Sandboxie — One of the best security tool

I wrote in the past an article about Sandboxie and its add-ons but I feel a such powerful security tool deserve a  more in depth review. I run a small computers business and there are no rare the cases when people call me or come to me asking for an advice how to remove different malware from the computer, therefore I’m not lacking for malware samples for analysis. Always I ask people when the computer infection occur, what they did before to get that malware, trying to track the infection source. Unfortunately very often the reason why the people get their computers infected are themselves. The people behaviour on the Internet is slightly different in opposition with the behaviour in real life.

Peoples likes to download cracked software from untrusted and unverified sources, likes free sexy videos or likes to click on catchy sexy videos and naked girls photos from Facebook. In real life not anyone will dare to steal things or to take looong looong looks to sexy girls on the street, but on the Internet peoples hides themselves behind the computer screens. Well,  sometimes you must pay the price for not being so wise. Don’t understand me wrong, I’m a normal man and I like also the sexy videos and naked girls(NO Facebook girls !) but I like too a clean computer because I know that my online private life and my banking accounts depends on that.

Furthermore, I’m aware of antivirus software limitations, when accordingly to  NSSLabs everyday 50,000 of new malware are detected daily, when it comes to these new malware variants, the traditional signature based detection method are inexorable destined to fail.

Source : NSSLabs report

Enterprises are most at threat from fresh customized malware. Security companies share malware samples, but if no company sees or detects the malware, it could quietly circulate and potentially infect machines, stealing data. Even if it is undetected for a short period of time, it still is enough a window to infect a corporate network. As many as 50,000 new malicious programs are detected every day.

The malware creators do all possible efforts to makes their malware FUD (Fully Undetectable) for antiviruses and often they succeed. Simple and free security tools as start-up entries checkers, network and processes monitors, online malware analyzers or sandboxes reveal malware presence or help us to prevent the malware installation. In my security tools ranking, Sandboxie occupies one of the highest position for its benefits : running any program including the web browser in an isolated environment, any permanent changes to the system are not possible, thus any accidentally loaded malware will not be able to harm the system.

Running a sandboxed web browser you are able to delete all the browsing history or cookies with a mouse click from the sandbox folder. Besides that one of the most interesting use of the Sandboxie is to test and analyze the programs you don’t fully trust.

The infection source for a customer computer was a modified version of AVG Antivirus 8.0 installation program downloaded from a warez blog. The nice thing here is AVG offer Anti-Virus Edition for free, only AVG Internet Security is to be paid for. From the start I find weird to use Microsoft Self Extractor package as an installer:

installer image

OK, let’s go further and test the application, I open firstly Buster Sandbox Analyzer , shortly BSA a tool for monitoring the sandboxed application behaviour, files and registry changes (in the sandbox) and based on these it is able evaluate the security risks. The tool and instructions for installing it can be found on the official site :  http://bsa.isoftware.nl or on the Sandboxie support forum. It is a good idea to use this tool as it saves raports with changes made by a sandboxed running application, API calls, network traffic if any and overall gives a better perspective about  what it is happening inside the sandbox.

Now that we have BSA running, right click on the tested executable select defaultBox and select “Run Sandboxed”, the installer window appear with the title between number signs, that’s mean the application run sandboxed :

start sandboxed installation

This is a very important stage because all possible malware can be found in the temporary folder of the sandbox. During the running of an infected installer, the embedded executables are dropped in the temporary folder. From there them can be copied somewhere else, submitted to online files analyzers as Anubis or virustotal.com or you can  made further analysis on them yourself. Be very precautious and don’t run them accidentally and take note that many new trojans has anti-sandboxie module inside anti-VMware(virtual machine) or even anti-virustotal.com module and will stop the execution immediately they are detecting a virtual environment giving an execution error to the user. The code used in this anti modules is rather simple, it checks for environment variables–the full executables path, windows titles, their own application name(very often the online analyzers rename the samples submitted sample.exe), running processes(for example if filemon.exe or regmon.exe are running), loaded modules, for example there is anti-sandboxie code that checks using  GetModuleHandle function if SbieDll.dll is loaded. If it’s loaded that mean the executable is sandboxed and GetModuleHandle function will return a handle for it, otherwise will return 0. Now, let’s dig in the sandbox, what can be found ? I made screenshots with full folders path for a better understanding :

