Sandboxie detection

[Nenner]

N. Rin and EP_X0FF made a great work over virtual machine (VM) and sandbox detection in current malware.

As a short conclusion: Sandboxie does so many modifications to the sandboxed
process so detecting fact of sandboxing is a trivial task even if the above described methods
will be out-dated.

As for Sandboxie, with its current implementation
it cannot be hidden at all and not recommended as platform for malware research. More to
say we would not recommend using this product on real PC on the regular basis as well, and
if you still plan use it for malware research then do this only inside additionally controlled
environment such as, you might already guess, virtual machine.

http://www.heise.de/security/downloads/ ... 9/vmde.pdf

I would love to see a statment from the devolepers of Sandboxie.

[Buster]

The debate about this does not exist. If nobody can provide a malware or POC able to write to real system, saying that Sandboxie is not secure is just blah blah blah.

[Nenner]

Nobody is saying that Sandboxie is not secure. Please read the paper.

The problem is that it is very easy to check, if your code runs in Sandboxie or not.
This is a huge problem if you test new software in sandboxie to check if it is malicious or not,
and then use it on your main System.

The malicious code could simply be skipped in the sandbox.

[SLE]

Sandboxie is not made for malware analysis and never was. Sandboxie is for safe use of programs that are often attacked by malware. If malware detects that it is in sandboxie and thatswhy not runs - who cares? You stay safe.

Beside the good technical analysis of the paper - it's a known fact that sandboxie can easyly be detected. Beside that, the market share is very low and there is not much sandboxie aware malware until now.

[deugniet]

Nobody is saying that Sandboxie is not secure. Please read the paper.

The problem is that it is very easy to check, if your code runs in Sandboxie or not.
This is a huge problem if you test new software in sandboxie to check if it is malicious or not,
and then use it on your main System.

The malicious code could simply be skipped in the sandbox.

Try Buster Sandbox Analyzer (http://bsa.isoftware.nl/)

"A common problem to all malware analyzers is that malwares can detect they are running under a malware analyzer environment or virtual machine and abort execution. The only way to solve this problem would be using a private malware analyzer so malware coders ignore it exists and are unable to add checkings to detect it.


Note: Buster Sandbox Analyzer package includes countermeasures against malwares detecting Sandboxie´s presence."

[Curt@invincea]

The difficulty with malware analysis is that very sophisticated malware can tell it is being analyzed and will behave differently or not function at all. For example, malware can tell it if is sandboxed, or running in a VM, and it can also check for debuggers, analyzers, etc. The malware does not need to know the details of the analyzer. All it has to do is check for the presence of anything that is not part of the normal OS. This is why you can't test executables under any kind of analysis/security software and assume they are 100% clean and safe.

But, this is also a trap for the malware writers. Because now their malware won't run at all if the user has protection software.

[Buster]

But, this is also a trap for the malware writers. Because now their malware won't run at all if the user has protection software.

Not to mention that any software which checks for Sandboxie or VM presence is automatically suspicious of being a malware.