Can malware steal data while sandboxed ?

Hi

I use CIS, and this afternoon malware tried to install itself on my machine through an ad page (adfly). CIS told me it had sandboxed a process (partially), but the malware still managed to reboot my PC.

Apparently there is no malware in the process list after reboot, but I still have a doubt - I'm not sure the sandbox worked fine. Also, is it possible it stole data (Firefox saved passwords) and sent it over the internet? CIS didn't mention anything about it, but since the malware managed to reboot the machine, I'm really not sure about it, and I'm a bit (really) scared.

Can someone please help me with this?
Thank you

Here is the CIS log of these events:

Date | Programme | Action | Destination
2012-09-18 14:42:38 | C:\Users\Mani\AppData\Local\Temp\03OhmWv.exe | Exécuté dans la Sandbox comme | Partiellement limité
2012-09-18 14:42:39 | C:\Users\Mani\AppData\Local\Temp\03OhmWv.exe | Exécuté dans la Sandbox comme | Partiellement limité
2012-09-18 14:42:44 | C:\Users\Mani\AppData\Local\Temp\03OhmWv.exe | Accède à la mémoire de | C:\Program Files (x86)\Mozilla Firefox\firefox.exe
2012-09-18 14:42:44 | C:\Users\Mani\AppData\Local\Temp\03OhmWv.exe | Termine le processus | C:\Program Files (x86)\Mozilla Firefox\firefox.exe
2012-09-18 14:42:44 | C:\Users\Mani\AppData\Roaming\1.exe | Exécuté dans la Sandbox comme | Partiellement limité
2012-09-18 14:43:02 | C:\Users\Mani\AppData\Local\Temp\03OhmWv.exe | Modifie la clé | HKUS\S-1-5-21-2694863246-781080281-2206063693-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
2012-09-18 14:43:02 | C:\Users\Mani\AppData\Roaming\1.exe | Accède à la mémoire de | C:\Program Files (x86)\Mozilla Firefox\firefox.exe
2012-09-18 14:43:02 | C:\Users\Mani\AppData\Roaming\1.exe | Termine le processus | C:\Program Files (x86)\Mozilla Firefox\firefox.exe
2012-09-18 14:43:02 | C:\Users\Mani\AppData\Roaming\1.exe | Modifie la clé | HKUS\S-1-5-21-2694863246-781080281-2206063693-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
2012-09-18 14:43:02 | C:\Users\Mani\AppData\Local\Temp\03OhmWv.exe | Modifie le fichier | C:\Users\Mani\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ja.lnk
2012-09-18 14:43:02 | C:\Users\Mani\AppData\Roaming\1.exe | Modifie le fichier | C:\Users\Mani\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ja.lnk
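As an added example (not from the original post or from Comodo), here is a small triage script over the log above: it classifies each CIS event, flags the two things that matter for the question asked (the sandboxed processes reading and killing firefox.exe, which is where saved passwords would be at risk, and the writes to logon persistence locations), and lists the real-system locations to inspect after the reboot. The log rows are re-typed from the post as constructed sample input; the flag names and the browser list are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the CIS rows quoted in the post, re-typed as
# "date | program | action | target" with action text as CIS logged it.
CIS_LOG = r"""
2012-09-18 14:42:38 | C:\Users\Mani\AppData\Local\Temp\03OhmWv.exe | Exécuté dans la Sandbox comme | Partiellement limité
2012-09-18 14:42:44 | C:\Users\Mani\AppData\Local\Temp\03OhmWv.exe | Accède à la mémoire de | C:\Program Files (x86)\Mozilla Firefox\firefox.exe
2012-09-18 14:42:44 | C:\Users\Mani\AppData\Local\Temp\03OhmWv.exe | Termine le processus | C:\Program Files (x86)\Mozilla Firefox\firefox.exe
2012-09-18 14:42:44 | C:\Users\Mani\AppData\Roaming\1.exe | Exécuté dans la Sandbox comme | Partiellement limité
2012-09-18 14:43:02 | C:\Users\Mani\AppData\Local\Temp\03OhmWv.exe | Modifie la clé | HKUS\S-1-5-21-2694863246-781080281-2206063693-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
2012-09-18 14:43:02 | C:\Users\Mani\AppData\Roaming\1.exe | Modifie le fichier | C:\Users\Mani\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ja.lnk
"""
# CIS action string -> event kind.
ACTIONS = {"Exécuté dans la Sandbox comme": "sandboxed", "Accède à la mémoire de": "memory_access",
           "Termine le processus": "terminate", "Modifie la clé": "registry_write",
           "Modifie le fichier": "file_write"}
BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe"}
# Logon persistence locations seen in the log. With registry/file virtualization
# on, these writes should exist only in the sandbox's virtual hive/folder, so the
# real locations are what to inspect after the reboot.
PERSISTENCE = [(re.compile(r"\\winlogon\\shell$", re.I), "persistence_winlogon_shell"),
               (re.compile(r"\\start menu\\programs\\startup\\", re.I), "persistence_startup_folder")]

def parse_cis_log(text):
    """One dict per non-empty line: date, program, action, target."""
    rows = (line.split("|", 3) for line in text.splitlines() if line.strip())
    return [dict(zip(("date", "program", "action", "target"), (c.strip() for c in r))) for r in rows]

def triage(events):
    """{program: sorted flags}: browser tampering (saved-password risk) and persistence writes."""
    flags = defaultdict(set)
    for e in events:
        kind = ACTIONS.get(e["action"], "other")
        if kind == "sandboxed":
            flags[e["program"]].add("sandboxed:" + e["target"])
        elif kind in ("memory_access", "terminate") and e["target"].rsplit("\\", 1)[-1].lower() in BROWSERS:
            flags[e["program"]].add("browser_" + kind)
        elif kind in ("registry_write", "file_write"):
            flags[e["program"]].update(f for p, f in PERSISTENCE if p.search(e["target"]))
    return {prog: sorted(f) for prog, f in flags.items()}

def artefacts_to_verify(events):
    """Sorted real-system locations that persistence writes targeted."""
    return sorted({e["target"] for e in events if ACTIONS.get(e["action"]) in ("registry_write", "file_write")
                   and any(p.search(e["target"]) for p, _ in PERSISTENCE)})
```

Run `triage(parse_cis_log(CIS_LOG))` to see both executables flagged for firefox.exe memory access and termination plus the Winlogon Shell and Startup-folder writes; `artefacts_to_verify` gives the two locations whose real (non-virtualized) state to confirm is still the default after the reboot.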

I think you're alright. CIS default minimum protections defended against the attack.

The default execution control for sandbox level:

• Partially Limited (Default) - The application is allowed to access all the Operating system files and resources like clipboard. Modification of protected files/registry keys is not allowed. Privileged operations like loading drivers or debugging other applications are also not allowed.

Recommend that you change to:

• Untrusted - The application is not allowed to access any of the Operating system resources. The application is not allowed to execute more than 10 processes at a time and is run with very limited access rights.

Moreover, sandbox settings should have registry and file virtualization enabled:

Enable file system virtualization - The sandboxed applications are not permitted to modify the files in your 'real' file system. Enabling file system virtualization instructs the Sandbox to create a virtual file system in your system. The sandboxed applications write any data only into the created virtual file system, instead of affecting and potentially causing damage to your real file system. If you disable this option, the sandboxed applications may not function correctly because they are not able to create the entries that they need to (Default=Enabled).

Enable registry virtualization - The sandboxed applications are not permitted to access and modify the entries in your 'real' Windows Registry hives. Enabling registry virtualization instructs the Sandbox to create a virtual registry hive in your system. The sandboxed applications write any entries pertaining to them only into the created registry hive, instead of affecting and potentially causing damage to your real registry hives. If you disable this option, the sandboxed applications may not function correctly because they are not able to create the entries that they need to (Default=Enabled).

More than likely it tried to reboot to install a driver, but when it did it killed itself, so I suspect you are fine. If you want to check, scan with Malwarebytes and HitmanPro and see if they find anything. Also clean out your temp files using CCleaner before doing the scans.

Thank you for your answers - I definitely changed the execution control to untrusted!