Cryptolocker Ransomware threat

henryg
Posts: 520
Joined: Wed Nov 22, 2006 9:38 am

Post by henryg » Sun Nov 17, 2013 7:54 am

So if, as in this case, Outlook.exe has full access and a trojan attachment is opened, can't that save itself outside of the sandbox and then do its nefarious deeds later?

My vulnerability comes from Thunderbird which I do not run sandboxed, but perhaps I should. However, as I would need to save the email data files (attachments therefore included) outside the sandbox, I have never been able to see how running it sandboxed would help.

I see Cryptolocker (and doubtless more such to follow) as a game changer, and I am anxious to have as much security as possible on top of AV, HitmanPro.Alert, Group Policy restrictions, and local and cloud backup.
Henry

SuffolkPunch
Posts: 27
Joined: Mon Dec 01, 2008 5:24 am
Location: UK

Post by SuffolkPunch » Sun Nov 17, 2013 11:41 am

henryg wrote:My vulnerability comes from Thunderbird which I do not run sandboxed, but perhaps I should. However, as I would need to save the email data files (attachments therefore included) outside the sandbox, I have never been able to see how running it sandboxed would help.
I run T'bird sandboxed - using the default SB settings under Applications/EmailReader/Thunderbird.

I understand from previous replies from tzuk and Guest10 that this gives the Sandboxed T'bird process (and only that process) read/write access to the Thunderbird standard folders outside the sandbox (and only to those folders).

If an email with a malware executable attached is received, then that email (+malware) will get written to the Thunderbird mail folder outside the sandbox - unless you delete the email. But, if the email is only ever read by a sandboxed T'bird, then (from previous replies) it cannot write to storage on your pc outside the sandbox. So - in that sense - your pc is unaffected. *However* the malware will probably be able to read your documents stored outside the sandbox and, if it could also upload them to an internet server, then that wouldn't be good!

Anyone: have I got that right? If so, can SB be configured to prevent this?

bo.elam
Sandboxie Guru
Posts: 2809
Joined: Wed Apr 22, 2009 9:17 pm

Post by bo.elam » Sun Nov 17, 2013 12:46 pm

SuffolkPunch wrote:*However* the malware will probably be able to read your documents stored outside the sandbox and, if it could also upload them to an internet server, then that wouldn't be good!

Anyone: have I got that right? If so, can SB be configured to prevent this?
I don't use Thunderbird but you probably can restrict programs as I used to do in Outlook Express when I used it. OE and Firefox were the only programs that I allowed to have internet access and only those programs and Foxit were allowed to run. That worked well for me and I also blocked access to personal files and folders.

I think that's exactly what I would be doing if I was using Thunderbird. Henry, the only time that I ran OE out of the sandbox was immediately after an update. It doesn't matter the email client; if I was using one now, I can't see myself not running it sandboxed.

Bo

Guest10
Posts: 5124
Joined: Sun Apr 27, 2008 5:24 pm
Location: Ohio, USA

Post by Guest10 » Sun Nov 17, 2013 1:20 pm

henryg wrote:So if, as in this case, Outlook.exe has full access and a trojan attachment is opened, can't that save itself outside of the sandbox and then do its nefarious deeds later?
It's the same situation as having a malicious extension installed in Firefox. If the extension has firefox.exe do its dirty work, then any file or folder that Firefox has direct access to is vulnerable.

Extensions are normally installed in Firefox when not sandboxed, so you always need to be cautious when adding them, since they will also run when Firefox is sandboxed. The Sandboxie phishing template for Firefox allows Mozilla to keep the Firefox "blocklist.xml" file up to date, with their list of extensions that have been found to present a vulnerability and should be blocked from running.
Portable Firefox users get no benefit from using that template though, since their Firefox profile folder is probably not located where the template assumes it to be.

If malware affects Outlook, and then uses outlook.exe to do its dirty work, then it would likely have to infect the unsandboxed outlook.exe file. Again, Outlook users need to be very careful about anything that they add to Outlook (or Thunderbird).

I don't know the infection mechanism that CryptoLocker uses. If it uses its own .exe program, then:
Sandboxie's Start/Run Restrictions can stop it from running. Even if you don't use Start/Run Restrictions, and the .exe program starts encrypting copies of the user's files, those files are still inside the sandbox if the CryptoLocker .exe program has not been given any direct access setting.
henryg wrote:My vulnerability comes from Thunderbird which I do not run sandboxed, but perhaps I should. However, as I would need to save the email data files (attachments therefore included) outside the sandbox, I have never been able to see how running it sandboxed would help.
It will help to run it sandboxed IF YOU make sure that TB always runs sandboxed when you are opening emails. The fact that those emails are stored outside of the sandbox won't matter, since sandboxed TB opens them in the sandbox.
The easiest way to ensure that TB runs sandboxed is to force it to do so, except when you want to update TB or its extensions.

You can always add sandbox settings for folders that you want to block or hide from sandboxed programs, in case something malicious runs sandboxed. I typically hide my Documents folder in all of my sandboxes, by using a Write-Only Access setting. In some of them I also use a Quick Recovery folder setting for the Documents folder.
That means that I can still save something to the Documents folder when sandboxed, and then Recover it. But in the meantime, the folder appears to be empty to the sandboxed programs. You can't do that if you use the Blocked Access setting.
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007

henryg
Posts: 520
Joined: Wed Nov 22, 2006 9:38 am

Post by henryg » Mon Nov 18, 2013 12:10 pm

Thanks for the replies. I have not been thinking clearly or correctly, and I will be setting up a separate sandbox for Thunderbird.


Henry

Nix
Posts: 248
Joined: Wed Sep 11, 2013 12:15 am
Location: Philippines

Post by Nix » Mon Nov 18, 2013 7:42 pm

The best thing you should do is:
*run Thunderbird in a separate sandbox,
*add Internet<>Start/Run (MS Office and TB),
*add C:\Program Files\Thunderbird.exe (File Access>Read Only Access), and
*add C:\User or Documents (Write-file access).
Regards,
Nix

Win7 Ultimate (x64)

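The settings Nix lists above, together with Guest10's advice earlier in the thread to force Thunderbird into the box, hide Documents with Write-Only access, and use Quick Recovery, can be written directly into Sandboxie.ini. This fragment is an added example, not a configuration posted by anyone in the thread; the box name "TBird" and the commented-out profile path are assumptions, and Start/Run restrictions are left to the GUI (Sandbox Settings > Restrictions) as the posts describe.

```ini
; Added example (not from the thread): a sandbox dedicated to Thunderbird.
; Box name "TBird" is an assumption; Sandboxie.ini uses one [section] per sandbox.
[TBird]
Enabled=y
ConfigLevel=7

; Apply Sandboxie's Thunderbird template so the sandboxed client reaches its real
; profile and mail folders (the template assumes %Local AppData%\Thunderbird).
Template=Thunderbird
; If the profile lives elsewhere, override the template folder here
; (path below is a placeholder, not a real location from the thread):
; Tmpl.Thunderbird=D:\MailData\Thunderbird

; Force thunderbird.exe to always start inside this box, so mail and attachments
; are only ever opened sandboxed, even when launched from the desktop.
ForceProcess=thunderbird.exe

; Run everything in the box without administrative rights.
DropAdminRights=y

; Write-Only access to Documents: sandboxed programs see the folder as empty, and
; anything they write (including encrypted copies of files) stays inside the sandbox.
WriteFilePath=%Personal%
; Quick Recovery for the same folder, so a file deliberately saved there from the
; box can still be recovered to the real Documents folder afterwards.
RecoverFolder=%Personal%

; Close Internet access for every program in the box except Thunderbird itself
; ("!" negates the program name). A dropped executable can neither phone home
; nor upload documents it manages to read.
ClosedFilePath=!thunderbird.exe,InternetAccessDevices
```

Any further program that must open attachments (Foxit, Word, Excel) needs no extra file-access line for reading, but it will be cut off from the network by the ClosedFilePath entry unless it is added to the exception list.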

henryg
Posts: 520
Joined: Wed Nov 22, 2006 9:38 am

Post by henryg » Tue Nov 19, 2013 5:02 am

Nix wrote:The best thing you should do is:
*run Thunderbird in a separate sandbox,
*add Internet<>Start/Run (MS Office and TB),
*add C:\Program Files\Thunderbird.exe (File Access>Read Only Access)
I may have to add Foxit and the odd other program, but looks the way to go.
*add C:\User or Documents (Write-file access).
I think I will try limiting write access to my Thunderbird folders - data and profiles - which are not in the default locations, so it is quite easy. Oh, and drop rights too.

I set up a new sandbox yesterday but messed up somewhere; which is quite dangerous when you have set Thunderbird to delete mail from the server once downloaded :oops: :roll:

Thanks for the suggestions.
Henry

Guest10
Posts: 5124
Joined: Sun Apr 27, 2008 5:24 pm
Location: Ohio, USA

Post by Guest10 » Tue Nov 19, 2013 7:54 am

henryg wrote:I think I will try limiting write access to my Thunderbird folders - data and profiles - which are not in the default locations so is quite easy.
The Thunderbird template assumes that your TB profile is located:
Tmpl.Thunderbird=%Local AppData%\Thunderbird
so if it is not, then you will need to use Sandbox Settings > Applications > Folders to point to the correct folder.
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007

henryg
Posts: 520
Joined: Wed Nov 22, 2006 9:38 am

Post by henryg » Tue Nov 19, 2013 3:03 pm

Guest10 wrote:The Thunderbird template assumes that your TB profile is located:
Tmpl.Thunderbird=%Local AppData%\Thunderbird
so if it is not, then you will need to use Sandbox Settings > Applications > Folders to point to the correct folder.
That was a big help, thank you, and then I found that I had set up file access blocks in a sandbox I had copied to start with. I think that "getting there" is the best description at present.

Henry

Nix
Posts: 248
Joined: Wed Sep 11, 2013 12:15 am
Location: Philippines

Post by Nix » Tue Nov 19, 2013 6:24 pm

Regards,
Nix

Win7 Ultimate (x64)


henryg
Posts: 520
Joined: Wed Nov 22, 2006 9:38 am

Post by henryg » Wed Nov 20, 2013 4:23 am

Almost there now...I think.

But what do I need to do to allow Excel 2010 to run so I can look at attachments? I suspect the problem is related to (read?) access for addons and common programs, but a search here didn't come up with anything helpful.

(Win)Word seems to run ok, at least to open a file.


Henry

ps Is anyone seeing Firefox (26 beta in my case) text selection keyboard entry running slowly when sandboxed when using arrow keys + shift or ctrl-shift? Using shift + home/end/page keys doesn't give a problem.

henryg
Posts: 520
Joined: Wed Nov 22, 2006 9:38 am

Post by henryg » Wed Nov 20, 2013 4:33 am

Reading "The attached ZIP file contains an executable file with filename and icon disguised as a PDF file, taking advantage of Windows' default behaviour of hiding the extension from file names to disguise the real .EXE extension." makes me feel a lot better. Famous last words, but I don't expect the hidden extension 'trick' to cause me a problem.
Henry

henryg
Posts: 520
Joined: Wed Nov 22, 2006 9:38 am

Post by henryg » Wed Nov 20, 2013 11:13 am

It seems to be working ok in the main now, although one problem remains. I can no longer right-click on a file and use "send to" mail recipient (Windows 7 x64). Thunderbird starts, but a new email with the attachment does not open.

I have even tried giving full access to the attachment folder, but it made no difference.

Henry

Guest10
Posts: 5124
Joined: Sun Apr 27, 2008 5:24 pm
Location: Ohio, USA

Post by Guest10 » Wed Nov 20, 2013 12:31 pm

henryg wrote:I can no longer right-click on a file and use "send to" mail recipient (Windows 7 x64). Thunderbird starts, but a new email with the attachment does not open.
Yes, that hasn't been working with sandboxed TB. I believe it was that way even with v3, but I'm not certain since I don't use it.
You also can't drag and drop an attachment into TB's attachments box, if you have it open.
I always use the Attach button on TB's toolbar, and navigate to the file.
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007

henryg
Posts: 520
Joined: Wed Nov 22, 2006 9:38 am

Post by henryg » Wed Nov 27, 2013 9:30 am

I have decided to open unknown or suspicious attachments in a sandbox as I miss 'send to mail recipient' too much. Bit more dangerous, but I think it should be ok - famous last words. But I have kept the sandbox in case I change my mind - just not forced the exe.

Thanks again for all the comments and advice.
Henry