sandbox temporary folder

The content of IXP001.TMP folder is very interesting :

inside temporary folder

You don’t need to be an expert to know that server.exe is a dubious program. The vast majority of new trojans or other malware are running on server-client principle. The server are inside the infected computer and supply data, files or informations at the hackers instructions the same how a web-site gives you the possibility to see web-page, navigate trough them or download and upload files. Of course the trojans can have any other names in many cases names that imitate legitimate files as ipodservice.exe or taskmrg.exe(see the difference to avoid a conflict with the existing file taskmgr.exe-taskmrg.exe), servicess.exe, but in this case the hacker does not  bother to “better” rename it, its name is simply server.exe. Look further what I’ve found in  C:\Sandbox\Administrator\DefaultBox\drive\C\WINDOWS sandbox folder :

sandbox system32 view

A lot of dubious executable files and here :

sandbox Windows folder

Another suspect file, host.exe with only 231 bytes in size ?!? I use a  good and free executable viewer, named CFF Explorer, it has executable editor capabilities, hex editor, executables sections and resources  editor, process and drivers viewer memory dumper and even a primitive disassembler for 32 ,64 bits and .NET files. Let’s continue, from the Context Menu(right click) > Open with CFF Explorer and click Hex Editor to have an image of this fake executable, host.exe.

cff explorer screenshot

As you maybe know, any real executable must begin with legendary MZ letters but this seems to be an HTML document with the .exe extension. However an URL can be distinguished :

http://sites.google.com/site/zeroburn000/host.exe

and if you put this in the browser address bar and navigate there, another host.exe file is served for download, a real malware executable file for sure with 23KB in size. This type of malware found in the analyzed installer is called a Downloader trojan, it will download and run without your knowledge another trojan or multiple malware from the web, causing multiple and deeper infections of your system. So far we found two trojans, server.exe from the sandbox temporary folder :

CRC32: 3230623B

MD5: C9066075AF479151FF6A4B48B4A318BC

SHA-1: CEBC95BD98BF6E44AF3BBFDB83E51EB3BF01B010

Here is the virustotal.com analysis report.

And now host.exe downloaded by me from the web for analysis :

CRC32: AFEE0DC1

MD5: 9097F72708417DDB609066C052B510F5

SHA-1: 369D10ECDEF0CA1D3F5B33B47186F46E884C68D0

Here is the virustotal.com report.

As you can see in the report, not all the antiviruses are able to detect this trojan, instead 77%, but this is a lucky case, bear in mind that if we deal with new trojans there is the possibility that none of the antivirus software to detect it. Well known antimalware as SUPERAntiSpyware, ClamAV or DrWeb,  fail to detect this malware even now. OK, now I terminate all the sandboxed processes, let’s see what BSA report. First, the Malware Analyzer module :

malware analyzer screenshot

Details, in partial screenshot for a little size of image :

details of malware analyzer

The conclusion is Buster Sandbox Analyzer does very well its job, it detects a few malware activities on the sandbox and all these without any risk to get our system infected. It has also a files changes and registry changes viewer, online analyzers file submitter, reghive file viewer (for new created registry entries in the sandbox) and many other tools. After closing all programs from the sandbox, the temporary folder content is automatically deleted, but we saw all the actions and we are able to reach a conclusion about the analyzed software.

I hope you understand me now why I consider Sandboxie such a powerful security tool.

Keep safe !

Posted in Thoughts.

59 Responses

Leave a Reply

Your email address will not be published. Required fields are marked *