A popular restaurant chain got ransomware on their PoS system, and they were closed for 2 WEEKS....why they didn't use paper and pens is another discussion.
Fox5DC video here...and the Invincea commentary. About 1:20 into the video. http://www.fox5dc.com/news/114067856-story
Re: Petya!
Guys, I asked a person on malwaretips that periodically posts tests against ransomware. She says SBIE can handle Petya.
- Sandboxie Support
Re: Petya!
Dirk41 wrote: Guys, I asked a person on malwaretips that periodically posts tests against ransomware. She says SBIE can handle Petya.
As long as everything is done in the sb, yep. No worries. Even if Petya "wrote" to what it thought was the MBR, and say...you rebooted, etc. You'd still be ok. As what it's writing "to" is a fake path. And if it thought it wrote correctly...and even if it did do everything correctly, a reboot, etc, would do nothing. Just like any writing "to" any location in a sb, MBR or otherwise.