Sandboxie 3.42 (apparently) alters my Master Boot Record

JimInNashville
Posts: 8
Joined: Sun Dec 27, 2009 2:29 pm

Sandboxie 3.42 (apparently) alters my Master Boot Record

Post by JimInNashville » Sun Dec 27, 2009 2:50 pm

I tried to post a message on this topic, but I do not see it.

By a careful process of elimination, I seem to have discovered an anomalous behavior from Sandboxie 3.42.

Installing Sandboxie 3.42 produces an indication from GMER's mbr.exe master boot record scanner to the effect that the master boot record has rootkit hooks.
Windows Recovery Console's FIXMBR utility describes the MBR as nonstandard.

I have verified this by reimaging the disk up to the time Sandboxie was installed and replicating the process several times.

Any comments?

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Sun Dec 27, 2009 3:44 pm

Where did you get your copy of Sandboxie 3.42?
tzuk

JimInNashville
Posts: 8
Joined: Sun Dec 27, 2009 2:29 pm

Post by JimInNashville » Sun Dec 27, 2009 5:06 pm

tzuk wrote:Where did you get your copy of Sandboxie 3.42?
I believe it came directly from the Sandboxie site. The installation file is still on my computer, and I can cross-check it byte-for-byte by downloading another from your site. Let me do that and get back to you.

--Jim

JimInNashville
Posts: 8
Joined: Sun Dec 27, 2009 2:29 pm

Post by JimInNashville » Sun Dec 27, 2009 5:11 pm

JimInNashville wrote:
tzuk wrote:Where did you get your copy of Sandboxie 3.42?
I believe it came directly from the Sandboxie site. The installation file is still on my computer, and I can cross-check it byte-for-byte by downloading another from your site. Let me do that and get back to you.

--Jim
I just re-downloaded, and the files are the same. The original directory from which I installed had two other files in it, called bsa.rar and borderGuard_multi.zip, neither one of which I installed.

JimInNashville
Posts: 8
Joined: Sun Dec 27, 2009 2:29 pm

Post by JimInNashville » Sun Dec 27, 2009 5:23 pm

JimInNashville wrote:
JimInNashville wrote:
tzuk wrote:Where did you get your copy of Sandboxie 3.42?
I believe it came directly from the Sandboxie site. The installation file is still on my computer, and I can cross-check it byte-for-byte by downloading another from your site. Let me do that and get back to you.

--Jim
I just re-downloaded, and the files are the same. The original directory from which I installed had two other files in it, called bsa.rar and borderGuard_multi.zip, neither one of which I installed.

Let me add that I can provide extensive technical details about my experiences with this -- I have been troubleshooting this with the aid of some people at PrevX for several weeks. Also, I am willing to assist in tracking down whether this is, in fact, a problem with Sandboxie, an interaction between Sandboxie and something else, or whatever. However, any time an MBR is altered stealthily, there is cause for concern. I should mention that I have 3.42 installed on another computer, and there is no indication of any problem with its MBR, which makes this even more mysterious.

Guest10
Posts: 5124
Joined: Sun Apr 27, 2008 5:24 pm
Location: Ohio, USA

Post by Guest10 » Sun Dec 27, 2009 5:41 pm

JimInNashville wrote:I just re-downloaded, and the files are the same. The original directory from which I installed had two other files in it, called bsa.rar and borderGuard_multi.zip, neither one of which I installed.
The program borderGuard is a contributed utility: contributed by a Sandboxie user. And it is not on Sandboxie's download page.

The download page for Sandboxie Installer v3.42 is reached by clicking on "Download", at the top of any forum page.
http://www.sandboxie.com/index.php?DownloadSandboxie
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007

JimInNashville
Posts: 8
Joined: Sun Dec 27, 2009 2:29 pm

Post by JimInNashville » Sun Dec 27, 2009 9:09 pm

Guest10 wrote:
JimInNashville wrote:I just re-downloaded, and the files are the same. The original directory from which I installed had two other files in it, called bsa.rar and borderGuard_multi.zip, neither one of which I installed.
The program borderGuard is a contributed utility: contributed by a Sandboxie user. And it is not on Sandboxie's download page.

The download page for Sandboxie Installer v3.42 is reached by clicking on "Download", at the top of any forum page.
http://www.sandboxie.com/index.php?DownloadSandboxie
Perhaps you misunderstood me. I did not say I downloaded Sandboxie from a page with those two files on it. I said I *installed* Sandboxie on my machine from a directory which currently has Sandboxie 3.42 plus those files in it. To clarify:

I downloaded those files at the time I originally downloaded Sandboxie 3.42.
The file in my directory from which Sandboxie was installed is byte-for-byte identical to the file currently on the Sandboxie download page. This is the file producing the behavior. Prior to installation, Windows Recovery Console and GMER's mbr.exe utility both describe the MBR as ok. Immediately after installation, both flag the MBR as nonstandard, and GMER says there is a rootkit hook in it. Immediately after uninstalling Sandboxie 3.42, the problem disappears. This points to a distinct possibility (there are others) that Sandboxie 3.42 may be compromised in some way. It is clearly something that needs to be checked out. And, need I remind anyone on this forum, software that is compromised can be deliberately written to deliver its payload *probabilistically*, that is, not deliver the payload most of the time. In fact, any cleverly written malware would have that characteristic. Also, need I add, I think the concept of Sandboxie is terrific, and I very much appreciate the developer's efforts.

nick s
Posts: 382
Joined: Sat Dec 20, 2008 12:52 am

Post by nick s » Mon Dec 28, 2009 12:27 am

JimInNashville wrote:And, need I remind anyone on this forum, software that is compromised can be deliberately written to deliver its payload *probabilistically*, that is, not deliver the payload most of the time...
Are you saying that there is a probability that no one can reproduce what you see on your system?

Anyway, let's get down to basics. Modifying the MBR within Windows requires low-level disk access. If I were you, I would do the following:

1. uninstall Sandboxie 3.42

2. verify that you have a standard MBR

3. install a classic HIPS (I would go with Malware Defender) which can detect real-time low-level disk access

4. immediately put Malware Defender in Learning Mode and reboot/use your system a few times

5. once Malware Defender learns your system's basic behavior, install Sandboxie using your 3.42 installer with Malware Defender still in Learning Mode

6. monitor Malware Defender's log window for low-level disk access and copy/paste your log entries here
Nick
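Step 2 of the procedure above ("verify that you have a standard MBR") is easier to do reproducibly if the first sector is read raw, parsed, and hashed, so that a baseline taken before the install can be compared byte-for-byte with a reading taken afterwards (and a reading in Safe Mode with one in normal mode). The following is an added example, not code from this thread or from Sandboxie or GMER; it builds a constructed 512-byte MBR image for demonstration, and the `read_mbr` helper and its `\\.\PhysicalDrive0` path are an assumed usage that needs administrator rights on Windows.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446       # MBR boot code occupies bytes 0..445
PART_TABLE_OFF = 446      # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xaa"    # mandatory signature at bytes 510..511


def build_sample_mbr():
    """Constructed sample MBR (not read from any real disk). The first bytes of the
    boot code mimic the opening of a typical Windows XP MBR (xor ax,ax / mov ss,ax /
    mov sp,7C00h), padded with zeros; then one bootable NTFS partition entry,
    three empty entries, and the 0x55AA signature."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"
    boot_code += b"\x00" * (BOOT_CODE_LEN - len(boot_code))
    # entry layout: status, CHS start, type (0x07 = NTFS), CHS end, LBA start, sector count
    ntfs = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 312576705)
    empty = b"\x00" * 16
    return boot_code + ntfs + empty * 3 + BOOT_SIG


def has_boot_signature(sector):
    """True only for a full 512-byte sector ending in 0x55AA."""
    return len(sector) == SECTOR_SIZE and sector[510:512] == BOOT_SIG


def parse_mbr(sector):
    """Parse a raw MBR sector into a dict with boot-code and whole-sector hashes
    plus the non-empty partition entries."""
    if not has_boot_signature(sector):
        raise ValueError("not a valid MBR: wrong size or missing 0x55AA signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:          # type 0 marks an unused entry
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
        })
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "sector_sha256": hashlib.sha256(sector).hexdigest(),
        "partitions": partitions,
    }


def compare_mbr(baseline, current):
    """Return a list of human-readable differences between two parsed MBRs;
    an empty list means the boot code and partition table are unchanged."""
    findings = []
    if baseline["boot_code_sha256"] != current["boot_code_sha256"]:
        findings.append("boot code changed")
    if baseline["partitions"] != current["partitions"]:
        findings.append("partition table changed")
    return findings


def read_mbr(path=r"\\.\PhysicalDrive0"):
    """Assumed usage: read the first sector of a raw disk. The default path is the
    Windows raw-disk device (administrator rights required); on Linux pass e.g. /dev/sda."""
    with open(path, "rb") as disk:
        return disk.read(SECTOR_SIZE)


if __name__ == "__main__":
    import json
    print(json.dumps(parse_mbr(build_sample_mbr()), indent=2))
```

Taking the baseline from outside the running OS (a boot CD, as Jim did with his imaging tool) matters here: a hook that filters disk reads in normal mode would hide itself from a comparison done entirely from inside that mode, which is exactly why the Safe Mode and normal-mode results in this thread are worth comparing against each other.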

Guest10
Posts: 5124
Joined: Sun Apr 27, 2008 5:24 pm
Location: Ohio, USA

Post by Guest10 » Mon Dec 28, 2009 10:30 am

To see if this problem shows up, would it be necessary for me to go through uninstalling Sandboxie; run mbr.exe; install Sandboxie; and then run mbr.exe again?
If not, then running mbr.exe on my XP computer with Sandboxie 3.43.08 already installed, I get
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
Paul
Win 10 Home 64-bit (w/admin rights) - Zone Alarm Pro Firewall, MalwareBytes Premium A/V, Cyberfox, Thunderbird
Sandboxie user since March 2007

nick s
Posts: 382
Joined: Sat Dec 20, 2008 12:52 am

Post by nick s » Mon Dec 28, 2009 1:14 pm

Guest10 wrote:To see if this problem shows up, would it be necessary for me to go through uninstalling Sandboxie...
No, it's not necessary for you or me. JimInNashville claims that installing Sandboxie somehow modifies his MBR. I was suggesting a method of tracing what is happening on his system while he installs Sandboxie.
Guest10 wrote:If not, then running mbr.exe on my XP computer with Sandboxie 3.43.08 already installed, I get
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
I get the same results on XP, Vista, and 7.
Nick

MitchE323
Posts: 2268
Joined: Thu Nov 02, 2006 9:32 am

Post by MitchE323 » Mon Dec 28, 2009 2:10 pm

I also get the same result as Guest10 and Nick s. XPSP3 on Sandboxie 3.42 & 3.43.08.

JimInNashville
Posts: 8
Joined: Sun Dec 27, 2009 2:29 pm

Post by JimInNashville » Mon Dec 28, 2009 4:39 pm

Nick,

Thanks for these suggestions. I am not casting aspersions on anyone, just trying to get correct answers!

Let me add some more technical details, because I have been through quite a bit over the last several weeks.

My system was originally infected with a trojan that was manifested by the repeated appearance of a file called "windefence32.exe". Attempts to clean it were initially unsuccessful, as when erased, the file immediately reappeared (ditto with registry entries), although PrevX eventually succeeded. There was enough collateral damage that I decided to erase all partitions, create just one partition, reformat NTFS, and reinstall WinXP and all software. After doing this, I noticed via mbr.exe that the MBR was apparently improper. But this was after reinstalling Sandboxie.
To sum up what I was seeing at the time:

a. Once fully into WinXP, if I did Run-->cmd then mbr.exe, I received an error message.

b. In Safe Mode, there was no error message.

c. Booting into the Windows recovery console from the WinXP Dell OEM disk, I ran FIXMBR and was told that the boot record was nonstandard.

Prevx Support examined GMER scans of my system, and, although Giganews Accelerator touches off what appear to be false positive rootkit indications, they said my system looked very clean.

Not entirely satisfied, I used Active@Killdisk to zero my entire drive, then did a clean reinstall of XP and, step by step, my drivers and software, imaging as I went in stages, using Terabyte Image for Linux. All images were produced outside the OS. After installing Sandboxie 3.42, the MBR indication suddenly recurred, although uninstalling Sandboxie seemed to remove the problem.

So you can see why I am puzzled, and, in the interest of all, trying to get a definitive answer. So thanks to everyone for any suggestions. Note that I have a clean system now, and have no need to be here other than the public interest and my own intellectual curiosity.

--Jim

nick s wrote:
JimInNashville wrote:And, need I remind anyone on this forum, software that is compromised can be deliberately written to deliver its payload *probabilistically*, that is, not deliver the payload most of the time...
Are you saying that there is a probability that no one can reproduce what you see on your system?

Anyway, let's get down to basics. Modifying the MBR within Windows requires low-level disk access. If I were you, I would do the following:

1. uninstall Sandboxie 3.42

2. verify that you have a standard MBR

3. install a classic HIPS (I would go with Malware Defender) which can detect real-time low-level disk access

4. immediately put Malware Defender in Learning Mode and reboot/use your system a few times

5. once Malware Defender learns your system's basic behavior, install Sandboxie using your 3.42 installer with Malware Defender still in Learning Mode

6. monitor Malware Defender's log window for low-level disk access and copy/paste your log entries here

JimInNashville
Posts: 8
Joined: Sun Dec 27, 2009 2:29 pm

Post by JimInNashville » Mon Dec 28, 2009 4:41 pm

To follow up on the above, here is what I posted on the PrevX Support Log several days ago:

I discovered something that may be of use:

I booted into Safe Mode, and ran MBR.EXE. It said my MBR is fine:
Here is the log
---------Log in Safe Mode----------------------
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
-----------------------------

Same computer, I booted as normal into Windows XP. I ran MBR.EXE by running cmd and it said I still have the problem. Why would mbr.exe produce different results in Safe Mode and Regular Win XP Mode?

Log in Windows XP Standard Mode

-----------------
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\iaStor -> 0x89a86620
IoDeviceObjectType -> ParseProcedure -> 0x88b131b0
\Device\Harddisk0\DR0 -> ParseProcedure -> 0x88b131b0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !
------------------------------

My computer seems to be running perfectly, but this inconsistency is very worrisome.
And, the Recovery Console still says the MBR is non-standard, and running FIXMBR does not change that.


=======================

nick s wrote:
Guest10 wrote:To see if this problem shows up, would it be necessary for me to go through uninstalling Sandboxie...
No, it's not necessary for you or me. JimInNashville claims that installing Sandboxie somehow modifies his MBR. I was suggesting a method of tracing what is happening on his system while he installs Sandboxie.
Guest10 wrote:If not, then running mbr.exe on my XP computer with Sandboxie 3.43.08 already installed, I get
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
I get the same results on XP, Vista, and 7.
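The two mbr.exe logs in this thread differ in one section only: the hooked run lists "detected MBR rootkit hooks" and yet still ends with "user & kernel MBR OK", i.e. the sector bytes read from user mode and from the kernel agree, and what the tool is flagging is a hook on the device object's ParseProcedure, not a changed MBR. The following added example (not code from this thread, from GMER or from Sandboxie) parses that output format into a structured report and separates those two findings; the sample logs are the ones posted above, and the `->` arrows are assumed to be the tool's literal separator.

```python
import re

# Sample outputs copied from the mbr.exe logs posted in this thread.
CLEAN_LOG = """Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
"""

HOOKED_LOG = """Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\\Driver\\iaStor -> 0x89a86620
IoDeviceObjectType -> ParseProcedure -> 0x88b131b0
\\Device\\Harddisk0\\DR0 -> ParseProcedure -> 0x88b131b0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !
"""

# A hook line is a chain of names separated by " -> " ending in a kernel address.
HOOK_RE = re.compile(r"^(?P<chain>.+?) -> (?P<addr>0x[0-9a-fA-F]+)$")


def parse_mbr_exe_log(text):
    """Turn mbr.exe output into a report: read status flags, whether user-mode and
    kernel reads of the MBR agreed, and the list of hooks with their target addresses."""
    report = {"user_read": False, "kernel_read": False, "mbr_consistent": False,
              "warning": False, "hooks": []}
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "user: MBR read successfully":
            report["user_read"] = True
        elif line == "kernel: MBR read successfully":
            report["kernel_read"] = True
        elif line == "user & kernel MBR OK":
            report["mbr_consistent"] = True
        elif line.startswith("detected MBR rootkit hooks"):
            in_hooks = True
        elif line.startswith("Warning:"):
            report["warning"] = True
            in_hooks = False
        elif in_hooks:
            m = HOOK_RE.match(line)
            if m:
                chain = [part.strip() for part in m.group("chain").split("->")]
                report["hooks"].append({"chain": chain, "address": int(m.group("addr"), 16)})
    return report


def hook_addresses(report):
    """Distinct hook target addresses. Hooks sharing one address almost certainly belong
    to the same driver; resolving that address against the loaded-module list is the
    next step in attributing them (not done here)."""
    return sorted({h["address"] for h in report["hooks"]})


def classify(report):
    """Coarse verdict: 'clean', 'hooked-consistent' (hooks present but the MBR bytes
    read identically from user and kernel mode, as in the thread), 'hooked-inconsistent'
    (hooks present and the reads disagree), or 'inconclusive' (a read failed)."""
    if not (report["user_read"] and report["kernel_read"]):
        return "inconclusive"
    if report["hooks"]:
        return "hooked-consistent" if report["mbr_consistent"] else "hooked-inconsistent"
    return "clean" if report["mbr_consistent"] else "inconsistent"


if __name__ == "__main__":
    for name, log in (("clean", CLEAN_LOG), ("hooked", HOOKED_LOG)):
        rep = parse_mbr_exe_log(log)
        print(name, classify(rep), [hex(a) for a in hook_addresses(rep)])
```

In the posted hooked log the IoDeviceObjectType and \Device\Harddisk0\DR0 entries share the address 0x88b131b0, which is what a single driver intercepting the device object would look like; the "hooked-consistent" verdict is the case tzuk describes, where a product legitimately extends that object without touching the on-disk MBR.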

soccerfan
Posts: 440
Joined: Tue Sep 25, 2007 2:59 pm

Post by soccerfan » Mon Dec 28, 2009 5:22 pm

JimInNashville,
Please test Sandboxie 3.42 on a different, 'non-infected' machine.
Only the results of such a test will give you a conclusive answer.
soccerfan

tzuk
Sandboxie Founder
Posts: 16076
Joined: Tue Jun 22, 2004 12:57 pm

Post by tzuk » Mon Dec 28, 2009 5:35 pm

JimInNashville: You quoted something about IoDeviceObjectType in your last comment. I can tell you that Sandboxie does extend/intercept this operating system object. But:

(1) The intention is not for Sandboxie to take over your MBR or to be a rootkit. I hope that much is obvious by now.

(2) Other stuff in your system might also mess with IoDeviceObjectType and perhaps that stuff is responsible for the warnings, because ...

(3) ... You should note that other people running Sandboxie did not see the warning related to IoDeviceObjectType.
tzuk
