Expanded Commentary on Destroying Sandboxes
Following the explosion in popularity of the article on Destroying Sandboxes, it seemed that a number of readers were still curious about exactly what was being reported.
Firstly, to clear up any misconceptions:
- Yes, Sûnnet Beskerming researchers are fully aware of hypervisor rootkits, Red Pill, Blue Pill, and malware that is aware of the presence of VMWare and VirtualPC-style virtual sessions (as the article referenced).
- Yes, Sûnnet Beskerming researchers are fully aware of malware that can target antimalware applications, and that there are plenty of means available to target these applications without needing to resort to breaking out of the sandbox.
Sûnnet Beskerming researchers are also aware that these new approaches are the logical derivation of techniques and methods used to target VMWare and other system-wide virtual sessions (as the article described) and may have already been discussed amongst smaller groups.
What prompted the article was the discovery of well-written, clearly explained techniques and source code that explored the sandboxes created by Norman products. Not only were these techniques being discussed and made available in an open manner, but they reflected an almost-complete general approach to attacking sandboxing software.
Also setting this new code apart from previous virtual-machine detection is the addition of routines and investigation of opportunities to reach out from inside the sandbox and potentially control the host system. Given that previous samples were almost exclusively about detecting the virtualised session, this addition is interesting and worth noting.
Finally, as these techniques spread wider and gain more use in new malware samples, the job of the antimalware developers and companies becomes that much more difficult, as another section of their own software is turned against the system it is trying to protect.
18 July 2007