sandboxie



  • Anyone used Sandboxie for looking at links in malware? I mean, like wrap the browser in a sandbox?



  • Yeah I have but I don’t use it a whole ton. Usually I just use a lab machine for that. However, if I were needing to look at questionable links on my main box, I would wrap the browser in a sandbox for sure. It’s important to note that a sandbox won’t prevent in-session spying or even keylogging necessarily… But it should prevent the malware or spyware from touching other areas of the computer and other applications.



  • So this is good for isolating the environment only but not for an in-depth analysis?



  • @wunderbar said in sandboxie:

    So this is good for isolating the environment only but not for an in-depth analysis?

    The problem with sandboxing is that malicious software can actually identify the presence of a sandbox and thus it may then proceed to alter its behavior on the go to trick the victim testing it out in a sandbox beforehand. This doesn’t mean sandboxing is bad, it really isn’t, and it’s a good practice to apply if you can handle it.

    Bear in mind that data theft may still be possible under a sandbox environment. It depends on the sandbox in question and configuration for the sandbox, so you should still be careful with it.

    If you want to be even safer, use a Virtual Machine. This will truly isolate the software since you’ll be executing it on a Guest environment which is being handled by real virtualisation technology (the hypervisor - hardware-assisted technology).



  • @ntopcode

    Isn’t a Windows Store “App Container” very much like a Sandboxie sandbox?



  • I would not use Sandboxie for malware analysis because this is far too dangerous for your host system.
    It is just a container with a few more restrictions that runs in your OS. It is more lightweight, but also less secure than a VM.

    An actual Virtual Machine is safer. There is always the possibility that malware can escape, but it rarely happens for VMs. Most malware with VM detection capabilities refuses to work on VMs (to avoid analysis) instead of becoming more violent.

    Exploits for sandboxes on the other hand are more common. It is possible to break out of Sandboxie and to execute any code on the main system. The vulnerability to those kinds of exploits is part of the design of a Sandbox, thus, it cannot be fixed.

    There are several papers about this topic. E.g.:
    https://bromiumlabs.files.wordpress.com/2013/07/application_sandboxes_a_pen_tester_s_perspective2.pdf
    https://media.blackhat.com/eu-13/briefings/Wojtczuk/bh-eu-13-thes-sandbox-wojtczuk-slides.pdf
    https://threatpost.com/using-kernel-exploits-bypass-sandboxes-fun-and-profit-031813/77638

    Some quotes from the first paper:

    • “We tested an exploit for CVE-2012-0217 in the Sandboxie confinement on an x86_64 platform running the default Windows 7 SP1 kernel. Our exploit worked flawlessly, and allowed us to run arbitrary code in kernel mode.”

    • “The default installation of Sandboxie did not prevent any keylogging whatsoever. The attacker had full access to the key logging activity of the entire machine.”

    • “Sandboxie was not able to prevent stealing from the clipboard and the attacker had full access to the victims host clipboard.”

    • “Sandboxie allows access to the network shares from within the sandbox.”

    • “Our testing proves that due to the large exposure to the OS, a lot of sandboxes aren’t able to completely protect against undesired access. This is indeed a concern since these sandboxes are designed to expect execution of ‘untrusted’ code.
      […]
      Type A sandboxes [includes Sandboxie] by design, are vulnerable to a relatively large attack surface.”



  • Ya also you can’t run stuff like Process Monitor in Sandboxie… It can’t properly access the kernel driver.



  • @Struppigel ya I agree, @wunderbar I would recommend using a vm proxied with whonix and checking the uri calls with fiddler (add-on ekfiddle).



  • @ziran that’s a killer setup :)
