About the Prueba/Bifrose Trojan
Moderator: Barb@Invincea
-
- Posts: 216
- Joined: Sat Jan 14, 2006 11:08 am
Hi,
Perhaps this info can help to fix the problem. It's obvious that this trojan behaves differently on different machines: for example, it froze some of my machines and was able to install; on others my HIPS warned me about it trying to modify "explorer.exe".
But anyway, it seems like it's using the "system debug" method, which is used by some rootkits to bypass a lot of HIPS; some of them have already fixed this, as fast as they could. But I think SBIE does not offer any protection against this. I get these alerts from KAV's PD:
http://www.sandboxie.com/phpbb/viewtopic.php?t=1655
Alright, I added the debug privilege to the list of privileges stripped from sandboxed processes. Please try version 3.00.12:
http://www.sandboxie.com/SandboxieInstall.exe
Note: The BlockDrivers setting disables this stripping when set to N, so make sure it's set to the default BlockDrivers=y.
tzuk
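The fix above works by removing SeDebugPrivilege from the token of every sandboxed process, so the sandboxed program can no longer open arbitrary processes (such as explorer.exe) for writing. The quickest way to confirm the stripping took effect is to run `whoami /priv` from a command prompt started inside the sandbox and compare it with one started outside. The script below is an added example, not Sandboxie's code or anything posted in this thread; it assumes the standard column layout of `whoami /priv` output, and the two sample outputs embedded in it are constructed for illustration. On Windows it can also query the calling process directly.

```python
"""Check whether a process token still carries SeDebugPrivilege.

Added example, not code from the Sandboxie project or from this thread.
It assumes the usual ``whoami /priv`` output layout on Windows; on other
platforms only the parser runs, on text you supply.
"""
import platform
import subprocess
from typing import Dict

# Constructed sample of ``whoami /priv`` output, as an administrator's shell
# shows it before the debug privilege is stripped from the token.
SAMPLE_ADMIN_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                                State
============================= ========================================== ========
SeShutdownPrivilege           Shut down the system                       Disabled
SeDebugPrivilege              Debug programs                             Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                   Enabled
SeImpersonatePrivilege        Impersonate a client after authentication  Enabled
"""

# Constructed sample as a process with the privilege stripped from its token
# would show it: the SeDebugPrivilege row is gone entirely.
SAMPLE_STRIPPED_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                                State
============================= ========================================== ========
SeShutdownPrivilege           Shut down the system                       Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                   Enabled
"""


def parse_whoami_priv(text: str) -> Dict[str, str]:
    """Map privilege name -> 'Enabled'/'Disabled' from ``whoami /priv`` output."""
    privs: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        # Privilege rows start with an "Se..." name and end with the State column;
        # the banner, header and separator rows never match both conditions.
        if len(parts) >= 3 and parts[0].startswith("Se") and parts[-1] in ("Enabled", "Disabled"):
            privs[parts[0]] = parts[-1]
    return privs


def debug_privilege_state(privs: Dict[str, str]) -> str:
    """'absent' if the token does not hold SeDebugPrivilege at all, else its state.

    'Disabled' is not good enough: a privilege that is present but disabled can be
    re-enabled by the process itself with AdjustTokenPrivileges. Only 'absent'
    means the privilege was really stripped from the token.
    """
    return privs.get("SeDebugPrivilege", "absent")


def current_process_debug_state() -> str:
    """Run ``whoami /priv`` for the calling process (Windows only).

    Run this from a command prompt started inside the sandbox to verify the
    privilege is gone, and from a normal prompt to see the difference.
    """
    if platform.system() != "Windows":
        raise RuntimeError("whoami /priv is a Windows command")
    out = subprocess.run(["whoami", "/priv"], capture_output=True, text=True, check=True).stdout
    return debug_privilege_state(parse_whoami_priv(out))


if __name__ == "__main__":
    print("admin sample:   ", debug_privilege_state(parse_whoami_priv(SAMPLE_ADMIN_PRIV)))
    print("stripped sample:", debug_privilege_state(parse_whoami_priv(SAMPLE_STRIPPED_PRIV)))
    if platform.system() == "Windows":
        print("this process:   ", current_process_debug_state())
```

The distinction the script makes between "Disabled" and "absent" is the whole point of the fix: an administrator's token normally carries SeDebugPrivilege in the disabled state, and any process can turn it on, which is why removing it from the token rather than merely disabling it is what closes the door.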
-
- Posts: 216
- Joined: Sat Jan 14, 2006 11:08 am
What a bummer, seems like this isn't enough to stop this trojan; it still manages to break out, at least if you don't stop the suspicious behavior with your HIPS. But tzuk, I'm sure if you try long enough, you will eventually see this behavior on one of your virtual machines, because only then can you solve it, not?
And btw, this Bifrose trojan isn't really that dangerous, but I wonder if SBIE could protect against rootkits that use the same technique. You might want to check out this thread (SBIE still needs to be tested; you might want to contact NicM):
http://www.wilderssecurity.com/showthread.php?t=180969
-
- Posts: 2690
- Joined: Tue Dec 26, 2006 5:44 pm
- Location: West Florida
Yeah, it only happens to some people. Me, tzuk, street, as well as many others, can't "get it to work"; only some can "get it to work", which means that it's not an exploit in Sandboxie, because if it was, then every user would get the same result (which would be the "virus" breaking out of Sandboxie). So don't go around saying it's an exploit in Sandboxie, because it's not, or else everyone would get the leak. It's most likely something else on your PC that is allowing the "virus" out of the sandbox, but not a problem with Sandboxie itself.
Windows 7 SP1 x64, Sandboxie v3.70 x64 with Experimental Protection, GnuPG, OTR (Off-The-Record), Sticky Password, My Brain.
-
- Posts: 216
- Joined: Sat Jan 14, 2006 11:08 am
I'm sorry, but that sounds like BS to me. Just because the trojan does not work on your machines does not mean that this isn't a serious problem. I also have a couple of virtual machines where it doesn't do a thing. But if it does, it manages to bypass SBIE, and a lot of HIPS will warn you about suspicious behavior, even when it's executed outside the sandbox.
-
- Posts: 2690
- Joined: Tue Dec 26, 2006 5:44 pm
- Location: West Florida
I never said it isn't a serious problem. All I said was that it's not a vulnerability in Sandboxie, because if it was, then it would affect everyone that uses Sandboxie, yet out of all the people that have tested this "virus" with Sandboxie, only 5% saw a leak, which means it must be something on your machine(s) that's making it leak out of Sandboxie. As a matter of fact, you provided proof of what I'm saying: you said you can run this 'virus' in a VM and it (sometimes) won't bypass Sandboxie. What does that tell ya?
Windows 7 SP1 x64, Sandboxie v3.70 x64 with Experimental Protection, GnuPG, OTR (Off-The-Record), Sticky Password, My Brain.
Is it possible that Sandboxie's default configuration blocks the Trojan, but some folks have modified sandboxie.ini (for legit purposes) which has opened up a hole which is being exploited by the Trojan? It would be interesting for those who have experienced break-out to save their sandboxie.ini file to another name and try the test again using the default settings in sandboxie.ini.
Dan
Another thing to consider is that some other security component is facilitating the operation of this trojan.
Sandboxie doesn't block operations initiated by kernel mode components, because you never know what system instabilities that might introduce. And besides, if you can't trust kernel mode components, you're already in trouble.
What I'm suggesting here is that some other security product may process the trojan's request, consider it legitimate, and then re-issue it from kernel mode. While that's an unlikely scenario, it's certainly not impossible. And this will then cause Sandboxie to allow the request without inspecting it at all, because it came from a trusted kernel mode source.
Rasheed187, you mentioned a few times you use virtual machines. Would you test the trojan in a fresh VM that runs only Windows and Sandboxie?
tzuk
-
- Posts: 2690
- Joined: Tue Dec 26, 2006 5:44 pm
- Location: West Florida
tzuk wrote: What I'm suggesting here is that some other security product may process the trojan's request, consider it legitimate, and then re-issue it from kernel mode. While that's an unlikely scenario, it's certainly not impossible. And this will then cause Sandboxie to allow the request without inspecting it at all, because it came from a trusted kernel mode source.
That's what I was saying: I think it is something installed on these guys' PCs that's allowing the "virus" to leak out of the sandbox, but it isn't a direct vulnerability in Sandboxie as some are trying to make it out to be.
Windows 7 SP1 x64, Sandboxie v3.70 x64 with Experimental Protection, GnuPG, OTR (Off-The-Record), Sticky Password, My Brain.
-
- Posts: 2690
- Joined: Tue Dec 26, 2006 5:44 pm
- Location: West Florida
booBot wrote: I'm sure - the leaks people see are because of the administrative status of their log-in sessions
I don't think so, because my Windows account is an admin account and I still don't get the leak, though you're probably right about the multiple AV, AM, etc. being installed at once.
Windows 7 SP1 x64, Sandboxie v3.70 x64 with Experimental Protection, GnuPG, OTR (Off-The-Record), Sticky Password, My Brain.