About the Prueba/Bifrose Trojan


Rasheed187
Posts: 216
Joined: Sat Jan 14, 2006 11:08 am

About the Prueba/Bifrose Trojan

Post by Rasheed187 » Sat Aug 04, 2007 12:55 pm

Hi,

Perhaps this info can help to fix the problem. It's obvious that this trojan behaves differently on different machines; for example, it froze some of my machines and was able to install, on others my HIPS warned me about it trying to modify "explorer.exe".

But anyway, it seems like it's using the "system debug" method, which is used by some rootkits to bypass a lot of HIPS; some of them have already fixed this, as fast as they could. But I think SBIE does not offer any protection against this. I get these alerts from KAV's PD:


http://www.sandboxie.com/phpbb/viewtopic.php?t=1655

street011
Posts: 412
Joined: Tue Jan 16, 2007 2:08 pm

Post by street011 » Sun Aug 05, 2007 7:54 am

I tried the trojan... it runs... then it stops... nothing happens...
After reboot I deleted my sandbox folder and scanned with NOD32... nothing was found.

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Sun Aug 05, 2007 11:47 am

Alright, I added the debug privilege to the list of privileges stripped from sandboxed processes. Please try version 3.00.12:

http://www.sandboxie.com/SandboxieInstall.exe

Note: The BlockDrivers setting disables this stripping when set to N, so make sure it's set to the default BlockDrivers=y.
tzuk
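A way to verify the change tzuk describes from inside a sandboxed command prompt: run `whoami /priv` there and outside the sandbox, and check whether SeDebugPrivilege is still listed. This is an added example, not Sandboxie's own code; the two listings are constructed samples, and `WATCH` and `risky_privileges` are names chosen here.

```python
"""Check a `whoami /priv` listing for privileges a sandboxed process should not hold.
Added example, not Sandboxie's own code; both sample listings below are constructed."""
import re

# Constructed sample: `whoami /priv` run from an unsandboxed admin prompt.
OUTSIDE_SANDBOX = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeDebugPrivilege              Debug programs                       Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeLoadDriverPrivilege         Load and unload device drivers       Disabled
"""

# Constructed sample: the same command run inside the sandbox once the
# debug privilege has been stripped from the sandboxed token.
INSIDE_SANDBOX = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
"""

# One table row: privilege name, free-text description, then the State column.
ROW = re.compile(r"^(Se\w+Privilege)\s+.+?\s+(Enabled|Disabled)$")

def parse_privileges(text):
    """Return {privilege_name: state} for every row of a `whoami /priv` listing."""
    privs = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs

# SeDebugPrivilege is the one this thread is about; the other two are my
# addition, further privileges a sandboxed process should not hold either.
WATCH = ("SeDebugPrivilege", "SeLoadDriverPrivilege", "SeTcbPrivilege")

def risky_privileges(text):
    """Privileges from WATCH still present in the token. Presence matters more
    than state: a 'Disabled' privilege is merely not enabled yet, and the holder
    can turn it on; a stripped privilege does not appear in the listing at all."""
    found = parse_privileges(text)
    return {name: found[name] for name in WATCH if name in found}
```

An empty result for the sandboxed listing means the stripping took effect; a non-empty one is worth reporting together with the BlockDrivers value in use.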

Rasheed187
Posts: 216
Joined: Sat Jan 14, 2006 11:08 am

Post by Rasheed187 » Mon Aug 06, 2007 11:04 am

What a bummer, seems like this isn't enough to stop this trojan, it still manages to break out, at least if you don't stop the suspicious behavior with your HIPS. But tzuk, I'm sure if you try long enough, you will eventually see this behavior on one of your virtual machines, because only then can you solve it, no?

And btw, this Bifrose trojan isn't really that dangerous, but I wonder if SBIE could protect against rootkits that use the same technique. You might want to check out this thread (SBIE still needs to be tested, you might want to contact NicM):

http://www.wilderssecurity.com/showthread.php?t=180969

street011
Posts: 412
Joined: Tue Jan 16, 2007 2:08 pm

Post by street011 » Mon Aug 06, 2007 5:17 pm

What breaks out? I tried it here... nothing happens?

SnDPhoenix
Posts: 2690
Joined: Tue Dec 26, 2006 5:44 pm
Location: West Florida

Post by SnDPhoenix » Mon Aug 06, 2007 5:31 pm

Yeah, it only happens to some people. Me, tzuk, street, as well as many others can't "get it to work"; only some can "get it to work", which means that it's not an exploit in Sandboxie, because if it was, then every user would get the same result (which would be the "virus" breaking out of Sandboxie). So don't go around saying it's an exploit in Sandboxie, 'cause it's not, or else everyone would get the leak. It's most likely something else on your PC that is allowing the "virus" out of the sandbox, but not a problem with Sandboxie itself.
Windows 7 SP1 x64, Sandboxie v3.70 x64 with Experimental Protection, GnuPG, OTR (Off-The-Record), Sticky Password, My Brain.

Rasheed187
Posts: 216
Joined: Sat Jan 14, 2006 11:08 am

Post by Rasheed187 » Mon Aug 06, 2007 5:43 pm

I'm sorry but that sounds like BS to me; just because the trojan does not work on your machines does not mean that this isn't a serious problem. :roll: I also have a couple of virtual machines where it doesn't do a thing. But if it does, it manages to bypass SBIE, and a lot of HIPS will warn you about suspicious behavior, even when it's executed outside the sandbox.

SnDPhoenix
Posts: 2690
Joined: Tue Dec 26, 2006 5:44 pm
Location: West Florida

Post by SnDPhoenix » Mon Aug 06, 2007 5:58 pm

I never said it isn't a serious problem; all I said was that it's not a vulnerability in Sandboxie, 'cause if it was, then it would affect everyone that uses Sandboxie, yet out of all the ppl that have tested this "virus" with Sandboxie, only 5% saw a leak, which means it must be something on your machine(s) that's making it leak out of Sandboxie. As a matter of fact, you provided proof of what I'm saying: you said you can run this 'virus' in a VM and it (sometimes) won't bypass Sandboxie, what does that tell ya :wink:

street011
Posts: 412
Joined: Tue Jan 16, 2007 2:08 pm

Post by street011 » Mon Aug 06, 2007 7:38 pm

I just created a VM... and tested it inside Sandboxie... it did nothing...
It did work outside the sandbox though...

dlguild
Posts: 230
Joined: Sat Apr 21, 2007 8:30 pm
Location: Pennsylvania

Post by dlguild » Mon Aug 06, 2007 8:41 pm

Is it possible that Sandboxie's default configuration blocks the Trojan, but some folks have modified sandboxie.ini (for legitimate purposes), which has opened up a hole that is being exploited by the Trojan? It would be interesting for those who have experienced break-out to save their sandboxie.ini file under another name and try the test again using the default settings in sandboxie.ini.
Dan

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Tue Aug 07, 2007 11:42 am

Another thing to consider is that some other security component is facilitating the operation of this trojan.

Sandboxie doesn't block operations initiated by a kernel mode component, because you never know what system instabilities that might introduce. And besides, if you can't trust kernel mode components, you're already in trouble.

What I'm suggesting here is that some other security product may process the trojan's request, consider it legitimate, and then re-issue it from kernel mode. While that's an unlikely scenario, it's certainly not impossible. And this will then cause Sandboxie to allow the request without inspecting it at all, because it came from a trusted kernel mode source.

Rasheed187, you mentioned a few times you use virtual machines. Would you test the trojan in a fresh VM that runs only Windows and Sandboxie?
tzuk

street011
Posts: 412
Joined: Tue Jan 16, 2007 2:08 pm

Post by street011 » Tue Aug 07, 2007 1:08 pm

That's what I did, tzuk: clean Windows install (without any updates or software or drivers), installed Sandboxie and started testing.

SnDPhoenix
Posts: 2690
Joined: Tue Dec 26, 2006 5:44 pm
Location: West Florida

Post by SnDPhoenix » Tue Aug 07, 2007 4:29 pm

tzuk wrote: What I'm suggesting here is that some other security product may process the trojan's request, consider it legitimate, and then re-issue it from kernel mode. While that's an unlikely scenario, it's certainly not impossible. And this will then cause Sandboxie to allow the request without inspecting it at all, because it came from a trusted kernel mode source.
That's what I was saying; I think it is something installed on these guys' PCs that's allowing the "virus" to leak out of the sandbox, but it isn't a direct vulnerability in Sandboxie as some are trying to make it out to be.

Unknown_User_451

Post by Unknown_User_451 » Wed Aug 08, 2007 12:00 pm

I did not test the discussed trojan, but...

I'm sure - the leaks people see are because of the administrative status of their log-in sessions compounded with the [high] number of AM|AT|AV|AK|Awhatever packages.

SnDPhoenix
Posts: 2690
Joined: Tue Dec 26, 2006 5:44 pm
Location: West Florida

Post by SnDPhoenix » Wed Aug 08, 2007 12:35 pm

booBot wrote: I'm sure - the leaks people see are because of the administrative status of their log-in sessions
I don't think so, 'cause my Windows account is an admin account and I still don't get the leak, though you're probably right about the multiple AV, AM, etc. being installed at once.
