Sandboxie: Stay free of malware
Thursday, 06 July 2006

Zone-H successfully tested a piece of software named Sandboxie that helps users prevent attacks by digital malware such as viruses, worms and trojans.

We used the browser Internet Explorer v 6.0.3790.1830 together with Sandboxie v 2.42 to verify whether the software was actually capable of blocking any kind of attack attempt by malware.

Downloading and installing the software is fairly simple. Once installed, it creates a shortcut on the desktop from which the browser can be started. When activated, the software creates a folder at HDD:\DOCUMENTS AND SETTINGS\LOGIN\SANDBOX where all of the software's configuration information and the folder's contents are stored, something like a virtual hard disk in which cookies are archived together with the website history, downloaded files, temporary files and the browser cache.

We enabled Sandboxie and visited a well-known crackers' website in order to see how the software behaves. On the main page of the visited site, a JavaScript popup appeared as soon as a Java application started executing.

When Java was started inside the sandbox, it created a log file of its normal Java routines and some temporary files inside the subfolders of "Sandbox". After this, the website started trying to install a Trojan downloader on the system through a buffer overflow.

This was not possible, because Sandboxie does not let sandboxed programs use Windows' own COM calls: two programs, SandboxieRpcSs and SandboxieDcomLaunch, provide a sandboxed copy of the COM framework instead. Since the installation of the Trojan did not succeed, a window appeared asking us to download that application.

We downloaded it to the folder called "My Documents", which is also a special sandboxed folder.

Then we went on surfing the crackers' website, and it tried again to provoke a buffer overflow in order to run a malicious file with a WMF extension.

This type of file is very commonly used by crackers to gain remote access to a computer that is not patched against Windows security issues. When it is successfully installed, it opens a specific backdoor that allows a cracker to control the computer remotely. We allowed the execution of this file for testing purposes only, and exactly what we foresaw happened.

It was blocked: it called Windows COM framework functions, but these did not work because the calls ran inside the environment created by the sandbox's COM functions.

After these attempts to infect the machine through unprotected browsing of untrusted websites, we went on to test some new viruses (the ones that had been downloaded thanks to the visited site).

We tested TROJ_VB.AU, a Trojan horse common on many computers around the world; the keylogger PROAGENT V2.0, a world-famous tool used by carders and bankers to create keylogger servers that send bank account and card numbers to crackers; and the viruses that had been downloaded from the crackers' site.
We tried to execute TROJ_VB.AU and the software was blocked; the same happened with the other Trojan horse from the crackers' site.

Then we ran the keylogger creation tool. This is a normal program that works well (it creates a server that can be used to infect remote computers), and as usual it saved server.exe inside the sandboxed "My Documents" folder.

When we tried executing server.exe, the virus attempted to install itself in the registry, to create a default folder inside the SYSTEM32 directory and to place its infected files there. All of these attempts were automatically blocked, preventing the virus from executing and infesting the machine.

Temporary files can be cleaned very easily: an option exists in the software's own configuration that clears the folders once they are closed.
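The behaviour described above (writes landing in the Sandbox folder as a virtual disk, registry and SYSTEM32 changes never reaching the real machine, and the clean-on-close option) as a small Python model. This is an added illustration, not Sandboxie's code: the sandbox\drive\C layout, the dropper file name and the registry key are constructed assumptions, and the host file system and registry are plain dictionaries.

```python
from pathlib import PureWindowsPath

SANDBOX_ROOT = PureWindowsPath(r"C:\Documents and Settings\LOGIN\Sandbox")  # folder named in the article; LOGIN is a placeholder

def norm(path):
    return str(PureWindowsPath(path)).lower()  # case-insensitive path key

class Sandbox:
    """Copy-on-write view over a host file system and registry (plain dicts here)."""

    def __init__(self, host_files, host_registry, delete_on_close=True):
        self.host_files = host_files        # real disk: must never be modified
        self.host_registry = host_registry  # real registry: must never be modified
        self.files, self.registry = {}, {}  # everything the sandboxed program wrote
        self.delete_on_close = delete_on_close

    def redirected_path(self, path):
        # C:\Dir\f.exe -> <sandbox>\drive\C\Dir\f.exe (this layout is an assumption)
        p = PureWindowsPath(path)
        return str(SANDBOX_ROOT / "drive" / p.drive.rstrip(":") / p.relative_to(p.anchor))

    def write_file(self, path, data):
        # The program believes it wrote to `path`; only the sandbox copy changes.
        self.files[norm(path)] = data
        return self.redirected_path(path)

    def read_file(self, path):
        # A sandbox copy shadows the real file; otherwise fall through to the host.
        return self.files.get(norm(path), self.host_files.get(norm(path)))

    def set_registry(self, key, value):
        self.registry[key.lower()] = value  # registry writes are diverted the same way

    def close(self):
        # The clean-on-close option the article mentions: drop the session's writes.
        if self.delete_on_close:
            self.files.clear()
            self.registry.clear()

def run_session(delete_on_close=True):
    """Replay the article's last test: a dropper writes under SYSTEM32 and the registry."""
    host_files = {norm(r"C:\WINDOWS\SYSTEM32\kernel32.dll"): b"real"}  # constructed host
    host_registry, snapshot = {}, dict(host_files)
    sb = Sandbox(host_files, host_registry, delete_on_close)
    sb.write_file(r"C:\WINDOWS\SYSTEM32\dropper\server.exe", b"payload")  # constructed names
    sb.set_registry(r"HKCU\Software\ExampleDropper\Installed", "1")       # constructed key
    seen_inside = sb.read_file(r"C:\WINDOWS\SYSTEM32\dropper\server.exe") == b"payload"
    sb.close()
    return {"host_untouched": host_files == snapshot and host_registry == {},
            "seen_inside": seen_inside, "left_after_close": len(sb.files) + len(sb.registry)}
```

Running `run_session()` shows the dropper sees its own files while the host dictionaries stay unchanged; with `delete_on_close=False` the two writes survive in the sandbox after close.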

The software contains an application called Start.exe that an administrator can use like this: "C:\Program Files\Sandboxie\Start" "path-and-name-of-program-to-invoke.exe".

Starting any application this way from the command line, such as a browser or mail client, makes the software quite useful inside corporations that have a significant incidence of viruses.
With this program the workstation can be configured to run the e-mail client and the browser inside this sandboxed virtual environment, preventing contamination of the workstation and possibly of the whole network range.

Sandboxie can be downloaded here

[Screenshot: normal software function]
[Screenshot: with Sandboxie]
[Screenshot: crackers' site buffer overflow window]
[Screenshot: virus used in tests under the sandboxed folder]
[Screenshot: when trying to force a virus to run, this warning appears]
[Screenshot: process list]
Comments Index (Total Messages: 4)
WoW Written by Guest on 2006-07-07 22:02:03
no url? Written by Guest on 2006-07-08 01:35:41
  Re: no url? Written by Vympel on 2006-07-10 15:51:15
oh nice idea Written by Guest on 2006-07-08 13:51:05